2

I have Ubuntu 24.04 and a Nitrokey HSM.

I use p11tool --list-token-urls to list the HSM url.

When I run it from a local session it works, and it prints:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0300649;token=provKey001%20%28UserPIN%29

When I try from an ssh session (or from a systemd service) the HSM is not listed:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust

but if I use sudo it works again.

My user is in the following groups:

powerprov adm dialout cdrom sudo dip shadow plugdev users lpadmin

I thought it might depend on which tty is used by the session.

powerprov pts/0        2024-09-02 12:13 (10.151.13.183)  # ssh session
powerprov tty2         2024-09-02 12:21 (tty2)           # local session

I wonder why this behaviour happens and how to make the ssh session work as well.

mastupristi
  • 165
  • 5

1 Answer

2

Current pcsc-lite versions use PolicyKit for authorization and (similar to other devices like USB sticks) default to only allowing access for "local" sessions. Create a custom rule that allows a group:

/etc/polkit-1/rules.d/90-pcsc.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" ||
        action.id == "org.debian.pcsc-lite.access_card") {
        if (subject.isInGroup("pkcs11")) {
            return polkit.Result.YES;
        }
    }
});
grawity
  • 501,077
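To see why the rule above changes the outcome for an ssh session, here is an added example (not part of the answer) that stands in for polkitd's rule evaluation: the `polkit` object, the `defaultResult` policy and the `makeSubject` subjects are constructed here, and the packaged default is only modelled as "local, active sessions are allowed, everything else needs admin authentication", as the answer describes it.

```javascript
// Minimal stand-in for polkitd's JavaScript rule engine (constructed, not
// polkit's real implementation). Rules run in order; the first one that
// returns a value other than undefined decides the authorization.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// The rule from /etc/polkit-1/rules.d/90-pcsc.rules in the answer: grant the
// two pcsc-lite actions to members of the pkcs11 group, local session or not.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" ||
      action.id == "org.debian.pcsc-lite.access_card") {
    if (subject.isInGroup("pkcs11")) {
      return polkit.Result.YES;
    }
  }
});

// Assumed stand-in for the action's implicit policy (real polkit keeps this
// per action in the .policy file): a local, active seat session is allowed;
// an ssh session or a systemd service is neither local nor active.
function defaultResult(subject) {
  return subject.local && subject.active ? polkit.Result.YES
                                         : polkit.Result.AUTH_ADMIN;
}

// Evaluate like polkitd: custom rules first, then fall back to the default.
function authorize(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return defaultResult(subject);
}

// Constructed subjects modelled on the question: the same user over ssh
// before and after being added to the pkcs11 group, and on the local tty.
function makeSubject(user, groups, local, active) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

const ACCESS_PCSC   = "org.debian.pcsc-lite.access_pcsc";
const sshNoGroup    = makeSubject("powerprov", ["powerprov", "plugdev"], false, false);
const sshWithGroup  = makeSubject("powerprov", ["powerprov", "pkcs11"], false, false);
const localSession  = makeSubject("powerprov", ["powerprov"], true, true);

console.log("ssh, no group:   ", authorize(ACCESS_PCSC, sshNoGroup));    // auth_admin
console.log("ssh, pkcs11:     ", authorize(ACCESS_PCSC, sshWithGroup));  // yes
console.log("local tty:       ", authorize(ACCESS_PCSC, localSession));  // yes
```

The rule only fires for the two pcsc-lite action ids, so group membership does not widen access to any other polkit action; for everything else the default policy still applies.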