Smart Card Passthrough Doesn't seem to work #97
Comments
|
I also noticed that the manifest file for |
|
Try to start remmina in debug https://gitlab.com/Remmina/Remmina/-/wikis/Usage/Remmina-debugging |
|
And raise up the freerdp logging as well |
|
I need those traces to see what happens |
|
Here is the log file from the session. I connect to the server, but the smart card is not recognized on the other side. Like i said this works with remmina in non-flatpak distributions. |
|
I did see this note in the log that might be relevent. |
|
The secret service is used only to save passwords. What I see is that the smart card is correctly recognized and shared. I'll have to look at the code, because it's a long time I'm not working on this. Be sure you have selected the correct authentication mechanism in the advanced tab. I don't know when I will have time to look at this, in the next 20 days I won't be much connected. |
|
I did a little more experimenting. I installed Fedora 35 in a vm and tried the remmina rpm from the repositories and from flathub. The remmina flatpak behaved exactly the same as on RHEL 8. The smart card doesn't seem to be shared. However, the rpm works as expected. I saved the log file from that session for a comparison to what is happening in the flatpak. Please let me know if there is anything else I can do to help track this down. It would be immensely helpful for me if this functionality worked with the flatpak distribution. As a side note, I also tried the snap package on RHEL 8 and it didn't seem to be able to share the smart card either. thank you so much for all your help! |
|
Remmina finally got added to epel for RHEL 8. Same as fedora, the rpm version works to forward the smart card and the flatpak version does not. It would be cool to get this resolved. let me know if I can help with testing. thanks! |
|
I think it's a sandboxing issue. |
|
sudo flatpak override --socket=pcsc org.remmina.Remmina Can you try? Before and after to lunch remmina Edit: fixed command. Also, it should be not relevant |
|
Another thing to check is to compare how remmina and freerdp are built in Kodi, for red hat, and fedora. This is to see if we are missing any library or build flags in the fkatpak |
|
Another test. https://github.com/FreeRDP/FreeRDP/blob/master/packaging/flatpak/com.freerdp.FreeRDP.json If you could test the freerdp flatpak we could at least ditch freerdp (or not) |
|
The minimum flatpak version is fine. RHEL 8 is on 1.8.5 and I also tested it on the latest fedora with the same problems. I will try these other tests here in the next day or so. thanks! |
|
I just tried with the flatpak after running sudo flatpak override --socket=pcsc org.remmina.Remmina as you suggested. In the log there is some more error messages related to the smart card that might be helpful. |
|
I'll have a look. You should not run flatpak as root |
|
I ran remmina as normal user, just set the override with sudo before running remmina. Thanks. I'll work on testing the freerdp flatpak. |
|
I wasn't able to get connected with freerdp (rpm or flatpak) at all. Not sure what I was doing wrong. |
|
Can you show the options you have used |
|
I had a command like this; |
|
OK, a couple of things.
Are you using it to authenticate on Windows? If it's the case you have to add
Do you have any other smartcard devices? If you have just the Yubiko, just use
If xfreerdp fails to connect, it's probably negotiating the protocol security, and it falls back to something that is not, for some reasons, supported, so you have to force it with , for instance,
Sometimes instead of using /u, /d, better to use the /u:user@fqdn |
|
|
The pcsc_scan utility finds the smart card without any problems. I cannot figure out how to get xfreerdp to connect. I tried all manner of permutations of your suggestions. |
|
Any obvious message when you try to connect? You can add |
|
Here is my log and here is the command I ran Thanks for your patience. |
|
No problem at all, but the command line should be probably: Or better (because it looks like rdp is not working well): |
|
Unfortunately, neither of those options work to connect. |
|
I've read the whole thread one more time, and still it's not clear to me your use case. Are you trying to authenticate on the windows hos with the Yubikey? Or is it used on the Windows server for other authentication? |
|
I connect to the windows computer with RDP, and then log in to my user account with the Yubikey. So at the login screen the Yubikey is recognized and then I can enter my pin to login. |
|
Looks like this is probably related to: https://bugzilla.redhat.com/show_bug.cgi?id=2054826 |
|
If you can determine the latest version that works, we could 'impose' that version in the flatpak build, till we will get that bug fixxed. I cannot just follow up on this, so I'll need help to get the version that works, and when the bug will be fixed upstream and a new version will be tagged. |
|
Not sure there is a version of flatpak that ever worked for me. The rpm package for RHEL 8 and Fedora 35 both work. I think the best thing to do is just wait for this to be resolved upstream. |
For a long time I couldn't get any flatpak applications to recognize my smart card. Non-flatpak applications worked as expected. Even the yubico application. com.yubico.yubioath, would not see my smart card. Recently there was an update and now com.yubico.yubioath can use the smart card, which is great, but the application that I really need to use is Remmina, org.remmina.Remmina, since there is no other option besides flatpak for Remmina on RHEL 8. I use Remmina to remote into computers that require the smart card to be passed through to login. This is a big blocker for me using RHEL 8 and flatpak in general.
The main difference between the two applications seems to be the runtime.
They both have the sockets=pcsc; permission, so it seems to me that there is either something about the org.kde.Platform that is able to handle the Yubikey FIPS smart card while the org.gnome.Platform is not or something about the flatpak packaging of
org.remmina.Remmina has a bug.
On other linux distributions like Debian or Fedora where there is normally packaged Remmina the smart card support works without issue, so it is specific to flatpak.
This is on RHEL 8 with everything updated to the latest as of 4 November 2021.
The text was updated successfully, but these errors were encountered: