"Split smartcard configuration"

According to this manual:

making a smartcard forwarding qube should be trivial using the same socket forwarding technique that we use for ssh-agent, right?

2 Likes

I tested it and it works!

1 Like

I added this to rc.local in sys-usb:

# Runtime directory for the p11-kit server socket (user has uid 1000)
su user -c "mkdir /run/user/1000/p11-kit"
# Start p11-kit server for the listed tokens; eval imports the P11_KIT_SERVER_ADDRESS/PID lines it prints
eval `su user -l -c "umask 177 && XDG_RUNTIME_DIR=/run/user/1000 p11-kit server --provider /usr/lib64/pkcs11/opensc-pkcs11.so 'pkcs11:manufacturer=Aktiv%20Co.' 'pkcs11:manufacturer=piv_II'"`
# qrexec service: the heredoc is unquoted, so the socket path is baked in now;
# qubesdb-read and $QREXEC_REMOTE_DOMAIN are escaped so they run on each call
cat >/etc/qubes-rpc/qubes.pkcs11 <<EOF
#!/bin/sh
notify-send "[\`qubesdb-read /name\`] Smart card PKCS#11 access from: \$QREXEC_REMOTE_DOMAIN"
ncat -U `echo $P11_KIT_SERVER_ADDRESS|sed -e "s/.*\=//"`
EOF
chmod +x /etc/qubes-rpc/qubes.pkcs11

created a basic “ask” policy in dom0, and a simple ncat-based service calling qrexec on client VMs. That’s it! Works like a charm with Yubikey/PIV and some Russian smartcard by Aktiv. Tested with ssh, openconnect and firefox.

3 Likes
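Both ends of the forwarding described in the post above, as an added example that is not the poster's code or the liteqube project's: the card-qube service script is generated from the p11-kit server address, and the client qube gets the ncat listener that relays each connection over qrexec. Assumed names: card qube "sys-usb", service "qubes.pkcs11" (as used in the post), uid 1000 in both qubes.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: card qube "sys-usb",
# qrexec service "qubes.pkcs11", user uid 1000 in both qubes.

CARD_QUBE="${CARD_QUBE:-sys-usb}"
SERVICE="${SERVICE:-qubes.pkcs11}"
RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/1000}"

# p11-kit server advertises "unix:path=<socket>". Strip the prefix instead of
# deleting "everything up to the last '='", which would truncate a path that
# itself contains '='. Returns 1 on a non-unix address so callers notice.
p11_socket_path() {
    case "$1" in
        unix:path=*) printf '%s\n' "${1#unix:path=}" ;;
        *) return 1 ;;
    esac
}

# Card qube: body of /etc/qubes-rpc/$SERVICE. qrexec connects the caller's
# stdin/stdout to this script; ncat relays them to the p11-kit server socket.
# The socket path is fixed at generation time, as in the original heredoc.
service_script() {
    sock=$(p11_socket_path "$1") || return 1
    printf '#!/bin/sh\n'
    printf 'notify-send "[`qubesdb-read /name`] Smart card PKCS#11 access from: $QREXEC_REMOTE_DOMAIN"\n'
    printf 'exec ncat -U %s\n' "$sock"
}

# Client qube: a local socket whose every connection is relayed over qrexec to
# the card qube; dom0's "ask" policy gates each connection. The directory and
# socket are private to the user (0700 / umask 177).
start_client_forwarder() {
    dir="$RUNTIME_DIR/p11-kit"
    mkdir -p "$dir" && chmod 700 "$dir"
    rm -f "$dir/pkcs11"
    echo "export P11_KIT_SERVER_ADDRESS=unix:path=$dir/pkcs11"
    (umask 177; exec ncat -l -k -U "$dir/pkcs11" -c "qrexec-client-vm $CARD_QUBE $SERVICE")
}

case "${1:-}" in
    service) service_script "${P11_KIT_SERVER_ADDRESS:-}" ;;  # run in sys-usb after p11-kit server
    client)  start_client_forwarder ;;                        # run in the client qube
esac
```

Clients in the client qube then export the printed P11_KIT_SERVER_ADDRESS and load p11-kit-client.so as their PKCS#11 module.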

Also, here we go! liteqube/Contrib.SmartCard at main · arkenoi/liteqube · GitHub

1 Like

I was not satisfied with the way the systemd/qrexec combo handles socket connections, so I rewrote the whole thing to transaction-based remoting via a remote module (as opposed to a remote socket). Stay tuned, will push to gitlab soon.

1 Like