On Mon, Nov 18, 2024 at 02:50:09PM +0100, Winfried de Heiden wrote:
Hi all,
The tuning options as provided on https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card#smart-card-read....
It looks, however, like it is related to file caching. In "man 5 opensc.conf":
If caching is done by a system process, the cached files may be placed inaccessible from a user account. Use a globally readable and writable location if you wish to share the cached information. Note that the cached files may contain personal data such as name and mail address.
It seems caching is done by GDM (user: gdm) and sssd (user: root), and I added the following to ensure a caching directory is created (and removed when rebooted, nice and handy during testing):

/etc/tmpfiles.d/opensc.conf:
    d /dev/shm/.cache/opensc 2700 gdm root -
I also added "file_cache_dir" to /etc/opensc.conf:
app default {
    # debug = 3;
    # debug_file = opensc-debug.txt;
    framework pkcs15 {
        use_file_caching = public;
        file_cache_dir = /dev/shm/.cache/opensc;
    }
    reader_driver pcsc {
        # The pinpad is disabled by default,
        # because of many broken readers out there
        enable_pinpad = false;
    }
}

# the pkcs15-init is used for card initialization when the file caching
# brings more trouble than use so disable that:
app pkcs15-init {
    framework pkcs15 {
        use_file_caching = no;
    }
}
It's still not blazing fast, but it's sure more acceptable and workable. After a reboot:
time sudo -l; sudo -k; time sudo -l
PIN for MyEID-222 (MyEID-222 Basic PIN):
User winfried may run the following commands on minicard:
    (ALL : ALL) ALL

real    0m8.016s
user    0m0.019s
sys     0m0.022s
PIN for MyEID-222 (MyEID-222 Basic PIN):
User winfried may run the following commands on minicard:
    (ALL : ALL) ALL

real    0m5.428s
user    0m0.019s
sys     0m0.012s
When I remove the line "file_cache_dir", sudo -l takes ages (...) but strangely there are no traces of any cache anywhere on the filesystem; no wonder it is slow... According to the man pages:
Where to cache the card's files. The default values are:
  • $XDG_CACHE_HOME/opensc/ (If $XDG_CACHE_HOME is defined)
  • $HOME/.cache/opensc/ (Unix)
  • $USERPROFILE.eid-cache\ (Windows)
But nothing is there!? Anyone got an idea what's happening here?
Hi,
have you checked if the `$XDG_CACHE_HOME` or `$HOME/.cache` directories exist for the root user?
bye, Sumit
Thanks!
Winfried
Hi all,
XDG_CACHE_HOME was not defined, also not after a GDM login as user root. I added it to /root/.bash_profile. Afterwards:
[root@minicard ~]# grep XDG_CACHE_HOME ~/.bash_profile
export XDG_CACHE_HOME=$HOME/.cache
[root@minicard ~]# ls -ldZ $XDG_CACHE_HOME
drwx------. 11 root root system_u:object_r:cache_home_t:s0 158 Nov 18 15:49 /root/.cache
[root@minicard ~]# ls -ldZ $XDG_CACHE_HOME/opensc
drwx------. 2 root root unconfined_u:object_r:cache_home_t:s0 6 Nov 18 12:33 /root/.cache/opensc
[root@minicard ~]# ls -lZ $XDG_CACHE_HOME/opensc
<empty!>
And: using the smart card is slow once again. Put back file_cache_dir in /etc/opensc.conf and the smart card is (more or less) fast again.
Winfried
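To make the man-page lookup order and the directory checks done by hand above repeatable, here is an added shell example (not part of this thread and not an OpenSC tool): it resolves the cache directory OpenSC would use for a given config file and environment, then audits that directory for the problems a defender cares about (missing, symlinked, wrong owner, world-writable). It assumes GNU stat and that the first file_cache_dir in the config is the one in "app default".

```sh
#!/bin/sh
# Added example, not an OpenSC tool. Resolves the pkcs15 file-cache directory
# with the precedence from opensc.conf(5): file_cache_dir in the config, else
# $XDG_CACHE_HOME/opensc, else $HOME/.cache/opensc, then audits it.
# Assumes GNU stat (-c) and a config whose first file_cache_dir is the one
# in "app default".

# opensc_cache_dir CONF XDG_CACHE_HOME HOME -> prints the resolved directory
opensc_cache_dir() {
    conf=$1; xdg=$2; home=$3
    # Drop '#' comments first so a commented-out setting is not picked up.
    explicit=$(sed -e 's/#.*//' "$conf" 2>/dev/null |
        sed -n 's/.*file_cache_dir[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' |
        head -n 1)
    if [ -n "$explicit" ]; then
        printf '%s\n' "$explicit"
    elif [ -n "$xdg" ]; then
        printf '%s/opensc\n' "$xdg"
    else
        printf '%s/.cache/opensc\n' "$home"
    fi
}

# audit_cache_dir DIR UID -> one finding per line; returns 0 only if DIR is a
# real directory owned by UID (root may own anything) and not world-writable.
audit_cache_dir() {
    dir=$1; uid=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir does not exist, so nothing gets cached"
        return 1
    fi
    # A symlink at the cache path lets whoever controls it redirect the cache.
    if [ -L "$dir" ]; then echo "symlink: $dir"; rc=1; fi
    owner=$(stat -c %u "$dir"); mode=$(stat -c %a "$dir")
    if [ "$owner" != "$uid" ] && [ "$uid" != 0 ]; then
        echo "owner: $dir belongs to uid $owner, not $uid"; rc=1
    fi
    # World-writable: any local user can replace the cached card files that
    # later readers, sssd included, will use.
    case $((mode % 10)) in
        2|3|6|7) echo "world-writable: $dir is mode $mode"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo "ok: $dir (mode $mode, uid $owner)"
    return $rc
}

# On the affected host, run as the account that does the caching (root for sssd):
#   audit_cache_dir "$(opensc_cache_dir /etc/opensc.conf "$XDG_CACHE_HOME" "$HOME")" "$(id -u)"
```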
On Mon, Nov 18, 2024 at 04:08:49PM +0100, Winfried de Heiden wrote:
Hi,
have you checked for any SELinux AVCs?
bye, Sumit
Hi all,
I did, no errors. To be sure:
    semanage dontaudit off
    reboot
    ausearch -m avc -ts boot | grep -e 'opensc' -e ' .cache'
    <nothing>
Put the system in Permissive mode; same result: /root/.cache/opensc is empty.
Winfried
freeipa-users@lists.fedorahosted.org