Project

General

Profile

Actions

Todo #11933

closed

PC/SC Smart Card Daemon ``pcscd`` running on all devices at all times, should be optional

Added by Jim Pingle over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
Start date:
05/17/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default

Description

In 2.5.0/21.02 we added the pcscd service to builds for #9878 and it gets run at startup in all cases to handle certain cryptographic smart cards (e.g. PCKS#11). It consumes resources unnecessarily in the majority of cases where it is not needed. It should be made optional and disabled by default on new installations.


Related issues

Related to Bug #12095: Memory leak in pcscdNew06/30/2021

Actions
Related to Bug #12468: Stopping IPsec daemon on the Status / Services page lead to log files flooding if pcscd daemon is enabledResolvedViktor Gurov

Actions
Actions #1

Updated by Jim Pingle over 3 years ago

  • Related to Bug #12095: Memory leak in pcscd added
Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #5

Updated by Steve Wheeler over 3 years ago

This option should probably have a warning on it to let users know un-selecting it will restart all IPSec tunnels.

Actions #6

Updated by Viktor Gurov over 3 years ago

Steve Wheeler wrote in #note-5:

This option should probably have a warning on it to let users know un-selecting it will restart all IPSec tunnels.

Most of the IPsec Settings restarts all tunnels,
see `$needsrestart` in https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_ipsec_settings.php

Actions #7

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to New

Tested this both on snapshots and on release systems with afcc0e9c97c1993ae6b95f886665fcb4375d26c7 applied via system patches package. The pcscd daemon is no longer running or configured which is great.

The pcscd service still shows up in the service list as stopped rather than being hidden when the option is disabled. We should probably hide when it's not needed that so it doesn't confuse users.

I have not tested PKCS#11 with the option enabled, however. Someone with the appropriate hardware and setup for that will also need to ensure it works before we close this.

Actions #8

Updated by Viktor Gurov over 3 years ago

hide pcscd from the service list if not enabled:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/304

Actions #9

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
Actions #10

Updated by Viktor Gurov over 3 years ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #11

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

Service is no longer running by default, service is not in the list when disabled.

Actions #12

Updated by Viktor Gurov about 3 years ago

  • Related to Bug #12468: Stopping IPsec daemon on the Status / Services page lead to log files flooding if pcscd daemon is enabled added
Actions #13

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions

Also available in: Atom PDF