Todo #11933

closed

PC/SC Smart Card Daemon `pcscd` running on all devices at all times, should be optional

Added by Jim Pingle 4 months ago. Updated 16 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 05/17/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default

Description

In 2.5.0/21.02 we added the pcscd service to builds for #9878 and it gets run at startup in all cases to handle certain cryptographic smart cards (e.g. PKCS#11). It consumes resources unnecessarily in the majority of cases where it is not needed. It should be made optional and disabled by default on new installations.


Related issues

Related to Bug #12095: Memory leak in pcscd (New, 06/30/2021)

Actions #1

Updated by Jim Pingle 3 months ago

  • Related to Bug #12095: Memory leak in pcscd added
Actions #3

Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Renato Botelho 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #5

Updated by Steve Wheeler 2 months ago

This option should probably have a warning on it to let users know un-selecting it will restart all IPSec tunnels.

Actions #6

Updated by Viktor Gurov 2 months ago

Steve Wheeler wrote in #note-5:

> This option should probably have a warning on it to let users know un-selecting it will restart all IPSec tunnels.

Most of the IPsec settings restart all tunnels;
see `$needsrestart` in https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_ipsec_settings.php

Actions #7

Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to New

Tested this both on snapshots and on release systems with afcc0e9c97c1993ae6b95f886665fcb4375d26c7 applied via system patches package. The pcscd daemon is no longer running or configured which is great.

The pcscd service still shows up in the service list as stopped rather than being hidden when the option is disabled. We should probably hide that when it's not needed so it doesn't confuse users.

I have not tested PKCS#11 with the option enabled, however. Someone with the appropriate hardware and setup for that will also need to ensure it works before we close this.

Actions #8

Updated by Viktor Gurov about 2 months ago

Hide pcscd from the service list if not enabled:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/304

Actions #9

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
Actions #10

Updated by Viktor Gurov about 2 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #11

Updated by Jim Pingle 16 days ago

  • Status changed from Feedback to Resolved

Service is no longer running by default, service is not in the list when disabled.
