Re: [gdm-list] My questions

From: Martin Paljak <martin paljak pri ee>
To: Brian Cameron <Brian Cameron Sun COM>
Cc: gdm-list gnome org
Subject: Re: [gdm-list] My questions
Date: Tue, 4 Oct 2005 22:23:18 +0300

Working closely with smartcards (that is, opensc.org) I can say that this list is not bad either
for things that relate to GDM and smartcards login. What i can also tell is that most folks
at muscle and/or opensc mailing list (as muscle can be reduced to pkcs#11 and we have two different pkcs#11
related pam modules) tell you is to use one of the available pam modules OR to extend them ;)

What you're facing here most probly is what is often requested when smart card logon is investigated:

Something that would react on card insertion, read from there something that would result in a suername
and then only ask for a single pin and start the session.

Last time when i checked this was not possible with PAM. Because PAM, as writte nearlier, works on a
request-response mechanism and thus always wants first a username to start with.

What can be done is embedding-extending GDM with tools like pkcs11_evenmgr (might not be the right name,
check from opensc.org) that would trigger gdm with a correct username already extracted from 
a certificate when a card is inserted. I might be wrong though.

Feel free to drop a mail to opensc-devel opensc org but it would fall back to PAM issues anyway.

If PAM would support such event notification, GDM would support it and one of pkcs#11 based pam modules would
support it too. If not - we should either get PAM support it directly or maybe extend GDM to handle
some kind of 'events' and THEN still combine it with PAM.

Everything else except this issue can be and should be solved with pam.

I once faced a similar problem and then solved it with some wrappers around GDM and a custom card even handler daemon
that is now superseded by pam_pkcs11 tools.

cheers,
m.

On Tue, Oct 04, 2005 at 02:09:20PM -0500, Brian Cameron wrote:
> Philippe:
> 
> >I have asked a few questions in this ng and have yet to receive any 
> >answer, is it that my questions are irrelevant, stupid, or is this not the 
> >correct ng to ask them ?
> >
> >If the latter is correct, please let me know and I will stop polluting 
> >this list.
> 
> I believe you are asking about your recent questions about SmartCard usage.
> The gdm-list is not a bad place to ask questions about this topic since
> SmartCards do relate to the gdm login program.  At any rate, I don't feel 
> you
> are polluting the list.
> 
> If nobody is responding to your questions, this may simply mean that
> nobody on the list knows the answers to your questions.  You might try
> some forums where SmartCard is discussed more specifically.  I don't
> really know where to point you, but a quick Google search brought up
> a few ideas:
> 
>   http://www.linuxnet.com/list.html
>   http://www.opencard.org/
> 
> You might try Google too.  Sorry I am not more help.
> 
> Brian
> _______________________________________________
> gdm-list mailing list
> gdm-list gnome org
> http://mail.gnome.org/mailman/listinfo/gdm-list

peace,
m.
-- 
martin paljak
martin paljak pri ee
martin.paljak.pri.ee
+372.5156495

Follow-Ups:
- Re: [gdm-list] My questions
  - From: Philippe C. Martin
- Re: [gdm-list] My questions
  - From: Bob Doolittle

References:
- [gdm-list] My questions
  - From: Philippe C. Martin
- Re: [gdm-list] My questions
  - From: Brian Cameron

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]