Re: [gdm-list] My questions
- From: "Philippe C. Martin" <pmartin snakecard com>
- To: Martin Paljak <martin paljak pri ee>
- Cc: gdm-list gnome org, Brian Cameron <Brian Cameron Sun COM>
- Subject: Re: [gdm-list] My questions
- Date: Tue, 4 Oct 2005 20:02:51 +0000
Many thanks Martin, I will check your list.
One question though: I have never played with PKCS#11 but I seem to remember
it closely uses PKI architecture (X509) and as such requires that the card
support asymmetric algorithms where I want to also support cheaper cards
(3DES/AES) and simply retrieve logon information rather than go through
certificate signatures .....
Do I have a problem there with PKCS#11/PAM ?
Regards,
Philippe
On Tuesday 04 October 2005 07:23 pm, Martin Paljak wrote:
> Working closely with smartcards (that is, opensc.org) I can say that this
> list is not bad either for things that relate to GDM and smartcards login.
> What I can also tell is that most folks at muscle and/or opensc mailing
> list (as muscle can be reduced to pkcs#11 and we have two different pkcs#11
> related pam modules) tell you is to use one of the available pam modules OR
> to extend them ;)
>
> What you're facing here most probably is what is often requested when smart
> card logon is investigated:
>
> Something that would react on card insertion, read from there something
> that would result in a username and then only ask for a single pin and
> start the session.
>
> Last time when I checked this was not possible with PAM. Because PAM, as
> written earlier, works on a request-response mechanism and thus always
> wants first a username to start with.
>
> What can be done is embedding-extending GDM with tools like pkcs11_evenmgr
> (might not be the right name, check from opensc.org) that would trigger gdm
> with a correct username already extracted from a certificate when a card is
> inserted. I might be wrong though.
>
> Feel free to drop a mail to opensc-devel opensc org but it would fall back
> to PAM issues anyway.
>
> If PAM would support such event notification, GDM would support it and one
> of pkcs#11 based pam modules would support it too. If not - we should
> either get PAM support it directly or maybe extend GDM to handle some kind
> of 'events' and THEN still combine it with PAM.
>
> Everything else except this issue can be and should be solved with pam.
>
> I once faced a similar problem and then solved it with some wrappers around
> GDM and a custom card event handler daemon that is now superseded by
> pam_pkcs11 tools.
>
>
> cheers,
> m.
>
> On Tue, Oct 04, 2005 at 02:09:20PM -0500, Brian Cameron wrote:
> > Philippe:
> > >I have asked a few questions in this ng and have yet to receive any
> > >answer, is it that my questions are irrelevant, stupid, or is this not
> > > the correct ng to ask them ?
> > >
> > >If the latter is correct, please let me know and I will stop polluting
> > >this list.
> >
> > I believe you are asking about your recent questions about SmartCard
> > usage. The gdm-list is not a bad place to ask questions about this topic
> > since SmartCards do relate to the gdm login program. At any rate, I
> > don't feel you are polluting the list.
> >
> > If nobody is responding to your questions, this may simply mean that
> > nobody on the list knows the answers to your questions. You might try
> > some forums where SmartCard is discussed more specifically. I don't
> > really know where to point you, but a quick Google search brought up
> > a few ideas:
> >
> > http://www.linuxnet.com/list.html
> > http://www.opencard.org/
> >
> > You might try Google too. Sorry I am not more help.
> >
> > Brian
> > _______________________________________________
> > gdm-list mailing list
> > gdm-list gnome org
> > http://mail.gnome.org/mailman/listinfo/gdm-list
>
> peace,
> m.
--
*************************************
Philippe C. Martin
SnakeCard, LLC
www.snakecard.com
+1 405 694 8098
*************************************