Re: [gdm-list] Smart Card login
Hi Ray.

This issue comes up a lot, and it seems that most people tend to
approach PAM from the wrong angle when trying to integrate with
display managers.  So hopefully I'll give you some ideas.

Keep in mind that PAM is designed to only support a single
authentication mechanism at a time.  It is not encouraged to
try and create a single PAM stack that can handle authentication
in multiple ways (such as both typing on the keyboard and smart
card).

Also keep in mind that PAM is designed so that it should *not*
be necessary to modify the display manager at all.  In other
words, your PAM stack should be able to read the username
(and/or password) from the card and fill these values into
the PAM structure in the pam_authenticate hook before the GUI
is displayed.  If these values are filled in, then GDM won't
bother asking for the values that are already specified.  If
the username and password are filled in already, then GDM won't
ask for username/password at all (this is how gdm-autologin
PAM stack works, by the way).

The way Sun manages SmartCard is by writing a daemon that runs
as root and listens for the smartcard (or USB key or whatever)
insertion and this daemon restarts GDM with the right PAM stack
for authentication.  Then when the card is removed the daemon
again restarts GDM with a PAM stack that allows users to type
their username/password in the normal login program.

Until recently the PAM Stack was hardcoded to "gdm" and
"gdm-autologin", but I recently added a configuration choice
so that this can be configured per-display.  This allows such
a daemon to restart the GUI with a different PAM stack when
needed - for exactly this sort of purpose.

It might be a bit nicer if GDM were enhanced so that it could
be told to use a different PAM stack without needing to restart
the GUI, but code to tear down and reinit PAM would need to be
written.  This would make login a bit faster and avoid the
flicker as GDM restarts.  Not sure if this is really a big
deal, though.  SunRay users currently deal with the display
manager restarting on card insertion/removal and people don't
seem to be bothered.

Brian
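As an added illustration of the design Brian describes (not taken from either mail and not GDM's or pam_pkcs11's shipped configuration), here are the two Linux-PAM stacks such a daemon would switch between: the normal keyboard stack and a card-only stack built on the pam_pkcs11 module Ray mentions. The stack file names, module order and comments are assumptions.

```conf
# /etc/pam.d/gdm -- keyboard login stack (assumed name and contents)
auth     required   pam_env.so
auth     required   pam_unix.so
account  required   pam_unix.so
password required   pam_unix.so
session  required   pam_unix.so

# /etc/pam.d/gdm-smartcard -- card-only stack the daemon switches the
# display to when a token is inserted (assumed name and contents).
# pam_pkcs11 asks only for the PIN, checks the certificate through the
# PKCS#11 driver and, per Ray's description, maps the certificate to a
# unix login so the display manager does not have to prompt for one.
# The certificate-to-username mapper is configured in pam_pkcs11.conf
# and is not shown here.  pam_deny.so keeps a failed or missing card
# from falling through to any other method.
auth     required   pam_env.so
auth     sufficient pam_pkcs11.so
auth     required   pam_deny.so
account  required   pam_unix.so
session  required   pam_unix.so
```

Each stack supports exactly one mechanism, as Brian recommends; the card stack never prompts for a password, and the keyboard stack never touches the reader.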


I'm currently working on part of a FC6/RHEL5 feature to add smart card
authentication to the desktop.  In particular, for login, we are going
to be using the pam_pkcs11 pam module and coolkey pkcs11 driver.

The basic idea behind it is, each security token (smart card) contains
a signed certificate identifying the user who owns the card.  The
certificate is protected by an alphanumeric PIN code.  At login time,
instead of entering a username and password, the user would enter the
PIN code to unlock the card.  The certificate on the card contains
some metadata including a unix username to map the card to a user
account on the system.

I was wondering if Sun has done anything like this in the past?

One thing I'd like to get into GDM would be the ability to detect when
a security token is inserted or removed from the system to restart the
PAM authentication process (so for instance, if someone is sitting at
the login screen and they insert their smart card, it would switch
from asking for a username to asking for PIN).  Would you accept a
patch to optionally compile in support for that ability?

Another thing I'd like to do is rework some of the PAM code and add
btmp logging and (linux) auditing support.  I'll post another mail
with more details on that later.

--Ray
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list