I think I have a tentative, but sufficient grasp of how the Smart Card
stuff flows from the client into the server. It's not quite as clear
how the server bridges it into qemu, but I think I have the gist of it.
However, that doesn't work for XSpice sessions.
I'm not sure why it shouldn't. The qemu portion simply forwards the ccid
APDU's from the host. Spice has libcaccard which translates the CAC
requests into calls against your PKCS #11 token on your client side.
Alright, my ignorance is showing; perhaps I need to understand the qemu
path better.
In what I think of a typical use case, you have a client with a smart
card reader attached. Let's say that is a Fedora 20 box. Then you have
a host system which runs qemu to start a guest VM; let's say the host
system is RHEL and the guest VM is Fedora RawHide.
My understanding is that the client (essentially spice-gtk) interacts
with the physical hardware, and uses libcacard to put the smartcard data
onto the Spice smartcard channel.
This is passed over the spice channel into qemu (running on the host),
which uses the spice server calls to decode the data, and then it writes
the data to a virtual character device that appears in the guest as a
USB CCID device. RawHide detects that and treats it a 'real' hardware
device.
How am I doing so far? Is that about right?
In the XSpice case, we have no qemu. Instead, the host system runs Xorg
against what is a virtual framebuffer, and runs the xf86-video-qxl xorg
driver.
In my use case, I've got Xorg running, with spice, and I'm just about to
launch xdm. I'd really like to have a smartcard, if available, be part
of the pam stack prior to launching xdm, so that it can be used by pam.
Given that, how do you expect the smartcard data to flow into that Xorg
session? I imagine that either the qxl driver, or a different utility
(e.g. vd_agent) would be required in order to relay the smartcard data
from the channel and into the pam stack. Is there something I'm missing?
It looks to me that this should be possible. My research suggests
that pam_pkcs11 is pluggable, and that it should be possible to write
a module that would receive the cert information.
pam_pkcs11 uses plugable PKCS #11 modules (which also work in firefox
and other NSS applications). You would have to install this module in
your guest, however. I think redirecting the CCID USB data would be
easier, though.
Yeah, I saw that ccid was also pluggable, and I begin to see why that
would be a better layer to plug into. (Saves me the hassle of parsing
the cert data, right?)
Cheers,
Jeremy
_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
