Anderson Goulart wrote:
Hello,

I know this question is on the archives, but I could not find any solution for this yet...

I am trying to authenticate a user with a smartcard. I am using OpenSuse 11 with GDM 2.24. Everything is working, but not quite as I would like to.

This is how it is:

1) GDM prompts for a Smartcard or a Username.
2) I insert the smartcard
3) Then press ENTER
4) GDM asks for PIN
5) PIN typed and press ENTER again
6) User accepted



In addition to GDM, screen unlock applications to use smartcards
too. There have been a number of discussions on how PAM should handle smartcards
and PINs with the pam_krb5 that can use PKCS#11 with PKINIT,
on the Kerberos lists and the OpenSolaris lists. (Consider PIN pad readers too.)
The main points are that PINs are not passwords and should be treated separately,
but PAM is not flexible enough at the present time to do it right.

Russ Allbery's open source pam_krb5 will run with GDM and xlock, and
use the entry of a blank password to try_pkinit. It can then call the
MIT or Heimdal krb5 that will use PKINIT with OpenSC PKCS#11 to
authenticate to Kerberos including Windows AD kerberos.

What I am trying to do is deal with insertion and removal of the smartcard. When I insert the smartcard I would like GDM to show the PIN dialog without pressing ENTER. And if I remove it, GDM should show the Username/Password dialog again.

I like this, but PAM today gets in the way.

The same idea was discussed a few years ago on this list (http://www.mail-archive.com/muscle@lists.musclecard.com/msg04346.html and http://osdir.com/ml/gnome.gdm.general/2006-10/msg00010.html - GDM list) and the solution was not clearly explained to me. Does anyone know how to deal with this? Or have some information that could be useful?

I found two solutions (didn't work) for this: Quest software (http://rc.quest.com/topics/gdm/ - too old) and a multistack patch for GDM 2.28 (Fedora patch), but I could not make it work (in Fedora) and the compilation for Suse 11 was not so easy (because of some newer hal functions).


ps: I got an Omnikey card reader


Thanks,
Global



------------------------------------------------------------------------

_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle

--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444