On Mar 12, 2010, at 17:48 , Douglas E. Engert wrote: > Anderson Goulart wrote: >> Hello, >> I know this question is on the archives, but I could not find any solution >> for this yet... >> I am trying to authenticate a user with a smartcard. I am using OpenSuse 11 >> with GDM 2.24. Everything is working, but not quite as I would like to. >> This is how it is: >> 1) GDM prompts for a Smartcard or a Username. >> 2) I insert the smartcard >> 3) Then press ENTER >> 4) GDM ask for PIN >> 5) PIN typed and press ENTER again >> 6) User accepted > > In addition to GDM, screen unlock applications to use smartcards > too. There have been a number of discussions on how PAM should handle > smartcards > and PINs with the pam_krb5 that can use PKCS#11 with PKINIT. > On the kerberos lists and the opensolaris lists. (Consider pin pad readers > too.) > The main points are PINs are not passwords, and should be treated separately, > but PAM is not flexible enough at the present time to do it right. > > The Russ Albery's open source pam_krb5 will run with GDM and xlock, and > use the entry of a blank password to try_pkinit. It can then call the > MIT or Heimdal krb5 that will use PKINIT with OpenSC PKCS#11 to > authenticate to Kerberos including Windows AD kerberos. > >> What I am trying to do is deal with insertion and removing the smartcard. >> When I insert the smartcard I would like GDM to show the PIN dialog without >> pressing ENTER. And if I remove, GDM should show the Username/Password >> dialog again. > > I like this, but PAM today gets in the way.
This is a question I've heard before. I hope I described the problem and the answer correctly: http://www.opensc-project.org/opensc/wiki/FrequentlyAskedQuestions#IsitpossibletomakeGDMautomaticallyaskforthePINwhenacardisinserted -- Martin Paljak http://martin.paljak.pri.ee +3725156495 _______________________________________________ Muscle mailing list Muscle@lists.musclecard.com http://lists.drizzle.com/mailman/listinfo/muscle
