Douglas E. Engert wrote, On 03/16/2010 02:33 PM:
> 
> 
> Todd Denniston wrote:
>> Douglas E. Engert wrote, On 03/12/2010 10:48 AM:
>>>
>>> Anderson Goulart wrote:
>>>> Hello,
>>>> I am trying to authenticate a user with a smartcard. I am using
>>>> OpenSuse 11 with GDM 2.24. Everything is working, but not quite as I
>>>> would like to.
>>>>
>>
>>>> What I am trying to do is deal with insertion and removing the
>>>> smartcard. When I insert the smartcard I would like GDM to show the
>>>> PIN dialog without pressing ENTER. And if I remove, GDM should show
>>>> the Username/Password dialog again. 
>>> I like this, but PAM today gets in the way.
>>>
>>
>> we're talking about
>> URL         : ftp://ftp.gnome.org/pub/GNOME/sources/gdm
>> ... the thing you see while you try to log in (also fronts
>> RHEL/CentOS/Fedora boxes), right?
>>
> 
> Yes, and any other vendor's GDM like the Ubuntu (2.28) or Solaris. I
> don't know what the Solaris version is based on. All of these can use PAM.
> 
> But in addition to GDM you will need to look at any screen lock
> programs, as you will want to unlock with the smart card too. Do the
> screen lock programs have the same pre-PAM detection of smart cards?
> 

As I understand your question, yes.
If I move my mouse or punch a key without the card in, the unlock window only
displays something along the lines of:
"please insert {my Common Name} token" with an "OK or cancel" button; there is
no prompting for a password.
If I do the same things with the card in, the unlock window asks for the
password (of the card) and only lets you in if the card allows you in.


I realize I have been a bit vague here, but unlike the earlier work I did with
Fedora (FC4), I have had to do very little to get CentOS and RHEL to work** with
the smart cards.
Here is the 10K-feet view of what I have to do now.
1) If not done while installing, set authentication to use smart card:
        authconfig --enablesmartcard --update
   ### do NOT use --enablerequiresmartcard unless your box is already set up to
   allow root in with only the smart card. (That was a tricky devil to get
   around without reinstalling. :)
2) Use certutil to populate /etc/pki/nssdb/ with the Certificate Authorities.
3) Populate the appropriate field in your password database (/etc/passwd ||
   LDAP || NIS).
   On RHEL/CentOS the default appropriate fields are cn file, uid, pwent,
   according to /etc/pam_pkcs11/pam_pkcs11.conf
4) Reboot or restart some services, IIRC.
5) Log in and unlock X using the smart card.

**I may not like some of the design decisions the Fedora/RHEL engineers made,
and some of the human documentation still sucks (when it exists at all), but
the system is tolerable to use by default.
Example:
Fedora & RHEL chose to use NSS** vs OpenSSL in pam_pkcs11, and did not even
bother updating any of the documentation, i.e.,
grep make_hash_link /usr/share/doc/pam_pkcs11-0.5.3/*
All these references should now be to how to use certutil, and certutil itself
has thin if any documentation outside of "read the source".




-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
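Step 3 above relies on the mapper chain declared in /etc/pam_pkcs11/pam_pkcs11.conf. The following is an added example, not code from the mail or from the pam_pkcs11 project: it parses a constructed config fragment written in that file's brace-block layout (an assumption about the format), lists the mapper order, and reports any mapper that is named in use_mappers but has no matching mapper block, which is the sort of mismatch worth catching before trusting the card-to-user mapping.

```python
import re

# Constructed sample in the pam_pkcs11.conf layout (nested brace blocks and
# `key = value;` entries) with the cn, uid, pwent chain the mail mentions;
# not copied from a real system.
SAMPLE_CONF = """
pam_pkcs11 {
  nullok = false;
  use_pkcs11_module = coolkey;
  use_mappers = cn, uid, pwent;
  mapper cn { module = internal; ignorecase = false; }
  mapper uid { module = internal; ignorecase = false; }
  mapper pwent { module = internal; ignorecase = false; }
}
"""

def _parse_block(tokens, i):
    """Recursive-descent parse of one brace block into a dict.
    Entries become {"key": "value"}; nested blocks become
    {"mapper cn": {...}}, keyed by their full header text."""
    block = {}
    while i < len(tokens):
        if tokens[i] == "}":
            return block, i + 1
        j = i
        while tokens[j] not in ("=", "{"):   # header runs up to '=' or '{'
            j += 1
        head = " ".join(tokens[i:j])
        if tokens[j] == "=":
            k = tokens.index(";", j)         # value runs up to ';'
            block[head] = " ".join(tokens[j + 1:k])
            i = k + 1
        else:
            block[head], i = _parse_block(tokens, j + 1)
    return block, i

def load_conf(text):
    """Strip '#' comments, tokenize on { } ; = and whitespace, then parse."""
    tokens = re.findall(r"[{};=]|[^\s{};=]+", re.sub(r"#.*", "", text))
    return _parse_block(tokens, 0)[0]

def mapper_chain(conf):
    """Mapper names in the order pam_pkcs11 will try them."""
    return [m.strip() for m in conf["pam_pkcs11"]["use_mappers"].split(",") if m.strip()]

def missing_mapper_blocks(conf):
    """Mappers named in use_mappers that have no `mapper <name> { }` block."""
    section = conf["pam_pkcs11"]
    return [m for m in mapper_chain(conf) if f"mapper {m}" not in section]

if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    print("mapper chain:", mapper_chain(conf))
    print("missing mapper blocks:", missing_mapper_blocks(conf))
```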
