Douglas E. Engert wrote, On 03/16/2010 02:33 PM:
>
>
> Todd Denniston wrote:
>> Douglas E. Engert wrote, On 03/12/2010 10:48 AM:
>>>
>>> Anderson Goulart wrote:
>>>> Hello,
>>>> I am trying to authenticate a user with a smartcard. I am using
>>>> OpenSuse 11 with GDM 2.24. Everything is working, but not quite as I
>>>> would like to.
>>>>
>>
>>>> What I am trying to do is deal with insertion and removing the
>>>> smartcard. When I insert the smartcard I would like GDM to show the
>>>> PIN dialog without pressing ENTER. And if I remove, GDM should show
>>>> the Username/Password dialog again.
>>> I like this, but PAM today gets in the way.
>>>
>>
>> we're talking about
>> URL : ftp://ftp.gnome.org/pub/GNOME/sources/gdm
>> ... the thing you see while you try to log in (also fronts
>> RHEL/CentOS/Fedora boxes), right?
>>
>
> Yes and any other vendor's GDM like the Ubuntu (2.28) or Solaris. I
> don't know what the Solaris version is based on. All of these can
> use PAM.
>
> But in addition to GDM you will need to look at any screen lock
> programs, as you will want to unlock with the smart card too. Do the
> screen lock programs have the same pre-PAM detection of smart cards?
>

As I understand your question, yes.
If I move my mouse or punch a key without the card in, the unlock window
only displays something along the lines of:
"please insert {my Common Name} token" with an "OK or cancel" button;
there is no prompting for a password.
If I do the same things with the card in, the unlock window asks for the
password (of the card) and only lets you in if the card allows you in.

I realize I have been a bit vague here, but unlike the earlier work I did
with Fedora (FC4) I have had to do very little to get CentOS and RHEL to
work** with the smart cards.

Here is the 10Kfeet view of what I have to do now.
1) if not done while installing, set authentication to use smart card
   authconfig --enablesmartcard --update
   ### do NOT use --enablerequiresmartcard unless your box is already
   ### set up to allow root in with only the smart card.
   (that was a tricky devil to get around without reinstalling. :)
2) use certutil to populate /etc/pki/nssdb/ with the Certificate
   Authorities.
3) populate the appropriate field in your password database
   (/etc/passwd || LDAP || NIS).
   On RHEL/CentOS the default appropriate fields are cn file, uid, pwent,
   according to /etc/pam_pkcs11/pam_pkcs11.conf
4) reboot or restart some services IIRC.
5) log in and unlock X using smart card.

**I may not like some of the design decisions the Fedora/RHEL engineers
made, and some of the human documentation still sucks (when it exists at
all), but the system is tolerable to use by default.
Example: Fedora & RHEL chose to use NSS** vs OpenSSL in pam_pkcs11, and
did not even bother updating any of the documentation, i.e.,
   grep make_hash_link /usr/share/doc/pam_pkcs11-0.5.3/*
all these references should now be to how to use certutil, and certutil
itself has thin if any documentation outside of "read the source".

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
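
A read-only check for steps 2 and 3 of the procedure in the message above, added here as an example and not part of the original post: it lists the mappers enabled in pam_pkcs11.conf and the CA entries in a `certutil -L` listing that carry trust flags. The function names and sample data are constructed, and treating `C` or `T` in the first trust column as the trust pam_pkcs11 needs is an assumption of this example.

```shell
#!/bin/bash
# Read-only checks for steps 2 and 3. Function names and sample data are
# constructed for this example; nothing here modifies the system.

# Step 3: read a pam_pkcs11.conf on stdin, print enabled mappers one per line.
# Commented-out "# use_mappers = ..." lines are ignored.
enabled_mappers() {
    sed -n 's/^[[:space:]]*use_mappers[[:space:]]*=\(.*\);.*$/\1/p' |
        tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Step 2: read "certutil -L -d <dir>" output on stdin, print the nicknames
# whose first (SSL) trust field contains C or T, i.e. a trusted CA.
# Assumption: this is the trust level the smart card login relies on.
trusted_cas() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             split($NF, t, ",")
             if (t[1] ~ /[CT]/) { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }
         }'
}

# Constructed sample input, so the functions can be tried offline.
sample_conf() {
cat <<'EOF'
pam_pkcs11 {
  # use_mappers = digest, cn, pwent, uid, mail, subject, null;
  use_mappers = cn, uid, pwent, null;
}
EOF
}
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
Example Intermediate CA                                      ,,
Example User Cert                                            u,u,u
EOF
}

# Report both checks; fails when the database holds no trusted CA.
preflight() {   # $1 = pam_pkcs11.conf path, $2 = NSS database directory
    echo "mappers: $(enabled_mappers < "$1" | tr '\n' ' ')"
    cas=$(certutil -L -d "$2" | trusted_cas)
    [ -n "$cas" ] && echo "trusted CAs: $cas"
}

# On a real host: ./check.sh /etc/pam_pkcs11/pam_pkcs11.conf /etc/pki/nssdb
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

An empty result from `trusted_cas` is worth resolving before considering `--enablerequiresmartcard`, since that is the lockout case the message warns about.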