Jeffrey Hutzelman wrote:

> > PolicyKit may be useful for pcsc-lite/openct as well, to block remote
> > users' access to the daemon.
> 
> I'm not sure how you intend to do that, or even that it's a good idea.

You can apply policy on /var/run/pcscd/pcscd.comm. (Not tested yet.)

> In fact, I'm pretty sure it's not a good idea to assume that all cards
> belong to a user physically sitting at some terminal; I expect to see a
> usage model in my organization that involves forwarding of reader access
> over an ssh connection, in a manner analogous to how the ssh agent works.

The default policy for input devices, sound, cameras and removable devices
says: never allow access for remote users. Other defaults have security
implications (e.g. remote users can turn on the camera and sound
recording).

I think that smart cards should use the same default policy for daemon
access; otherwise remote users can authorize their requests by default.

The system administrator can change it.

If direct access is explicitly requested for applications using the
reader directly, then it should use the same policy as well.

> >> HAL _can_ report these devices, and does, to pcscd.
> >
> > Yes, it reports them, but as unknown USB devices.
> 
> Which is OK, because all smartcard reader devices are _not_ alike, and
> pcscd needs to identify the device specifically in order to determine
> which driver to use.

Smart card readers are devices just like any others. Most of them can
be identified just by reading the USB ID, and even the correct driver can be
identified by the USB ID.

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbra...@suse.cz
Lihovarská 1060/12           tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9                                  fax: +420 284 028 951
Czech Republic                                    http://www.suse.cz/
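A PolicyKit action definition of the kind the thread is discussing, added here as an illustration and not taken from the thread, pcsc-lite or openct. It shows how the "never allow access for remote users" default described for input, sound and camera devices maps onto PolicyKit's three defaults: allow_any covers any session, remote logins included; allow_inactive covers local sessions that are not on the active console; allow_active covers the active console session. The action id org.example.pcscd.access is a placeholder, since no such action exists on the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <!-- Hypothetical action id: a placeholder, not one defined by pcsc-lite. -->
  <action id="org.example.pcscd.access">
    <description>Access smart card readers through the pcscd daemon</description>
    <message>System policy prevents access to smart card readers</message>
    <defaults>
      <!-- Weak default (for contrast): any session, including remote
           logins, may talk to the daemon and authorize with its cards.
           <allow_any>yes</allow_any> -->

      <!-- Proposed default, matching input/sound/camera devices: -->
      <allow_any>no</allow_any>            <!-- remote sessions: never -->
      <allow_inactive>no</allow_inactive>  <!-- local, not on active console: never -->
      <allow_active>yes</allow_active>     <!-- active local console session: allowed -->
    </defaults>
  </action>
</policyconfig>
```

An administrator who needs the ssh-forwarded usage model from the thread would override allow_any for that action locally rather than relax the shipped default.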

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel