Hello,

On Mar 13, 2011, at 3:52 PM, Mr Dash Four wrote:
>>> I had to recompile the whole OpenSC/OpenCT framework from source as the 
>>> one shipped with Fedora was utter crap (and I mean *really* crap)! I 
>>> also had to upgrade gdm to 2.32 (again, compiled from source) in order 
>>> to get it to work with the rest of the framework in FC13.
>>> 
>> 
>> Can you elaborate more?
> "In short" and from what I remember, the OpenCT/OpenSC versions shipped 
> by Fedora were too old, introduced unnecessary dependencies and, most 
> importantly, they didn't work with my smartcard at all (even though the 
> card was not that uncommon, as it turned out). The configuration files 
> used the bloody coolkey driver which was completely useless even though 
> I had openct/opensc specified in the configuration. I also had to adjust 
> the login files in the pam.d directory as the options preselected there 
> (automatically by the gnome smartcard manager) didn't work with the 
> modules supplied with openct/opensc either.
a) If you have a smart card and a standard CCID reader and not a token, *forget 
OpenCT*! OpenCT only makes sense in the context of proprietary USB tokens. If 
the FAQ [1] is not clear enough about it, please help to improve it.
b) There is no such thing as Gnome smart card manager. If it will ever be 
created in the context I assume the original poster thinks about it, it will 
probably be integrated to Gnome Keyring/Seahorse. But there's nothing there yet.
c) It is virtually impossible to provide a ready made configuration file for a 
PKI related software component out of the box for a universal operating system 
(be it Debian or Fedora). PKI by definition requires configuring the trusted 
sources and endpoints (the public keys), I don't think you'd want to allow 
logon to your network or box to all the hundred-something "trusted issuers" you 
get by default with a browser installation...


> To top it all up, the Gnome smartcard manager couldn't talk to the 
> standard gdm shipped with FC13 (gdm 2.20 I think it was) and when I 
> managed to get it to start eventually, it did recognise the card, but 
> refused to present a prompt for me to type in my pin number to unlock 
> the key, which, again, turned out to be a fault with the openct/opensc 
> drivers shipped by Fedora as they were searching for the coolkey.so file 
> disregarding the options I put in my config files.
OpenSC (again, forget OpenCT in this context) does not reference any coolkey 
files AFAIK. You're mixing up a bunch of projects as "OpenCT/OpenSC". Overall 
it would be nice if there was an "OpenSC suite" that would be a holistically 
configured set of software, but until that exists, please point out that you're 
talking about the PAM-PKCS#11 configuration file.


I guess you have very high expectations for the out-of-the-box functioning of 
Fedora :)

For comparison:  the flagship "Just Works" operating system, OS X, once 
advertised "improved out of the box support for smart cards" which in real life 
probably meant functioning with a specific DoD smart card and a single 
reader/token. OS X Leopard was horribly broken from the lowest levels, don't 
expect a well functioning logon solution from that!  Fragmentation in smart 
card world is unfortunately as bad as with mobile devices...


> Given all that, I had to compile everything from source (imagine the 
> number of -devel dependency packages I had to install for this!), build 
> gdm 2.32 (on FC13!), build openct/opensc drivers from source while stripping 
> the dependencies I do not need and eventually made the whole thing work, 
> not without the critical help I received from a few members on this 
> list, Andre Zepezauer, Ludovic Rousseau, Martin Paljak and Peter Stuge 
> to name a few.

There are two things to do here:
a) provide up to date packages of all software that deals with the smart card 
experience (from CCID to NSS/Firefox combo)
b) provide holistically configured software packages.

Both are hard, because it is difficult to get the traction and attention of 
developers that Firefox gets. 

For the overall configuration: as RedHat is interested in selling their 
Dogtag/NDS solution, it is reasonable to expect that their packages are 
pre-configured to work with *their* holistic view of the PKI world.


>> Unfortunately, I believe your use case is even less supported nowadays.
>> Since the 0.12.0 release, opensc no longer supports building in both
>> pcsc-lite and openct support, so starting with Fedora 15, the opensc
>> package is built with only pcsc-lite support.


I believe the quite small percentage of users who are affected by this is 
declining every day. If it started to scratch someone's itch badly enough that 
someone implemented the bridge between the OpenCT drivers and pcsc-lite, or 
created the "easy proprietary token driver framework for pcsc-lite", that would 
be great. 


[1] http://www.opensc-project.org/opensc/wiki/FrequentlyAskedQuestions
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel