Nicolas Williams wrote:
> On Tue, Oct 07, 2008 at 11:46:10AM -0500, Douglas E. Engert wrote:
>> More on using OpenSC-0.11.6 with Solaris 10 and
>> /usr/lib/libpkcs11.so.
>>
>> I rebuilt OpenSC to use the OpenSSL from /usr/sfw
>
> Good idea. You don't want to end up with two different versions of
> OpenSSL in the same process' image (that'd not be supported, first of
> all, second, you can expect things to fail).
>
>> With the metaslot disabled, sshd works,
>> but it does load the opensc-pkcs11, and if a card
>> is present, opensc will access the card to get
>> info needed to set up for use with pkcs11. This
>> adds about 5 seconds to the ssh connection!
>
> How could sshd tell OpenSSL/the PKCS#11 engine/libpkcs11/OpenSC, that
> smartcards need not apply in this code path?
>
> One hack might be to use an environment variable that OpenSC might
> understand to mean: make believe there are no tokens. Another might be
> a way to tell libpkcs11 not to load OpenSC in this process (also through
> an env var?).

The smart card reader (I am using a USB reader) is similar to the kbd,
mouse, screen, speakers, microphone, DVD, and other locally attached USB
devices. They should be usable only by the console user. So what would
it take to add the smart card reader to this list of devices?

Login-type functions like pam_krb5, pam_pkcs11, and kinit with PKINIT
could tell libpkcs11 to include local reader devices. Other software
like a browser or e-mail program might also need access to the reader
and card.

I am using pcsc-lite with libusb to control the readers. It runs as
root. I don't see any way today to control what readers it presents.

OpenSC can also use OpenCT to access readers. I have not looked at how
it controls access.

>
> Nico

-- 
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444