Gary.Morton at sun.com wrote: > On 10/06/08 14:47, Nicolas Williams wrote: > >> On Mon, Oct 06, 2008 at 01:44:34PM -0700, Anthony Scarpino wrote: >> >>>> Note that sc_pkcs11_get_mechanism_list is called with p11card=0x0. >>>> Ticket #181 gets around this. >>>> >>>> I have not tracked down the sshd and login problems yet. >>>> I am assuming that is related to no mechanism list. >>>> >>> Just a wild stab here.. If metaslot is enabled, it will retrieve a list >>> of mechanisms from all the providers. You may try disabling metaslot, >>> 'cryptoadm disable metaslot', to see if that helps.. >>> >>> >>>> Note that sshd should not be using the console user's >>>> smartcard for any crypto! >>>> >>> OpenSC and the smartcard are providers in PKCS#11. If it is providing >>> crypto to the system, it is available to be used. Granted no one would >>> ever want a smartcard to do the crypto ops, but there is nothing in >>> PKCS#11 to stop it.. >>> >> Is there any way to provide a provider preference order so that >> smartcards are never used for crypto other than in relation to >> non-extractable keys? >> > > Nope. There is an open RFE (6419307) I created for similar reasons a > while back. >
This RFE is for kernel crypto providers. For user level providers, which is the case here, there is a preference order. It is the order in which they appear in /etc/crypto/pkcs11.conf. I believe this is not a documented. But, it should solve the problem for opensc-pkcs11.so. Regards, -Krishna -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/kerberos-discuss/attachments/20081006/bc5d6f75/attachment.html>
