Hi Martin,
I've decided to first try the skeleton module pam which just verifies that there is in fact a smartcard in the reader, but I'm not sure if the pam_musclecard.so library actually loads up, because for this very simple verification all I have to do is add :-
auth required /lib/security/pam_musclecard.so, yet it doesn't verify
Anyways, thanks for your help.


Sim


Martin Buechler wrote:


Hi Sim,

Here are some yes-only-questions to track down the problem:

1. Does muscleTool's encrypt and PIN-authentication work with your musclecard/terminal/pcsc setup?

yes



2. Does an 'ldd pam_musclecard.so' find all linked libraries, with an unset LD_LIBRARY_PATH?

[EMAIL PROTECTED] dahmad]$ ldd /lib/security/pam_musclecard.so
        libpcsclite.so.0 => /usr/local/lib/libpcsclite.so.0 (0x40019000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40029000)
        libpam.so.0 => /lib/libpam.so.0 (0x40059000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40063000)
        libdl.so.2 => /lib/libdl.so.2 (0x40137000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

3. If you use a Root CA cert, is it configured in /etc/pam-muscle.conf; is your card cert signed by this CA cert?
or
3. If you use a user cert, is it configured in /etc/pam-muscle.conf?
4. Does your system have an account named exactly like the first part of the email field in the DN entry of your X509 card cert?


I cannot test the effects of the following, since my distribution uses a slightly different pam setup; this is more a suggestion:

login:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
#auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_musclecard.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Maybe someone else has more experience with your setup.

Cheers

Martin

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
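
The library check from question 2 and a check of the login stack suggested above, as an added example that is not part of the original thread. The function names are hypothetical and the embedded stack is a copy of the one in the message, used as sample input.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Read `ldd` output on stdin and print each library the loader could not
# resolve. Exit status 0 = everything resolved, 1 = something is missing.
unresolved_libs() {
    awk '/=> not found/ { print $1; bad = 1 } END { exit bad + 0 }'
}

# Question 2 from the thread: run ldd with LD_LIBRARY_PATH unset so the
# result does not depend on the calling shell's environment.
check_module() {    # usage: check_module /lib/security/pam_musclecard.so
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    ( unset LD_LIBRARY_PATH; ldd "$1" ) | unresolved_libs
}

# Print the active (uncommented) entries of one PAM type from a service
# file, in stack order, as "control module.so". Assumes simple control
# keywords (required, optional, ...), not the bracketed [value=action] form.
pam_stack() {       # usage: pam_stack auth /etc/pam.d/login
    awk -v t="$1" '
        /^[ \t]*#/ || NF < 3 { next }
        $1 == t { n = split($3, p, "/"); print $2, p[n] }
    ' "$2"
}

# Succeed only if the module sits on an active line of the given type.
pam_has_module() {  # usage: pam_has_module auth pam_musclecard.so FILE
    pam_stack "$1" "$3" |
        awk -v m="$2" '$2 == m { found = 1 } END { exit !found }'
}

# The login stack suggested in the thread, for trying the functions offline.
sample_login_stack() {
    cat <<'EOF'
#%PAM-1.0
auth required /lib/security/pam_securetty.so
#auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_musclecard.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
EOF
}
```

Run against the sample, `pam_stack auth` shows that with the `pam_stack.so service=system-auth` line commented out, the auth stack consists only of pam_securetty, pam_musclecard and pam_nologin.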


