Hi,
Sorry for the delay (I was on vacation).
The article you've mentioned is rather good for understanding PAM
development.
Regarding your auth scheme, you could do it the following way (just my
2 cents):
1) Store username/uid and password on the smartcard (in some file;
let's name it "credentials file")
2) Make a CHV (cardholder verification) file and set PIN/PUK
3) Set AC (access conditions) for reading the "credentials file" in such a
way that its contents can be read only after successful PIN verification
Of course, make sure that the line over which communication to the SR is
established is secure (to avoid snooping):
- use an external hardware encryption device
- or use SM (secure messaging) when speaking to the card.
- check whether the SR170 is capable of traffic encryption (in this case it'll
be TCP).
Or you can do it another way:
1) Do not store the password on the card at all
2) Make up some scheme that doesn't require transmitting the password over
the network.
You'll need to get the Payflex manual from Axalto (or Gemalto now, IIRC) to
get to know all the needed APDUs.
If you need further assistance feel free to mail me. I'll be glad to
help you out.
P.S. No, I can't help with the Payflex manual :) Sorry.
Best regards,
alexz.
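To make the first scheme concrete, here is a small simulation (added here, not code from the post or from Payflex/SolarisAuthApplet): a mock card holding a "credentials file" whose READ is gated by the CHV access condition, plus the host-side VERIFY-then-READ exchange a PAM module would drive. APDU layouts follow ISO 7816-4 VERIFY and READ BINARY; the PIN, retry limit and credential bytes are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SW_OK = (0x90, 0x00)
SW_SECURITY_NOT_SATISFIED = (0x69, 0x82)   # AC not met: no CHV verified yet
SW_AUTH_BLOCKED = (0x69, 0x83)             # CHV retry counter exhausted

@dataclass
class SimCard:
    """Constructed mock of the card: credentials file behind a CHV1 check."""
    pin: bytes
    credentials: bytes          # contents of the "credentials file"
    retries_left: int = 3       # CHV retry counter (assumed limit of 3)
    chv_verified: bool = False  # cleared on reset / card removal

    def transmit(self, apdu: bytes) -> Tuple[bytes, Tuple[int, int]]:
        cla, ins, p1, p2 = apdu[:4]
        if ins == 0x20:                                   # VERIFY (CHV1)
            if self.retries_left == 0:
                return b"", SW_AUTH_BLOCKED
            if apdu[5:5 + apdu[4]] == self.pin:
                self.chv_verified, self.retries_left = True, 3
                return b"", SW_OK
            self.retries_left -= 1
            return b"", (0x63, 0xC0 | self.retries_left)  # 63 Cx: x retries left
        if ins == 0xB0:                                   # READ BINARY
            if not self.chv_verified:                     # AC: CHV1 required
                return b"", SW_SECURITY_NOT_SATISFIED
            offset, length = (p1 << 8) | p2, apdu[4]
            return self.credentials[offset:offset + length], SW_OK
        return b"", (0x6D, 0x00)                          # INS not supported

def verify_apdu(pin: bytes) -> bytes:
    # CLA=00 INS=20 P1=00 P2=01 (CHV1) Lc=len(pin) data=pin
    return bytes([0x00, 0x20, 0x00, 0x01, len(pin)]) + pin

def read_binary_apdu(offset: int, length: int) -> bytes:
    # CLA=00 INS=B0 P1P2=offset Le=length
    return bytes([0x00, 0xB0, offset >> 8, offset & 0xFF, length])

def read_credentials(card: SimCard, pin: bytes) -> Optional[bytes]:
    """Host side of the scheme: VERIFY first, READ only if the card accepted it."""
    _, sw = card.transmit(verify_apdu(pin))
    if sw != SW_OK:
        return None
    data, sw = card.transmit(read_binary_apdu(0, 32))
    return data if sw == SW_OK else None
```

The mock does not model secure messaging, so the PIN and credentials cross the host-to-card link in clear, which is exactly the snooping exposure the post says the SR link must be protected against.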
Odin Ifrit wrote:
>
> Subject: Re: [Muscle] sunray170 smartcard dtlogin authentication
> From: Odin Ifrit <[EMAIL PROTECTED]>
> Date: Sun, 30 Sep 2007 21:19:41 -0700 (PDT)
> To: MUSCLE <[email protected]>
>
> Thanks a lot, I've downloaded the PCSC bypass for Solaris and I'm
> beginning to understand PAM development. I'm following this article:
> http://72.5.124.65/solaris/articles/user_auth_solaris2.html (see also
> parts 1 and 3)
>
> I just want to know if I'm looking in the correct way, and I'd appreciate
> it if you could tell me how to implement the smartcard authentication there.
> I use the SolarisAuthApplet on the Payflex smartcard, so I need to grab
> the user, pwd and PIN from there, ask the user for the PIN and then
> authenticate; this is the part I cannot figure out how to do.
> Can you give just a small example of how to achieve this?
> I really appreciate your help guys, you're awesome!
>
>
> ----- Original Message ----
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: MUSCLE <[email protected]>
> Sent: Friday, 28 September 2007 3:08:56
> Subject: Re: [Muscle] sunray170 smartcard dtlogin authentication
>
> Of course, misspelled again :) PCSC bypass and custom PAM module.
> You also have to plan how user/pass (or something else, in case you have a
> custom auth scheme) will be stored on your card, and based on that write
> the PAM module.
> It's all up to you. Do whatever suits your needs :)
> Consider also security risks when designing.
>
>
> Best regards,
> alexz.
>
> [EMAIL PROTECTED] wrote:
>> Odin Ifrit wrote:
>>> Hello all!,
>>> I have some Sun Ray 170 terminals connected to a SunFire server running
>>> Solaris 10 and SRSS (Sun Ray Server Software) v4, and some Payflex
>>> smartcards.
>>> I want the smartcard to be required for the dtlogin authentication. I
>>> mean the dtlogin should say "please insert your smartcard", then you
>>> insert it, then dtlogin grabs user and pwd from the card (previously loaded
>>> with SolarisAuthApplet) and asks for the PIN; if the PIN is correct, the user
>>> can log in.
>>>
>>> That is the behavior I want. I did it on a SunBlade 1500 but I've been
>>> told that it cannot be done on the Sun Ray the same way I did it on the Blade. It
>>> seems that I need middleware software. My question is: can I accomplish
>>> the behavior I want (or something similar; I mean maybe there is some
>>> solution that doesn't require dtlogin, I don't know) using some of your
>>> software, or can you provide me some tutorial on how to do it? If
>>> necessary I can write code, but I need orientation on where to start
>>> looking.
>>> I really appreciate your help guys! I'll provide anything necessary to
>>> accomplish this, thanks!!!
>>>
>>> _______________________________________________
>>> Muscle mailing list
>>> [email protected]
>>> http://lists.drizzle.com/mailman/listinfo/muscle
>>
>> Hi Odin,
>> It can be done with a custom PAM module and Sun's pcsclite software (PSCS
>> bypass).
>>
>> Best regards,
>> alexz.
>>
>