2014/1/6 Nikos Mavrogiannopoulos <n...@redhat.com>:
> On Sat, 2014-01-04 at 21:57 +0100, Ludovic Rousseau wrote:
>
>> > Hello,
>> >  Indeed smart cards _may_ have some access control method (but they are
>> > not required to). The smart card access control currently is very
>> > coarse (as I can erase every smart card in the system without any
>> > special permissions), and several files on the card like certificates are
>> > almost never protected.
>> >
>> > What the patch ensures is that only admin-authorized processes can talk
>> > to the hardware. That means:
>> > * Only authorized processes can extract the public information in the
>> > card.
>> > * Only authorized processes can erase the card.
>> > * Only authorized processes can talk to the card firmware (cards may
>> > have bugs as any other kind of software).
>> >
>> > Moreover, authorization policy is tied to the system processes rather
>> > than being an external process that depends on the smart card in
>> > use. For example, a PIN-enabled smart card can never distinguish a
>> > local user from a console one, however polkit policies can.
>>
>> I am still not convinced that Policy Kit is a good solution for the
>> problems you describe.
>
> I agree there may be other solutions as the ones you suggest below, but
> they require changing the hardware. Access control with polkit works
> with any smart card and any smart card access control method. Also the
> 3rd point I make (access to the card firmware) cannot be solved by
> additional hardware, but is solved with polkit.
>
>> If the card can be erased or modified without any previous
>> authentication (PIN or secure message) then that is the problem of the
>> card (or card provider).
>
> All the smart cards I ever had can be erased by anyone in the system
> using "pkcs15-init -E". So using polkit there will allow the
> administrator of the system to define the "anyone" part.

I guess you only have PKCS#15 cards with default (known) transport keys.

You can't reinitialize a correctly configured smart card. Try to erase
a SIM or banking card.

>> If you want to avoid a remote user to use a PIN protected card the
>> best is to use a pinpad reader with a firewall. The PIN will only be
>> entered using the pinpad. Any PIN verification command will be
>> rejected by the reader firewall.
>
> Or I can use polkit :) The latter requires no additional hardware and is
> already used for access control (to access hard disks) in most systems.
>
> In general administrating a system doesn't always imply selection of the
> authenticating tokens. Typically the tokens are fixed and the
> administrator tries to make the best use of the system access controls
> to prevent misuse. In 99% of the cases a smart card is used
> interactively from the guy sitting on the PC and currently there is no
> way to enforce that.

OK. PolKit may solve some problems in some cases.

My concern is: what default security policy should be provided by pcsc-lite?
To _not_ break existing systems the default configuration should be:
access allowed for any process.
Can we propose something better than that?

Bye

-- 
 Dr. Ludovic Rousseau

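To make the policy question at the end of the message concrete, here is an added example that is not part of the thread or of pcsc-lite itself: two polkit rules for pcsc-lite access, the permissive "access allowed for any process" default beside a stricter "local active session only" variant, together with a small shim that mimics the part of polkitd's JavaScript rule API they use (`polkit.addRule`, `polkit.Result`, `subject.local`, `subject.active`) so the rules can be exercised offline. The action ids `org.debian.pcsc-lite.access_pcsc` and `org.debian.pcsc-lite.access_card` are assumed here; they are not named in the thread.

```javascript
// Added example (not from the thread or from pcsc-lite). Assumptions: the two
// action ids below, and a `polkit` shim that mimics only the parts of polkitd's
// rules API used here (addRule, Result, first-rule-wins evaluation).
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // polkitd semantics: rules are consulted in order; the first rule returning a
  // value other than undefined decides, otherwise the action's default applies.
  check(action, subject, fallback) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return fallback;
  },
  reset() { this._rules = []; },
};

// Assumed action ids for talking to pcscd and to a card (not from the thread).
const PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_pcsc",
  "org.debian.pcsc-lite.access_card",
];

// Policy A: the "don't break existing systems" default described in the mail;
// every process, local or remote, may reach pcscd and any inserted card.
function installPermissiveRules() {
  polkit.addRule(function (action, subject) {
    if (PCSC_ACTIONS.includes(action.id)) return polkit.Result.YES;
  });
}

// Policy B: only a user with a local, active session gets the card without a
// prompt; anyone else (e.g. a remote SSH login) must authenticate as admin.
function installLocalOnlyRules() {
  polkit.addRule(function (action, subject) {
    if (!PCSC_ACTIONS.includes(action.id)) return undefined;
    if (subject.local && subject.active) return polkit.Result.YES;
    return polkit.Result.AUTH_ADMIN;
  });
}

// Evaluate one policy for one subject; returns the polkit result string.
// Actions the rules do not mention fall back to "no" here.
function decide(installPolicy, actionId, subject) {
  polkit.reset();
  installPolicy();
  return polkit.check({ id: actionId }, subject, polkit.Result.NO);
}

// Constructed subjects mirroring the thread's distinction between the person
// sitting at the PC and a remote login on the same machine.
const consoleUser = { user: "alice", local: true, active: true };
const remoteUser = { user: "bob", local: false, active: false };

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, policy] of [["permissive", installPermissiveRules],
                                ["local-only", installLocalOnlyRules]]) {
    for (const s of [consoleUser, remoteUser]) {
      console.log(name, s.user,
        decide(policy, "org.debian.pcsc-lite.access_card", s));
    }
  }
}
```

Policy A reproduces today's behaviour, so a remote login can still run something like `pkcs15-init -E` against an inserted card; Policy B is the kind of tighter default the message asks about, with the distinction drawn on the session (local and active) rather than on anything the card itself can check.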
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.musclecard.com/mailman/listinfo/muscle_lists.musclecard.com
