Andreas Jellinghaus wrote:
examples of advanced features:

* list smart card readers and card status
* let people know about the secure input LED, so they check it is on (i.e. with pinpad readers, make sure people enter the PIN to the card, and not with "INPUT" commands read by the PC).
* display card info like name, photo ID, whatever.
* allow people to select the account they want to log in to (list those the card is valid for - some people might see that as a security issue, if it is done before authentication).
* allow people to unblock the PIN - blocked PINs happen and it is a problem if people can't unblock them with the PUK.
* (optional) leave the card in verified state, so network connections, crypto partitions and other stuff can be used without re-entering the PIN.
* lock screen if card is removed.
* same features in xdm&friends and xlock&friends.
Yes, I really like to see something like this!!!
However, Alon Bar-Lev did some development for kdm and pam. Perhaps his experience might help? The same features also for gdm and friends, please...

PAM is not suited to these advanced features. But neither is PKCS#11.

I think one of the main issues is to check if a card is inserted and magically provide a list of certificates on the card. xdm/kdm/gdm should be modified to display this list (select box) and let the user choose a certificate... If there is no reader, pam_pkcs11 should fail or be skipped. If the card is removed -> session end. Is this possible with PAM?

I fear neither the opensc code nor the "library model" (as opposed to a daemon/agent model).

Back to the original issue: what can we (easily) add to the pam_p11 module to make the max. number of users happy? Please file new tickets. Will try to implement (mostly as options).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
