Douglas E. Engert wrote: Thank you for your help. Please see my comments below ...
>
> Huie-Ying Lee wrote:
>
>> Hi,
>>
>> I'm a Solaris engineer at Sun Micros. We have been working on porting
>> the OpenSC/pam_pkcs11 module, version 0.6.0, to Solaris. During the
>> porting, I encountered a couple of build issues and I would appreciate
>> if you can help me with them.
>>
>> Q1: According to the configure.in file, the default value of the
>> "--with-nss" option is "No". In my build, I am pretty sure that it was
>> not built with NSS on, because the output of build indicated there was
>> no NSS support as below.
>>
>> ---------------------------------
>> Debugging: yes
>> DocBook support: yes
>> PC/SC support: no
>> CURL support: no
>> LDAP support: yes
>> NSS support: no
>> OPENSSL support: yes
>> ---------------------------------
>>
>> However, the resulting module is linked with the NSS libraries.
>> -----------------------------------------------
>> $ldd pam_pkcs11.so
>> ....
>> libnspr4.so => /usr/lib/mps/libnspr4.so
>> libplc4.so => /usr/lib/mps/libplc4.so
>> libnss3.so => /usr/lib/mps/libnss3.so
>
> What other libraries are included? Could it be that the Solaris ldap
> which uses nss is included?
>

Yes, Solaris ldap uses nss and this is exactly the cause. Thanks!

> ldd libldap.so
> on Solaris 10 shows it uses /usr/lib/mps/libnss3.so
>
>> ------------------------------------------------
>>
>> Any hint about the reason that these NSS libraries are linked with
>> pam_pkcs11.so ? How can I get rid of them ?
>
> Use OpenLDAP built on OpenSSL :-)
>
>>
>> Q2: To meet the Solaris file location convention, I changed the
>> default location of the pam_pkcs11.conf file in the pam_config.c
>> file. To reserve the original code, I used CPP "#ifdef" to
>> differentiate the new code from the original code.
>> For example,
>> pam_config.c file,
>>
>> -----------------------------------------------------------------------------------
>>
>> struct configuration_st configuration = {
>>         "/etc/pam_pkcs11/pam_pkcs11.conf",      /* char *config_file; */
>>         NULL,                                   /* scconf_context *ctx; */
>> -----------------------------------------------------------------------------------
>>
>
> A better way to do this would be to make the path a define, and change
> configure.in to add it to the config.h
>

Yes, making the path a define will be better for this case. However, I need to make other changes to get it to work on Solaris. Most of them are not location related. I think I have picked a bad example to show the #ifdef problem that I am trying to solve.

>
>> I changed the above code to the code below and added the -DSUN_SOLARIS
>> flag to the Makefile.am file.
>>
>> -------------------------------------------------------------------------------------
>>
>> struct configuration_st configuration = {
>> #ifdef SUN_SOLARIS
>>         "/etc/security/pam_pkcs11/pam_pkcs11.conf",
>> #else
>>         "/etc/pam_pkcs11/pam_pkcs11.conf",      /* char *config_file; */
>> #endif
>>         NULL,                                   /* scconf_context *ctx; */
>> -------------------------------------------------------------------------------------
>>
>> However, the resulting file still picked up the original line. It
>> seems that the generated Makefile file doesn't recognize the new
>> "SUN_SOLARIS" flag. Currently, I worked around this problem, but I
>> would like to know which file that I should update so that the
>> "-DSUN_SOLARIS" will be recognized.
>>
>
> Did you run the ./bootstrap after updating the Makefile.am?

No, I didn't run the ./bootstrap script but I did run "./configure". The reason that I didn't run the "./bootstrap" script is because this script will remove the config.sub file and the config.guess file. However, these two config.* files are needed by the configure script. Is this a bug in the bootstrap command ?
>
>>
>> Q3: For the NLS support, I found that the only file that has the
>> gettext support is the pam_pkcs11.c file which is part of the
>> pam_pkcs11 module. All the utility commands under the src/tools
>> directory currently do not have the NLS support. Is this correct ?
>>
>>
>> Note that in order to make it work on Solaris, I also made a design
>> change to resolve an incompatibility problem between the pam_pkcs11
>> module and the Solaris Cryptographic framework, a PKCS#11
>> implementation. I will explain this problem and my changes in a
>> separate email later.
>>
>
> Are you also working with the Kerberos groups at Sun who are looking at
> pam_krb5 with PKINIT?

Yes, I am working with the Kerberos group at Sun.

> In many environments, this is a better way to use smartcards for logon.
> You not only
> login to the local machine, you login to the realm/domain...
>

Yes, a Kerberos engineer and I have discussed about this a while before. We concluded that if pam_krb5 is enhanced to support PKINIT, then stacking a "pam_pkcs11.so" below the PAM stack is probably redundant. However, the pam_pkcs11 module is still useful for a system that is not a Kerberos client.

Huie-Ying

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
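
The suggestion quoted in the thread (make the configuration path a define that configure.in writes to config.h), sketched as an added example; it is not code from the thread or from the pam_pkcs11 project. The option name `--with-confdir` and the macro name `PAM_PKCS11_CONF_FILE` are assumptions, and the fragment assumes configure.in already generates config.h.

```m4
dnl Added example for configure.in. --with-confdir and PAM_PKCS11_CONF_FILE
dnl are hypothetical names chosen for illustration.
AC_ARG_WITH([confdir],
    [AS_HELP_STRING([--with-confdir=DIR],
        [directory that holds pam_pkcs11.conf (default: /etc/pam_pkcs11)])],
    [confdir="$withval"],
    [confdir="/etc/pam_pkcs11"])

dnl Accept absolute paths only. A bare --with-confdir sets $withval to "yes",
dnl and a PAM module must never locate its configuration relative to the
dnl working directory of whatever process loaded it.
case "$confdir" in
    /*) ;;
    *) AC_MSG_ERROR([--with-confdir requires an absolute path]) ;;
esac

dnl Emitted into config.h as:
dnl     #define PAM_PKCS11_CONF_FILE "<confdir>/pam_pkcs11.conf"
AC_DEFINE_UNQUOTED([PAM_PKCS11_CONF_FILE], ["$confdir/pam_pkcs11.conf"],
    [Default location of the pam_pkcs11 configuration file])

dnl pam_config.c can then drop the platform #ifdef around the path:
dnl     #include "config.h"
dnl     struct configuration_st configuration = {
dnl         PAM_PKCS11_CONF_FILE,   /* char *config_file; */
dnl         NULL,                   /* scconf_context *ctx; */
dnl         ...
```

With this in place a Solaris build would pass `--with-confdir=/etc/security/pam_pkcs11` to configure. The configure script has to be regenerated from configure.in before the new option exists.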