Nikos Mavrogiannopoulos:
I remember I have practical issues with polkit authentication enabled,
and that why it was explicitly disabled. It's been some time and I may
be wrong, but you may know better whether an application (e.g. a gnome
component) could potentially use a single pcscd connection for multiple
requests sent in parallel. If Stanislav has, however, tested such use
cases and they cause no issue I have no problem with the change.
Well, in this case, please disable it by changing "auth_admin" to "no"
(my second patch in the thread).
Yes, "auth_admin" still causes issues: Second app is waiting until you
authorize first waiting app. Then second app wakes, and asks for
password as well. And you will be asked twice. First time to obtain
permission to access the reader, second time to access the card.
This is ugly, but it is the correct behavior of "auth_admin".
You can use "auth_admin_keep" to prevent these problems: In the next 5
minutes, all applications in the same session will be allowed to access
without the consequent authorization.
Maybe more complicated implementation of polkit integration would make
possible auth_admin asking just once. But it is a lot of work with a
small benefit.
Stanislav Brabec wrote:
Well, We can keep the patch and change defaults. Then the default
configuration can never cause delays, but users of ssh remote sessions
and so will still be able to authorize after admin's conscious changes
of configuration.
I find that wrong. The policy should not be used to correct a software
issue.
Well, the current default configuration with "auth_admin" for inactive
and non-logged users with the current version (without the first patch)
works exactly the same as "no". Without
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION "auth_admin"
behaves exactly as "no".
If project applies both patches, pcsc-lite will behave exactly like
before, but keeping open a chance to allow challenge/response auth
possible after a configuration change.
Well, I don't see a reason for auth_admin in the default configuration.
no:no:yes looks OK for me.
But the patch allow more configurations possible:
- relaxing rule: Allow ssh user to access after entering admin password.
auth_admin:auth_admin:yes
- hardening rule: Even local user must repeat password to use
card/reader.
no:no:auth_user_keep
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: [email protected]
Lihovarská 1060/12 tel: +49 911 7405384547
190 00 Praha 9 fax: +420 284 084 001
Czech Republic http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76
_______________________________________________
Pcsclite-muscle mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle