On Mon, Sep 14, 2015 at 11:25:39AM +0200, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've been writing some text to integrate freeipa/sssd with openconnect
> server [0], and for single password or OTP that seems to integrate
> seamlessly. However, when PAM-SSSD is configured to use smart cards,
> that only works with locally inserted cards. That is, even if one uses
> the smart card to establish the channel used for VPN, the PAM module
> wouldn't know that. Would it make sense to use a flag (e.g., via
> pam_putenv()) and the caller of the PAM functions set the information
> provided by the certificate used for the session for SSSD to assume a
> card is present? (*)

Hi Nikos,

I'm not sure I can follow, can you describe in a bit more detail how it
should work?

bye,
Sumit

>
> regards,
> Nikos
>
> [0].
> https://github.com/openconnect/recipes/blob/master/ocserv-freeipa.md
>
> (*). Unfortunately with TLS you can verify a signature from a smart
> card but you cannot have a proof that you did it recently.
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel