On 8/7/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote:
> Bob Doolittle wrote:
> What are you hoping to accomplish by using [pam_smartcard.so] with Sun Ray?

> This is not my aim.
> I want you to have to authenticate with a smartcard and PIN on the server,
> using its local built-in smartcard reader, independent of the authentication
> policies for Sun Ray login.
> It should protect access to the server login.
>
> I do not want to use OCF in connection with Sun Ray authentication.
>
> Is there a way to use the local server authentication with smartcard and PIN
> without affecting the Sun Ray configuration?

That's what the 'dtlogin-SunRay' and 'dtsession-SunRay' entries
in pam.conf are supposed to achieve.  They were invented so that
Sun Ray could have its own PAM definitions separate from the
normal 'dtlogin' and 'dtsession' entries ('dtsession' is the CDE
screen lock).  Your 'dtlogin-SunRay' and 'dtsession-SunRay'
entries look good to me, so I can't explain why the CDE screen
lock misbehaves.  Please make sure that /etc/dt/config/Xconfig
on this system contains the line:

 Dtlogin.validPAMclasses: SunRay

although it's almost certain that that line is correct, otherwise you
would not have been able to log in through a Sun Ray.

To get more information please create a file named /etc/pam_debug
containing the line:

 debug_flags=7

This will cause PAM to emit syslog messages with a facility.priority
class of auth.debug.  You can edit your syslog.conf to deliver that
class of messages to some convenient file.  (Or you can tell PAM to
emit messages with some other facility and priority value by putting
"log_priority=<P>" and "log_facility=<F>" lines into /etc/pam_debug,
where <P> is a numeric priority value (0-7) and <F> is a numeric
facility value (0-23) taken from /usr/include/sys/syslog.h.)  You might
have to log out and log back in after making these changes in order
to get them noticed and put into effect.

'xscreensaver' and 'xlock' do not know how to run a separate
set of PAM entries for a Sun Ray session so they're always going
to run the same entries for Sun Ray as they do everywhere else.
If pam_smartcard is one of those entries then that will always
cause trouble because, I think, pam_smartcard will always cause
authentication to fail.  It should be possible to "wrap" pam_smartcard.so
with another module in such a way that it does not cause a PAM
failure for non-console sessions but I don't have such a module
lying around.

OttoM.
__
ottomeister

Disclaimer: These are my opinions.  I do not speak for my employer.
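Added illustration, not code from this thread or from Sun: a small Python model of the pam.conf(4) control-flag rules (requisite, required, binding, sufficient, optional) run over the 'other', 'xlock', 'xscreensaver' and 'dtsession-SunRay' entries quoted below. It shows why a failing pam_smartcard stops 'xlock' and 'xscreensaver' before any other module is asked, while 'dtsession-SunRay' never consults it. Module outcomes are supplied by hand as a dict (constructed, no real PAM modules are loaded); the helper `with_control` and the service name "sshd" are hypothetical and only illustrate the fallback to 'other' and the "do not cause a PAM failure" idea.

```python
"""Model Solaris pam.conf stacking to see which modules a service consults.

Added example for this thread.  Outcomes are constructed, not produced by
real modules; 'include' and PAM_IGNORE are not modelled.
"""

# Constructed subset of the /etc/pam.conf quoted in the thread.
PAM_CONF = """
# 'other' applies to any service with no entries of its own
other            auth requisite  pam_authtok_get.so.1
other            auth required   pam_dhkeys.so.1
other            auth required   pam_unix_cred.so.1
other            auth required   pam_unix_auth.so.1
# xlock settings added by /usr/bin/smartcard
xlock            auth requisite  pam_smartcard.so.1
xlock            auth requisite  pam_authtok_get.so.1
xlock            auth required   pam_dhkeys.so.1
xlock            auth required   pam_unix_cred.so.1
xlock            auth required   pam_unix_auth.so.1
# xscreensaver: the smartcard line sits above the SunRay line
xscreensaver     auth requisite  pam_smartcard.so.1
xscreensaver     auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver     auth requisite  pam_authtok_get.so.1
xscreensaver     auth required   pam_dhkeys.so.1
xscreensaver     auth required   pam_unix_cred.so.1
xscreensaver     auth required   pam_unix_auth.so.1
# dtsession-SunRay: no pam_smartcard at all
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite  pam_authtok_get.so.1
dtsession-SunRay auth required   pam_dhkeys.so.1
dtsession-SunRay auth required   pam_unix_cred.so.1
dtsession-SunRay auth required   pam_unix_auth.so.1
"""

CONTROLS = {"requisite", "required", "binding", "sufficient", "optional"}


def parse_pam_conf(text):
    """Return [(service, type, control, module_basename)] from pam.conf text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        control = control.lower()
        if control not in CONTROLS:
            raise ValueError("unknown control flag %r in %r" % (control, raw))
        # module options after the path (e.g. 'syncondisplay') are ignored here
        entries.append((service, mtype, control, module.rsplit("/", 1)[-1]))
    return entries


def stack_for(entries, service, mtype="auth"):
    """A service's own entries are used if it has any, otherwise 'other'."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate(service, outcomes, conf=PAM_CONF):
    """Walk the auth stack for `service` and return (authenticated, consulted).

    `outcomes` maps module basename -> True (success) / False (failure);
    modules not listed are assumed to succeed.  Control-flag rules follow
    pam.conf(4): requisite failure returns at once; required/binding failure
    is recorded and the stack continues; binding/sufficient success with no
    recorded failure returns success at once; optional results are ignored
    (the 'only module is optional' special case is not modelled).
    """
    consulted = []
    first_failure = None
    for _svc, _type, control, module in stack_for(parse_pam_conf(conf), service):
        consulted.append(module)
        ok = outcomes.get(module, True)
        if control == "requisite" and not ok:
            return False, consulted
        if control in ("required", "binding") and not ok and first_failure is None:
            first_failure = module
        if control in ("binding", "sufficient") and ok and first_failure is None:
            return True, consulted
    return first_failure is None, consulted


def with_control(conf, service, module, new_control):
    """Hypothetical variant of `conf` with one entry's control flag changed."""
    out = []
    for line in conf.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == service and f[3].endswith(module):
            f[2] = new_control
            line = " ".join(f)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    # pam_smartcard returns an error, as the SCF_Session_getTerminal log line shows
    card_fails = {"pam_smartcard.so.1": False}
    print("xlock           ", evaluate("xlock", card_fails))
    print("xscreensaver    ", evaluate("xscreensaver", {**card_fails, "pam_sunray.so": True}))
    print("dtsession-SunRay", evaluate("dtsession-SunRay", {**card_fails, "pam_sunray.so": True}))
    relaxed = with_control(PAM_CONF, "xlock", "pam_smartcard.so.1", "optional")
    print("xlock/optional  ", evaluate("xlock", card_fails, conf=relaxed))
```

The 'xscreensaver' case is the telling one: because /usr/bin/smartcard inserted its requisite line above the SunRay 'sufficient' line, pam_sunray is never reached once the card lookup errors out. The `with_control` variant only shows what "not causing a PAM failure" means for the stack; simply downgrading pam_smartcard to optional in the console 'dtlogin' stack would remove the smartcard requirement that the original poster wants to keep, which is why a wrapper that fails open only for non-console sessions is the cleaner fix.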


> Jan Rottkamp wrote:
> >> On 8/6/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote:
> >>
> >>> When using Gnome as GUI, a white screen appears on the monitor with the
> >>> following output:
> >>> Enter password to unlock; select icon to lock.
> >>>
> >> This is the 'xlock' program.  SRSS uses 'xlock' to lock your screen
> >> when 'xscreensaver' is unable to lock it.
> >>
> >>
> >>> And nothing happens.
> >>>
> >>> When using CDE as GUI, after the user inserts the smartcard, the CDE
> >>> dialog appears to unlock the locked screen with the user's password,
> >>> but no password will be accepted and nothing happens.
> >>>
> >> [snip]
> >>
> >>> In the system log I find at this time the line (it is a German system):
> >>>
> >>> Aug  7 01:20:12 picasso xlock[15300]: [ID 112702 auth.error] pam_smartcard:
> >>> Unexpected error from SCF_Session_getTerminal: Unbekannter Terminalname
> >>> (unknown terminal name)
> >>>
> >> It looks like the PAM configuration on this machine is broken.
> >> Please post the contents of /etc/pam.conf from this system.
> >>
> >>
> >
> > Here is the /etc/pam.conf
> >
> > #
> > #ident  "@(#)pam.conf   1.28    04/04/21 SMI"
> > #
> > # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> > # Use is subject to license terms.
> > #
> > # PAM configuration
> > #
> > # Unless explicitly defined, all services use the modules
> > # defined in the "other" section.
> > #
> > # Modules are defined with relative pathnames, i.e., they are
> > # relative to /usr/lib/security/$ISA. Absolute path names, as
> > # present in this file in previous releases are still acceptable.
> > #
> > # Authentication management
> > #
> > # login service (explicit because of pam_dial_auth)
> > #
> > login   auth requisite          pam_authtok_get.so.1
> > login   auth required           pam_dhkeys.so.1
> > login   auth required           pam_unix_cred.so.1
> > login   auth required           pam_unix_auth.so.1
> > login   auth required           pam_dial_auth.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin  auth sufficient         pam_rhosts_auth.so.1
> > rlogin  auth requisite          pam_authtok_get.so.1
> > rlogin  auth required           pam_dhkeys.so.1
> > rlogin  auth required           pam_unix_cred.so.1
> > rlogin  auth required           pam_unix_auth.so.1
> > #
> > # Kerberized rlogin service
> > #
> > krlogin auth required           pam_unix_cred.so.1
> > krlogin auth binding            pam_krb5.so.1
> > krlogin auth required           pam_unix_auth.so.1
> > #
> > # rsh service (explicit because of pam_rhost_auth,
> > # and pam_unix_auth for meaningful pam_setcred)
> > #
> > rsh     auth sufficient         pam_rhosts_auth.so.1
> > rsh     auth required           pam_unix_cred.so.1
> > #
> > # Kerberized rsh service
> > #
> > krsh    auth required           pam_unix_cred.so.1
> > krsh    auth binding            pam_krb5.so.1
> > krsh    auth required           pam_unix_auth.so.1
> > #
> > # Kerberized telnet service
> > #
> > ktelnet auth required           pam_unix_cred.so.1
> > ktelnet auth binding            pam_krb5.so.1
> > ktelnet auth required           pam_unix_auth.so.1
> > #
> > # PPP service (explicit because of pam_dial_auth)
> > #
> > ppp     auth requisite          pam_authtok_get.so.1
> > ppp     auth required           pam_dhkeys.so.1
> > ppp     auth required           pam_unix_cred.so.1
> > ppp     auth required           pam_unix_auth.so.1
> > ppp     auth required           pam_dial_auth.so.1
> > #
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other   auth requisite          pam_authtok_get.so.1
> > other   auth required           pam_dhkeys.so.1
> > other   auth required           pam_unix_cred.so.1
> > other   auth required           pam_unix_auth.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd  auth required           pam_passwd_auth.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron    account required        pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other   account requisite       pam_roles.so.1
> > other   account required        pam_unix_account.so.1
> > #
> > # Default definition for Session management
> > # Used when service name is not explicitly mentioned for session management
> > #
> > other   session required        pam_unix_session.so.1
> > #
> > # Default definition for  Password management
> > # Used when service name is not explicitly mentioned for password management
> > #
> > other   password required       pam_dhkeys.so.1
> > other   password requisite      pam_authtok_get.so.1
> > other   password requisite      pam_authtok_check.so.1
> > other   password required       pam_authtok_store.so.1
> > #
> > # Support for Kerberos V5 authentication and example configurations can
> > # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> > #
> >
> > # dtlogin settings added by /usr/bin/smartcard
> > dtlogin auth requisite          pam_smartcard.so.1
> > dtlogin auth requisite          pam_authtok_get.so.1
> > dtlogin auth required           pam_dhkeys.so.1
> > dtlogin auth required           pam_unix_cred.so.1
> > dtlogin auth required           pam_unix_auth.so.1
> >
> > # dtsession settings added by /usr/bin/smartcard
> > dtsession       auth requisite          pam_smartcard.so.1
> > dtsession       auth requisite          pam_authtok_get.so.1
> > dtsession       auth required           pam_dhkeys.so.1
> > dtsession       auth required           pam_unix_cred.so.1
> > dtsession       auth required           pam_unix_auth.so.1
> >
> > # xlock settings added by /usr/bin/smartcard
> > xlock   auth requisite          pam_smartcard.so.1
> > xlock   auth requisite          pam_authtok_get.so.1
> > xlock   auth required           pam_dhkeys.so.1
> > xlock   auth required           pam_unix_cred.so.1
> > xlock   auth required           pam_unix_auth.so.1
> > # added to xscreensaver by SunRay Server Software -- xscreensaver
> > xscreensaver    auth requisite          pam_smartcard.so.1
> > xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> > xscreensaver auth requisite pam_authtok_get.so.1
> > xscreensaver auth required pam_dhkeys.so.1
> > xscreensaver auth required pam_unix_cred.so.1
> > xscreensaver auth required pam_unix_auth.so.1
> > xscreensaver account requisite pam_roles.so.1
> > xscreensaver account required pam_unix_account.so.1
> > xscreensaver session required pam_unix_session.so.1
> > xscreensaver password required pam_dhkeys.so.1
> > xscreensaver password requisite pam_authtok_get.so.1
> > xscreensaver password requisite pam_authtok_check.so.1
> > xscreensaver password required pam_authtok_store.so.1
> > # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> > dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> > dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> > dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> > dtlogin-SunRay auth requisite pam_authtok_get.so.1
> > dtlogin-SunRay auth required pam_dhkeys.so.1
> > dtlogin-SunRay auth required pam_unix_cred.so.1
> > dtlogin-SunRay auth required pam_unix_auth.so.1
> > dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> > dtlogin-SunRay account requisite pam_roles.so.1
> > dtlogin-SunRay account required pam_unix_account.so.1
> > # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> > dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> > dtsession-SunRay auth requisite pam_authtok_get.so.1
> > dtsession-SunRay auth required pam_dhkeys.so.1
> > dtsession-SunRay auth required pam_unix_cred.so.1
> > dtsession-SunRay auth required pam_unix_auth.so.1
> > # added to utnsclogin by SunRay Server Software -- utnsclogin
> > utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > utnsclogin auth requisite pam_authtok_get.so.1
> > utnsclogin auth required pam_dhkeys.so.1
> > utnsclogin auth required pam_unix_cred.so.1
> > utnsclogin auth required pam_unix_auth.so.1
> > # added to utadmingui by SunRay Server Software -- utadmingui
> > utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
> > # added to utgulogin by SunRay Server Software -- utgulogin
> > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
> > utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> > utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> >
> >
> >> Are you intentionally trying to use some sort of additional
> >> smartcard-based authentication for your Sun Ray logins?
> >>
> >
> > What do you mean by additional smartcard-based authentication?
> >
> > I only use smartcard-based authentication with PIN on the server (ocfserv
> > daemon), but I think this is only a local configuration with the smartcard
> > reader in the server and the local dtlogin, or is it not?
> >
> >
> >> OttoM.
> >> __
> >> ottomeister
> >>
> >> Disclaimer: These are my opinions.  I do not speak for my employer.
> >> _______________________________________________
> >> SunRay-Users mailing list
> >> [email protected]
> >> http://www.filibeto.org/mailman/listinfo/sunray-users
> >>
> >
