On 8/7/06, ottomeister <[EMAIL PROTECTED]> wrote:
> On 8/7/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote:
> > > Bob Doolittle wrote:
> > > What are you hoping to accomplish by using [pam_smartcard.so] with Sun Ray?
> >
> > This is not my aim.
> > I want you to have to authenticate with a smartcard and PIN on the server
> > with its local built-in smartcard reader, independent of the authentication
> > policies for Sun Ray login.
> > It should protect the access to the server login.
> >
> > I do not want to use OCF in connection with Sun Ray authentication.
> >
> > Is there a way to use the local server authentication with smartcard and PIN
> > without affecting the Sun Ray configuration?
> 
> That's what the 'dtlogin-SunRay' and 'dtsession-SunRay' entries
> in pam.conf are supposed to achieve.  They were invented so that
> Sun Ray could have its own PAM definitions separate from the
> normal 'dtlogin' and 'dtsession' entries ('dtsession' is the CDE
> screen lock).  Your  'dtlogin-SunRay' and 'dtsession-SunRay'
> entries look good to me, so I can't explain why the CDE screen
> lock misbehaves.  Please make sure that /etc/dt/config/Xconfig
> on this system contains the line:
> 
>   Dtlogin.validPAMclasses: SunRay

This line is in the file.

> 
> although it's almost certain that that line is correct, otherwise you
> would not have been able to log in through a Sun Ray.
> 
> To get more information please create a file named /etc/pam_debug
> containing the line:
> 
>   debug_flags=7
> 
> This will cause PAM to emit syslog messages with a facility.priority
> class of auth.debug.  You can edit your syslog.conf to deliver that
> class of messages to some convenient file.  (Or you can tell PAM to
> emit messages with some other facility and priority value by putting
> "log_priority=<P>" and "log_facility=<F>" lines into /etc/pam_debug,
> where <P> is a numeric priority value (0-7) and <F> is a numeric
> facility value (0-23) taken from /usr/include/sys/syslog.h.)  You might
> have to log out and log back in after making these changes in order
> to get them noticed and put into effect.

I will give this a try, but temporarily I have to disable local smartcard
login on the server to allow the users to hot-desk with their smartcards on
the Sun Rays.


Bob Doolittle wrote:
> > Jan Rottkamp wrote:
> > Is there a way to use the local server authentication with smartcard and PIN
> > without affecting the Sun Ray configuration?
> >
> 
> Only with third-party software.  pam_smartcard.so is obsolete and does not
> work with any smartcards currently supported or available from Sun.
> 
> ActiveCard (http://www.actividentity.com/en/index.php) is one commercial
> smartcard-authentication solution which is supported on Sun Ray.


The single use of pam_smartcard.so on the server (with Sun smartcards) works
without problems. 

Only the use with Sun Ray on the same server causes problems with
smartcard-authentication.



Thank you both for your help,
Jan



> 
> 'xscreensaver' and 'xlock' do not know how to run a separate
> set of PAM entries for a Sun Ray session so they're always going
> to run the same entries for Sun Ray as they do everywhere else.
> If pam_smartcard is one of those entries then that will always
> cause trouble because, I think, pam_smartcard will always cause
> authentication to fail.  It should be possible to "wrap" pam_smartcard.so
> with another module in such a way that it does not cause a PAM
> failure for non-console sessions but I don't have such a module
> lying around.
> 
> OttoM.
> __
> ottomeister
> 
> Disclaimer: These are my opinions.  I do not speak for my employer.
> 
> 
> > > Jan Rottkamp wrote:
> > > >> On 8/6/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote:
> > > >>
> > > >>> When using Gnome as GUI, a white screen appears on the monitor with the
> > > >>> following output:
> > > >>> Enter password to unlock; select icon to lock.
> > > >>>
> > > >> This is the 'xlock' program.  SRSS uses 'xlock' to lock your screen
> > > >> when 'xscreensaver' is unable to lock it.
> > > >>
> > > >>
> > > >>> And nothing happens.
> > > >>>
> > > >>> When using CDE as GUI, after the user inserts the smartcard, the CDE dialog
> > > >>> appears to unlock the locked screen with the user's password, but no
> > > >>> password will be accepted and nothing happens.
> > > >>>
> > > >> [snip]
> > > >>
> > > >>> In the system log I find at this time the line (it is a German system):
> > > >>>
> > > >>> Aug  7 01:20:12 picasso xlock[15300]: [ID 112702 auth.error] pam_smartcard: Unexpected error from SCF_Session_getTerminal: Unbekannter Terminalname
> > > >>> (unknown terminal name)
> > > >>>
> > > >> It looks like the PAM configuration on this machine is broken.
> > > >> Please post the contents of /etc/pam.conf from this system.
> > > >>
> > > >>
> > > >
> > > > Here is the /etc/pam.conf
> > > >
> > > > #
> > > > #ident  "@(#)pam.conf   1.28    04/04/21 SMI"
> > > > #
> > > > # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> > > > # Use is subject to license terms.
> > > > #
> > > > # PAM configuration
> > > > #
> > > > # Unless explicitly defined, all services use the modules
> > > > # defined in the "other" section.
> > > > #
> > > > # Modules are defined with relative pathnames, i.e., they are
> > > > # relative to /usr/lib/security/$ISA. Absolute path names, as
> > > > # present in this file in previous releases are still acceptable.
> > > > #
> > > > # Authentication management
> > > > #
> > > > # login service (explicit because of pam_dial_auth)
> > > > #
> > > > login   auth requisite          pam_authtok_get.so.1
> > > > login   auth required           pam_dhkeys.so.1
> > > > login   auth required           pam_unix_cred.so.1
> > > > login   auth required           pam_unix_auth.so.1
> > > > login   auth required           pam_dial_auth.so.1
> > > > #
> > > > # rlogin service (explicit because of pam_rhost_auth)
> > > > #
> > > > rlogin  auth sufficient         pam_rhosts_auth.so.1
> > > > rlogin  auth requisite          pam_authtok_get.so.1
> > > > rlogin  auth required           pam_dhkeys.so.1
> > > > rlogin  auth required           pam_unix_cred.so.1
> > > > rlogin  auth required           pam_unix_auth.so.1
> > > > #
> > > > # Kerberized rlogin service
> > > > #
> > > > krlogin auth required           pam_unix_cred.so.1
> > > > krlogin auth binding            pam_krb5.so.1
> > > > krlogin auth required           pam_unix_auth.so.1
> > > > #
> > > > # rsh service (explicit because of pam_rhost_auth,
> > > > # and pam_unix_auth for meaningful pam_setcred)
> > > > #
> > > > rsh     auth sufficient         pam_rhosts_auth.so.1
> > > > rsh     auth required           pam_unix_cred.so.1
> > > > #
> > > > # Kerberized rsh service
> > > > #
> > > > krsh    auth required           pam_unix_cred.so.1
> > > > krsh    auth binding            pam_krb5.so.1
> > > > krsh    auth required           pam_unix_auth.so.1
> > > > #
> > > > # Kerberized telnet service
> > > > #
> > > > ktelnet auth required           pam_unix_cred.so.1
> > > > ktelnet auth binding            pam_krb5.so.1
> > > > ktelnet auth required           pam_unix_auth.so.1
> > > > #
> > > > # PPP service (explicit because of pam_dial_auth)
> > > > #
> > > > ppp     auth requisite          pam_authtok_get.so.1
> > > > ppp     auth required           pam_dhkeys.so.1
> > > > ppp     auth required           pam_unix_cred.so.1
> > > > ppp     auth required           pam_unix_auth.so.1
> > > > ppp     auth required           pam_dial_auth.so.1
> > > > #
> > > > # Default definitions for Authentication management
> > > > # Used when service name is not explicitly mentioned for authentication
> > > > #
> > > > other   auth requisite          pam_authtok_get.so.1
> > > > other   auth required           pam_dhkeys.so.1
> > > > other   auth required           pam_unix_cred.so.1
> > > > other   auth required           pam_unix_auth.so.1
> > > > #
> > > > # passwd command (explicit because of a different authentication module)
> > > > #
> > > > passwd  auth required           pam_passwd_auth.so.1
> > > > #
> > > > # cron service (explicit because of non-usage of pam_roles.so.1)
> > > > #
> > > > cron    account required        pam_unix_account.so.1
> > > > #
> > > > # Default definition for Account management
> > > > # Used when service name is not explicitly mentioned for account management
> > > > #
> > > > other   account requisite       pam_roles.so.1
> > > > other   account required        pam_unix_account.so.1
> > > > #
> > > > # Default definition for Session management
> > > > # Used when service name is not explicitly mentioned for session management
> > > > #
> > > > other   session required        pam_unix_session.so.1
> > > > #
> > > > # Default definition for  Password management
> > > > # Used when service name is not explicitly mentioned for password management
> > > > #
> > > > other   password required       pam_dhkeys.so.1
> > > > other   password requisite      pam_authtok_get.so.1
> > > > other   password requisite      pam_authtok_check.so.1
> > > > other   password required       pam_authtok_store.so.1
> > > > #
> > > > # Support for Kerberos V5 authentication and example configurations can
> > > > # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> > > > #
> > > >
> > > > # dtlogin settings added by /usr/bin/smartcard
> > > > dtlogin auth requisite          pam_smartcard.so.1
> > > > dtlogin auth requisite          pam_authtok_get.so.1
> > > > dtlogin auth required           pam_dhkeys.so.1
> > > > dtlogin auth required           pam_unix_cred.so.1
> > > > dtlogin auth required           pam_unix_auth.so.1
> > > >
> > > > # dtsession settings added by /usr/bin/smartcard
> > > > dtsession       auth requisite          pam_smartcard.so.1
> > > > dtsession       auth requisite          pam_authtok_get.so.1
> > > > dtsession       auth required           pam_dhkeys.so.1
> > > > dtsession       auth required           pam_unix_cred.so.1
> > > > dtsession       auth required           pam_unix_auth.so.1
> > > >
> > > > # xlock settings added by /usr/bin/smartcard
> > > > xlock   auth requisite          pam_smartcard.so.1
> > > > xlock   auth requisite          pam_authtok_get.so.1
> > > > xlock   auth required           pam_dhkeys.so.1
> > > > xlock   auth required           pam_unix_cred.so.1
> > > > xlock   auth required           pam_unix_auth.so.1
> > > > # added to xscreensaver by SunRay Server Software -- xscreensaver
> > > > xscreensaver    auth requisite          pam_smartcard.so.1
> > > > xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> > > > xscreensaver auth requisite pam_authtok_get.so.1
> > > > xscreensaver auth required pam_dhkeys.so.1
> > > > xscreensaver auth required pam_unix_cred.so.1
> > > > xscreensaver auth required pam_unix_auth.so.1
> > > > xscreensaver account requisite pam_roles.so.1
> > > > xscreensaver account required pam_unix_account.so.1
> > > > xscreensaver session required pam_unix_session.so.1
> > > > xscreensaver password required pam_dhkeys.so.1
> > > > xscreensaver password requisite pam_authtok_get.so.1
> > > > xscreensaver password requisite pam_authtok_check.so.1
> > > > xscreensaver password required pam_authtok_store.so.1
> > > > # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> > > > dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> > > > dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > > > dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > > > dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> > > > dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> > > > dtlogin-SunRay auth requisite pam_authtok_get.so.1
> > > > dtlogin-SunRay auth required pam_dhkeys.so.1
> > > > dtlogin-SunRay auth required pam_unix_cred.so.1
> > > > dtlogin-SunRay auth required pam_unix_auth.so.1
> > > > dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> > > > dtlogin-SunRay account requisite pam_roles.so.1
> > > > dtlogin-SunRay account required pam_unix_account.so.1
> > > > # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> > > > dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> > > > dtsession-SunRay auth requisite pam_authtok_get.so.1
> > > > dtsession-SunRay auth required pam_dhkeys.so.1
> > > > dtsession-SunRay auth required pam_unix_cred.so.1
> > > > dtsession-SunRay auth required pam_unix_auth.so.1
> > > > # added to utnsclogin by SunRay Server Software -- utnsclogin
> > > > utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > > > utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > > > utnsclogin auth requisite pam_authtok_get.so.1
> > > > utnsclogin auth required pam_dhkeys.so.1
> > > > utnsclogin auth required pam_unix_cred.so.1
> > > > utnsclogin auth required pam_unix_auth.so.1
> > > > # added to utadmingui by SunRay Server Software -- utadmingui
> > > > utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
> > > > # added to utgulogin by SunRay Server Software -- utgulogin
> > > > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > > > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
> > > > utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > > > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> > > > utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > > >
> > > >
> > > >> Are you intentionally trying to use some sort of additional
> > > >> smartcard-based authentication for your Sun Ray logins?
> > > >>
> > > >
> > > > What do you mean with additional smartcard-based authentication?
> > > >
> > > > I only use smartcard-based authentication with PIN on the server (ocfserv
> > > > daemon), but I think this is only a local configuration with the smartcard
> > > > reader in the server and the local dtlogin, or is it not?
> > > >
> > > >
> > > >> OttoM.
> > > >> __
> > > >> ottomeister
> > > >>
> > > >> Disclaimer: These are my opinions.  I do not speak for my employer.
> > > >> _______________________________________________
> > > >> SunRay-Users mailing list
> > > >> [email protected]
> > > >> http://www.filibeto.org/mailman/listinfo/sunray-users
> > > >>
> > > >
> > > >
> > >
> >
> >

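To make OttoM.'s point about the xlock and xscreensaver stacks concrete, here is an added example (not code from the thread, from Sun or from SRSS) that walks the auth stacks of the posted pam.conf under Solaris pam.conf control-flag rules. The per-module pass/fail results for a Sun Ray session and for the server console are assumptions chosen to match the symptoms described in the thread, not measured behaviour.

```python
# Auth stacks copied from the pam.conf posted in the thread (excerpt, comments dropped).
PAM_CONF = """
xlock   auth requisite          pam_smartcard.so.1
xlock   auth requisite          pam_authtok_get.so.1
xlock   auth required           pam_dhkeys.so.1
xlock   auth required           pam_unix_cred.so.1
xlock   auth required           pam_unix_auth.so.1
xscreensaver    auth requisite          pam_smartcard.so.1
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth required pam_unix_auth.so.1
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth required pam_unix_auth.so.1
"""

def parse_auth_stacks(conf):
    """Return {service: [(control, module basename), ...]} for the 'auth' lines."""
    stacks = {}
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "auth":
            module = fields[3].rsplit("/", 1)[-1]
            stacks.setdefault(fields[0], []).append((fields[2], module))
    return stacks

def evaluate_stack(stack, results):
    """Walk one auth stack with Solaris pam.conf control-flag rules; results: module -> bool."""
    required_failed = False
    for control, module in stack:
        ok = results.get(module, True)    # modules not listed in results succeed
        if control == "requisite" and not ok:
            return False, module      # fail and stop; later modules never run
        if control in ("required", "binding") and not ok:
            required_failed = True    # keep walking, but the stack is doomed
        elif control in ("sufficient", "binding") and ok and not required_failed:
            return True, module       # succeed and stop
    return not required_failed, None  # ran to the end; no single decisive module

def outcomes(results):
    return {svc: evaluate_stack(st, results) for svc, st in parse_auth_stacks(PAM_CONF).items()}

# Assumed Sun Ray session: pam_smartcard has no local terminal (the logged SCF error), token matches, password right.
SUNRAY_SESSION = {"pam_smartcard.so.1": False, "pam_sunray.so": True}
# Assumed server console: card and PIN accepted, no Sun Ray token present.
CONSOLE_SESSION = {"pam_smartcard.so.1": True, "pam_sunray.so": False}
```

For the Sun Ray session the xlock and xscreensaver stacks fail at the first entry, so the sufficient pam_sunray.so line in xscreensaver is never reached, while dtsession-SunRay succeeds on pam_sunray.so alone.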
