Looking for a solution for Linux Smart Card Login


Looking for a solution for Linux Smart Card Login

Rodney Sullivan

I’m developing a software system with some uncommon login requirements, and I’m wondering if anyone here can help me find a solution.


My system will require shift-based users to login to a common Red Hat Enterprise Linux workstation using Smart Cards. The workstation will remain active as long as the card is in the reader. If the card is removed from the reader, the workstation will lock. When the next user arrives for the next shift, he or she will insert his or her card into the card reader, unlocking the workstation and giving the user access to the same session used by the previous user.


Because users share a session from one shift to the next, I suspect that users will share a common set of login credentials, encoded on each user’s Smart Card. However, the system must log the identity of the last person who unlocked the workstation, for security auditing purposes, so the system must be able to automatically read a card number, or some other ID information from the card in addition to the login credentials.


Some additional requirements:

- If the card reader is removed from the workstation, the workstation will lock.

- Ideally, when the workstation is locked, the screen will still update, so that neighbouring users can still see status updates on the locked workstation screen (something like xtrlock or alock). This is a “nice-to-have” feature, not a required feature.  


Please let me know if you have any thoughts on a potential solution. Although I have development capability in-house, I would prefer a COTS solution that just took care of everything for me, if such a solution even exists.


Best regards,

Rodney


_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
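
As an added illustration of the requirements in the post above (example code written for this page, not from the thread, OpenSC or pam_pkcs11): a POSIX shell watcher that polls the reader with OpenSC's command-line tools, locks the display with xtrlock when the card is pulled, releases the lock when a card is inserted again, and writes the inserted token's serial number to syslog so the shared session still has a record of who unlocked it. It assumes `opensc-tool --list-readers` and `pkcs11-tool --list-token-slots` print the reader table and the `serial num :` field in the layout shown in the comments (the layout as I recall it; the command names can be overridden through environment variables), that `logger` and `xtrlock` are installed, and that the card serial is the identifier the site chooses to audit. The function names and the `cardwatch` syslog tag are my own.

```shell
#!/bin/sh
# Constructed example: card-presence watcher for a shared shift workstation.
# Not code from the thread, OpenSC or pam_pkcs11. Assumes OpenSC's opensc-tool
# and pkcs11-tool, logger(1) and a screen locker such as xtrlock are installed.

LIST_READERS="${LIST_READERS:-opensc-tool --list-readers}"
LIST_TOKENS="${LIST_TOKENS:-pkcs11-tool --list-token-slots}"
LOCK_CMD="${LOCK_CMD:-xtrlock}"      # xtrlock grabs input but leaves windows visible
POLL_SECONDS="${POLL_SECONDS:-1}"

# card_present: read the reader table on stdin; succeed only if some reader
# row reports a card. If the tool printed nothing (reader unplugged, pcscd
# down) nothing matches, which fails closed and locks the screen. Expected
# layout (as assumed from opensc-tool --list-readers):
#   # Detected readers (pcsc)
#   Nr.  Card  Features  Name
#   0    Yes             <reader name>
card_present() {
    awk 'BEGIN { missing = 1 }
         /^#/ || /^Nr\./ { next }
         $2 == "Yes" { missing = 0 }
         END { exit missing }'
}

# token_serial: read pkcs11-tool token listing on stdin and print the value of
# the first "serial num : ..." line (empty output if there is none).
token_serial() {
    awk '/^[[:space:]]*serial num[[:space:]]*:/ {
             sub(/^[^:]*:[[:space:]]*/, "")
             sub(/[[:space:]]*$/, "")
             print; exit
         }'
}

# audit_line: the syslog record for an unlock, kept as a pure function so the
# wording can be checked without a syslog daemon.
audit_line() {
    printf 'smartcard-unlock serial=%s session_user=%s' "$1" "$2"
}

# watch_loop: poll the reader and act only on state transitions. Starting
# from "unknown" means a present card at startup is audited like any other
# unlock, and an absent card at startup locks the display immediately.
watch_loop() {
    state=unknown
    lock_pid=""
    while :; do
        if $LIST_READERS 2>/dev/null | card_present; then
            if [ "$state" != present ]; then
                serial=$($LIST_TOKENS 2>/dev/null | token_serial)
                logger -p auth.notice -t cardwatch \
                    "$(audit_line "${serial:-unknown}" "$(id -un)")"
                # Ending the xtrlock process releases its input grab.
                [ -n "$lock_pid" ] && kill "$lock_pid" 2>/dev/null
                lock_pid=""
                state=present
            fi
        elif [ "$state" != absent ]; then
            $LOCK_CMD &
            lock_pid=$!
            state=absent
        fi
        sleep "$POLL_SECONDS"
    done
}

# Run the loop only when invoked as: cardwatch.sh --watch
case "${1:-}" in
    --watch) watch_loop ;;
esac
```

Run it from the X session as `sh cardwatch.sh --watch` and search syslog for the `cardwatch` tag to see the unlock records. Because xtrlock does not blank the display, neighbouring users still see status updates on the locked screen, which covers the "nice-to-have" point; the lock is only as strong as the watcher process, so it should be started by the session and, on a hardened deployment, the PAM-level locking the Gooze tutorial describes is the better-tested path. If each user later gets an individual account, the serial-to-person lookup this script leaves to the auditor becomes the PAM mapper's job instead.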

Re: Looking for a solution for Linux Smart Card Login

Jean-Michel Pouré - GOOZE
On Friday 21 January 2011 at 13:22 -0400, Rodney Sullivan wrote:
> My system will require shift-based users to login to a common Red Hat
> Enterprise Linux workstation using Smart Cards. The workstation will
> remain active as long as the card is in the reader. If the card is
> removed from the reader, the workstation will lock. When the next user
> arrives for the next shift, he or she will insert his or her card into
> the card reader, unlocking the workstation and giving the user access
> to the same session used by the previous user.

You may read about the screen locking features of PAM PKCS11:
http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-pkcs11/gnome-smartcard-screen-locking

> Because users share a session from one shift to the next, I suspect
> that users will share a common set of login credentials, encoded on
> each user’s Smart Card. However, the system must log the identity of
> the last person who unlocked the workstation, for security auditing
> purposes, so the system must be able to automatically read a card
> number, or some other ID information from the card in addition to the
> login credentials.

It is always safer to have one Unix account for each user.
Users should belong to groups, giving them privileges.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Looking for a solution for Linux Smart Card Login

Rodney Sullivan
Thank you for the links to Gooze. Unfortunately, many of their offerings are not available in Canada. However, I will still be able to benefit from their tutorials, like the one you sent.

As for your comment on user accounts, I tend to agree that each user should have his or her own account. I am working under some constraints from the customer, however. The current vision is to have shared accounts, but this may change in the end.

Best regards,
Rodney

