Re: [opensc-commits] Re: [PKCS#11 Pam Module] #8: support XDMCP (remote) connections


Andreas Jellinghaus-2
On Thursday 13 October 2005 10:31, PKCS#11 Pam Module wrote:
> #8: support XDMCP (remote) connections


well, we can't make XDMCP more secure. but with openct you can
have remote readers (very simple and insecure protocol).
You can tunnel that protocol via ssltunnel or ssh.
But the whole remote reader stuff is not well tested,
so feedback would be very welcome.

pam_p11 has no check for DISPLAY etc, so there shouldn't be
any issue. I'm not sure, but I hope pam_pkcs11 has a way
to disable that check. ludovic?

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Re: [opensc-commits] Re: [PKCS#11 Pam Module] #8: support XDMCP (remote) connections

Ludovic Rousseau
On 13/10/05, Andreas Jellinghaus <[hidden email]> wrote:

> On Thursday 13 October 2005 10:31, PKCS#11 Pam Module wrote:
> > #8: support XDMCP (remote) connections
>
>
> well, we can't make XDMCP more secure. but with openct you can
> have remote readers (very simple and insecure protocol).
> You can tunnel that protocol via ssltunnel or ssh.
> But the whole remote reader stuff is not well tested,
> so feedback would be very welcome.
>
> pam_p11 has no check for DISPLAY etc, so there shouldn't be
> any issue. I'm not sure, but I hope pam_pkcs11 has a way
> to disable that check. ludovic?

No way (for now) to disable the check in pam_pkcs11 except by
modifying the source code.

I agree that a common solution for XDMCP and ssh and other remote
connection systems would be great. The problem for the pam module is:
how does it know where the connection comes from?
We can use DISPLAY for XDMCP, SSH_CLIENT or SSH_CONNECTION for ssh?

I will embrace the problem... one day :-)

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
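
The origin test discussed in this thread, sketched as an added example (it is not code from pam_p11, pam_pkcs11 or either poster): it classifies a session from DISPLAY, SSH_CONNECTION and SSH_CLIENT, and covers the case where ssh X11 forwarding sets a DISPLAY that looks local. `classify_origin`, `display_is_local` and the `origin_t` values are hypothetical names; the variables are passed in as parameters because they are hints taken from the environment, not authenticated facts.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical classification, not taken from any PAM module. */
typedef enum { ORIGIN_LOCAL, ORIGIN_REMOTE_X, ORIGIN_SSH } origin_t;

static int is_set(const char *s) { return s != NULL && s[0] != '\0'; }

/* DISPLAY has the form [host]:display[.screen]. An empty host, "unix" or
 * "localhost" means the X server is on this machine. Anything else,
 * including a value with no ':' at all, is treated as remote, so
 * malformed input fails closed. */
static int display_is_local(const char *display)
{
    const char *colon = strrchr(display, ':');
    size_t hostlen;

    if (colon == NULL)
        return 0;
    hostlen = (size_t)(colon - display);
    if (hostlen == 0)
        return 1;
    if (hostlen == 4 && strncmp(display, "unix", 4) == 0)
        return 1;
    if (hostlen == 9 && strncmp(display, "localhost", 9) == 0)
        return 1;
    return 0;
}

/* The ssh variables are checked first: with X11 forwarding, sshd sets
 * DISPLAY to something like "localhost:10.0", which would otherwise be
 * mistaken for a local X session. No DISPLAY and no ssh variables is
 * treated as a local text console. */
origin_t classify_origin(const char *display, const char *ssh_connection,
                         const char *ssh_client)
{
    if (is_set(ssh_connection) || is_set(ssh_client))
        return ORIGIN_SSH;
    if (is_set(display) && !display_is_local(display))
        return ORIGIN_REMOTE_X;
    return ORIGIN_LOCAL;
}

int main(void)
{
    /* Constructed sample values (192.0.2.0/24 is a documentation range). */
    printf("%d\n", classify_origin(":0", NULL, NULL));
    printf("%d\n", classify_origin("xterm1.example.org:0", NULL, NULL));
    printf("%d\n", classify_origin("localhost:10.0",
                                   "192.0.2.7 51234 192.0.2.1 22", NULL));
    return 0;
}
```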