Re: [opensc-commits] svn pam_pkcs11 changed [81] pam_sm_authenticate(): fail if the user is remote (XMDCP) [u]

Re: [opensc-commits] svn pam_pkcs11 changed [81] pam_sm_authenticate(): fail if the user is remote (XMDCP) [u]

Andreas Jellinghaus-2
Why?

I think it would be nice if I could run a test application in my xterm to
see if pam_pkcs11 works or not. To have environment-dependent tests in it
looks strange to me.

Also I wonder: what about kdm/gdm/wdm/..., why shouldn't they work with
pam_pkcs11? They can handle additional output well (I was surprised they
work fine with pam_opensc, so they might work as well with pam_pkcs11?).

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Re: Re: [opensc-commits] svn pam_pkcs11 changed [81] pam_sm_authenticate(): fail if the user is remote (XMDCP) [u]

Ludovic Rousseau
On 06/07/05, Andreas Jellinghaus [c] <[hidden email]> wrote:
> Why?

User Joe is using host A and starts an X11 server on his machine.
Host B is running gdm/kdm/xdm/etc. and accepts XDMCP requests (XDMCP
is often disabled by default. Have a look at your /etc/gdm/gdm.conf
file).

Joe uses XDMCP [1] to use the gdm/kdm/xdm/etc. from host B.
gdm proposes an XDMCP query option, or you can start the X server using
something like 'X -broadcast' or 'X -query hostB'.

The problem is that X11 (and XDMCP) redirects the mouse, the keyboard
and the display but not the smart card connections. So the PAM module
will get the password from host A (redirected through X11) but will try
to use a local PKCS#11 (on host B).

So the user is on host A but the PAM module will use the smart card on
host B. What is missing is a smart card redirection. I may implement
such a redirection in the future, but I first wanted to avoid possible
problems.

> I think it would be nice if I could run a test application in my xterm to
> see if pam_pkcs11 works or not. To have environment-dependent tests in it
> looks strange to me.

The Debian package libpam0g-dev contains a very good test tool in
/usr/share/doc/libpam0g-dev/examples/blank.c.gz
It uses the /etc/pam.d/blank configuration file and is very useful to test
a PAM module.

> Also I wonder: what about kdm/gdm/wdm/..., why shouldn't they work with
> pam_pkcs11? They can handle additional output well (I was surprised they
> work fine with pam_opensc, so they might work as well with pam_pkcs11?).

They work with pam_pkcs11.  The problem is not with kdm/gdm/xdm/etc.
but with a remote X11 login session.

It is possible that my test is too simple and will reject local login.
Just file a bug in such a case.

Bye,

[1] http://www.tldp.org/HOWTO/XDMCP-HOWTO/

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
Re: Re: [opensc-commits] svn pam_pkcs11 changed [81] pam_sm_authenticate(): fail if the user is remote (XMDCP) [u]

Andreas Jellinghaus-2
I think such code is not a good idea.
People can shoot themselves in the foot,
there is no way to prevent it.

Much better would be some documentation
on X11.

On Wednesday 06 July 2005 08:51, Ludovic Rousseau wrote:

> So the user is on host A but the PAM module will use the smart card on
> host B. What is missing is a smart card redirection.

Openct can do that.

> > I think it would be nice if I could run a test application in my xterm to
> > see if pam_pkcs11 works or not. to have environment dependend tests in it
> > looks strange to me.
>
> The Debian package libpam0g-dev contains a very good test tool in
> /usr/share/doc/libpam0g-dev/examples/blank.c.gz
> It uses the /etc/pam.d/blank configuration file and is very useful to test
> a PAM module.

Yes, and if my display is set to localhost:0 it will not work in an
xterm.

> They work with pam_pkcs11.  The problem is not with kdm/gdm/xdm/etc.
> but with a remote X11 login session.
>
> It is possible that my test is too simple and will reject local login.
> Just file a bug in such a case.

If I have openct set up to use a remote reader, pam_pkcs11 should work.

Also, there is nothing wrong with using an X terminal plus a smart card
plugged into the terminal server. OK, quite an ugly hack, but if
people want to do that: why should we stop them?

I'm sure you have good intentions, but code like this often causes
problems, as you can't foresee how people will use it. My suggestion
is to remove any such check and instead write some documentation
about the issue.

Regards, Andreas
Re: Re: [opensc-commits] svn pam_pkcs11 changed [81] pam_sm_authenticate(): fail if the user is remote (XMDCP) [u]

Ludovic Rousseau
On 06/07/05, Andreas Jellinghaus [c] <[hidden email]> wrote:
> I think such code is not a good idea.
> People can shoot themselves in the foot,
> there is no way to prevent it.

What do you call "shoot themselves in the foot" in this precise case?

>> What is missing is a smart card redirection.
>
> Openct can do that.

I need to have a look at the code then. Do you have a pointer to some
documentation? The solution should also work with PC/SC.

> Yes, and if my display is set to localhost:0 it will not work in an
> xterm.

As I said the test is simple. I have not yet seen gdm used
"localhost:0" instead of ":0". I do not want to fight against a hacker
:-) but keep the test simple.

> If I have openct set up to use a remote reader, pam_pkcs11 should work.

I don't know how the openct redirection works. Is it possible to
configure it dynamically after parsing the DISPLAY environment
variable? The host to redirect to is not known until the user starts
the login.

> Also, there is nothing wrong with using an X terminal plus a smart card
> plugged into the terminal server. OK, quite an ugly hack, but if
> people want to do that: why should we stop them?

If they know what they do they can change the code and comment the
test. The test could also depend on a configuration option but I don't
see the use case of using a smart card in a remote login if the card
is on the server.

> I'm sure you have good intentions, but code like this often causes
> problems, as you can't foresee how people will use it. My suggestion
> is to remove any such check and instead write some documentation
> about the issue.

My intention was to not block a card (after 3 wrong PINs) possibly
inserted on the server.
I think a normal user will expect the login PAM to use the card
inserted locally and not the card on the server. Normal users do not
read documentation...

The rejection is logged so the admin should know what he wants to do
next: disable the test code or implement a smart card redirection.


Also note that AFAIK X11 messages are not protected when sent over the
network. So the PIN code entered by the user on the keyboard will be
sent from host A to host B in the clear. The use of a type-2 reader with a
PINPAD makes sense here. The smart card redirection should also be
protected.

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
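As an added illustration (not pam_pkcs11's own code, and not from either poster), here is a standalone C version of the kind of DISPLAY check discussed in this thread: X11 forwards the keyboard and the display but not the card, so a PAM module that sees a non-local DISPLAY is about to use a reader on the wrong host. It also folds in the two points raised in this post, a configuration option to disable the test and a logged reason for each rejection, and it shows where the thread's simple ":0"-only test differs from one that knows about "localhost:0". The `remote_policy` struct, its two fields, and all function names are assumptions made for this example; the sample DISPLAY values in `main` are constructed.

```c
/* Added example, not pam_pkcs11 code: classify DISPLAY and decide whether a
 * PKCS#11 login should be refused because the X11 session is remote. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum display_kind { DISPLAY_NONE, DISPLAY_LOCAL, DISPLAY_LOOPBACK, DISPLAY_REMOTE };

/* Compare the host part of DISPLAY (not NUL-terminated) with a name. */
static int host_equals(const char *host, size_t host_len, const char *name)
{
    return host_len == strlen(name) && memcmp(host, name, host_len) == 0;
}

/* Classify a DISPLAY value:
 *   NULL or ""        -> DISPLAY_NONE     (console login, ssh, the blank.c test tool)
 *   ":0", ":1.0"      -> DISPLAY_LOCAL    (Unix socket; what gdm/kdm/xdm set locally)
 *   "unix:0"          -> DISPLAY_LOCAL
 *   "localhost:0"     -> DISPLAY_LOOPBACK (TCP, but still this host)
 *   "127.0.0.1:0"     -> DISPLAY_LOOPBACK
 *   anything else     -> DISPLAY_REMOTE   (e.g. "hostA:0" from an XDMCP session;
 *                                          a malformed value also fails closed) */
enum display_kind classify_display(const char *display)
{
    if (display == NULL || display[0] == '\0')
        return DISPLAY_NONE;
    if (display[0] == ':')
        return DISPLAY_LOCAL;

    const char *colon = strchr(display, ':');
    if (colon == NULL)
        return DISPLAY_REMOTE;
    size_t host_len = (size_t)(colon - display);

    if (host_equals(display, host_len, "unix"))
        return DISPLAY_LOCAL;
    if (host_equals(display, host_len, "localhost") ||
        host_equals(display, host_len, "127.0.0.1"))
        return DISPLAY_LOOPBACK;
    return DISPLAY_REMOTE;
}

/* Hypothetical configuration knobs (assumptions for this example). */
struct remote_policy {
    int check_remote;    /* 0 turns the whole test off, as the thread asks for */
    int allow_loopback;  /* accept "localhost:0"; the ":0"-only test would not */
};

/* Returns 1 if authentication should be refused, 0 if it may proceed.
 * `reason` receives a one-line explanation suitable for syslog(). */
int refuse_remote_display(const struct remote_policy *p, const char *display,
                          char *reason, size_t len)
{
    const char *shown = display ? display : "(unset)";
    enum display_kind kind = classify_display(display);

    if (!p->check_remote) {
        snprintf(reason, len, "remote-display check disabled by configuration");
        return 0;
    }
    if (kind == DISPLAY_NONE || kind == DISPLAY_LOCAL ||
        (kind == DISPLAY_LOOPBACK && p->allow_loopback)) {
        snprintf(reason, len, "DISPLAY=%s accepted as local", shown);
        return 0;
    }
    snprintf(reason, len,
             "refusing PKCS#11 login for DISPLAY=%s: X11 forwards keyboard and "
             "display but not the smart card, so the reader on this host is not "
             "the user's", shown);
    return 1;
}

/* Convenience wrapper with plain-int policy flags; the reason text is discarded. */
int remote_display_decision(int check_remote, int allow_loopback, const char *display)
{
    struct remote_policy p = { check_remote, allow_loopback };
    char reason[256];
    return refuse_remote_display(&p, display, reason, sizeof reason);
}

int main(void)
{
    /* Constructed sample DISPLAY values covering the cases raised in the thread. */
    const char *samples[] = { NULL, ":0", "localhost:0", "myhostname:0", "hostA:0" };
    struct remote_policy strict = { 1, 0 };
    char reason[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int refused = refuse_remote_display(&strict, samples[i], reason, sizeof reason);
        printf("%-14s -> %s (%s)\n", samples[i] ? samples[i] : "(unset)",
               refused ? "REFUSE" : "allow", reason);
    }
    return 0;
}
```

With the strict policy, "myhostname:0" is refused even when it names the machine the module runs on, which is exactly the scenario Andreas objects to; that is the trade-off of deciding from DISPLAY alone, and why the disable option and the logged reason matter.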
Re: Re: [opensc-commits] svn pam_pkcs11 changed [81] pam_sm_authenticate(): fail if the user is remote (XMDCP) [u]

Andreas Jellinghaus-2
On Wednesday 06 July 2005 11:55, Ludovic Rousseau wrote:
> What do you call "shoot themselves in the foot" in this precise case?
Using pam_pkcs11 without openct remote readers. It won't work.
But I don't see why it is bad: it might fail, sure, but there
is no security risk and no big problem.

Some code that prevents doing that however is a problem, as there
are three legal scenarios that are no longer possible:
 - remote readers with openct
 - a long USB extension cord.
 - a test app in my xterm with "localhost:0" as DISPLAY.
   (or "myhostname:0". or even "warez.linux.de:0").

> I need to have a look at the code then. Do you have a pointer to some
> documentation? The solution should also work with PC/SC.
<shame on me> didn't try so far. But Priit sent in patches
last winter, so I guess it works now.
http://www.opensc.org/openct/wiki/RemoteAccess

It will work if you use openct as reader in pcscd, too.
At least I think. Completely untested....

> I don't know how the openct redirection works. Is it possible to
> configure it dynamically after parsing the DISPLAY environment
> variable? The host to redirect to is not known until the user starts
> the login.

No, openct redirection simply gives you a reader on a machine that has none.
If you try to use it, a connection to the remote machine is established
and data is sent back and forth. No encryption, but you could use stunnel
or ssh tunnels (untested). openct doesn't know anything about X11 and
DISPLAY (and I think that is a good thing).

> If they know what they do they can change the code and comment the
> test.

But that requires people to edit and recompile the source code,
and would rule out everyone who simply tries to use the packages
provided by his distribution.

> The test could also depend on a configuration option but I don't
> see the use case of using a smart card in a remote login if the card
> is on the server.

What is wrong with not testing at all, or only a warning?

Maybe I ran far too often into similar code by trying unnatural things,
and almost every time it cost me a _lot_ of time to find, track down and
fix the problem. That's why I'm so opposed to the whole idea of having
such code. But if you really want that code, and add an option to disable
it for hackers, that is OK, too.

> My intention was to not block a card (after 3 wrong PINs) possibly
> inserted on the server.

I don't see how that could happen often. People usually don't leave
cards plugged in somewhere, but only insert them when needed. Or
leave them in a reader, but some app like ssh agent or mozilla
grabbed the card and uses it (I hope they do lock the card - not
100% sure, but I hope).

Andreas