Re: pam_pkcs11 event manager sample configuration


Re: pam_pkcs11 event manager sample configuration

Jonsy (teleline)
On Wed, 18-06-2008 at 23:29 +0200, Michael Grünewald wrote:
> Hello,
> during work for a seminar about smartcards and linux I found pam_pkcs11,
> which works really nice. But I think there is a major security issue in the
> card_eventmgr/pkcs11_cardmgr configuration samples. The screensaver is
> unlocked regardless of the card inserted. When someone locked the screen by
> removing the smartcard, I could easily place my own in the reader and unlock
> the workstation. Is there an error in reasoning on my side or am I right?

You're right: it's a (serious) bug. The lock manager should ask PAM
to ensure that the provided card id matches the logged-in user session.

I'm not actually the maintainer of pam_pkcs11. So I'll forward your
question to opensc development mailing list.

Regards
Juan Antonio

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: pam_pkcs11 event manager sample configuration

Ludovic Rousseau
Hello Michael,

On Thu, Jun 19, 2008 at 5:08 PM, Juan Antonio Martinez
<[hidden email]> wrote:
> On Wed, 18-06-2008 at 23:29 +0200, Michael Grünewald wrote:
>> Hello,
>> during work for a seminar about smartcards and linux I found pam_pkcs11,
>> which works really nice. But I think there is a major security issue in the
>> card_eventmgr/pkcs11_cardmgr configuration samples. The screensaver is
>> unlocked regardless of the card inserted. When someone locked the screen by
>> removing the smartcard, I could easily place my own in the reader and unlock
>> the workstation. Is there an error in reasoning on my side or am I right?

Have you configured the screen saver to use pam_pkcs11 to unlock,
as described in [1]?

> You're right: it's a (serious) bug. lock manager should ask pam
> to ensure that provided card id matches logged user session
>
> I'm not actually the maintainer of pam_pkcs11. So I'll forward your
> question to opensc development mailing list.

Thanks for the forward Juan Antonio.

Regards,

[1] http://www.opensc-project.org/doc/pam_pkcs11/pam_pkcs11.html#id2525931

--
 Dr. Ludovic Rousseau
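Added illustration (editor's example, not the project's sample files and not configuration posted by anyone in this thread) of how the pieces discussed above fit together. The event manager cannot tell whose card was inserted; it only pokes the screen saver. The identity check Juan Antonio asks for belongs in the screen saver's PAM stack, where pam_pkcs11 maps the certificate on the inserted card to a login name and fails unless that name is the user PAM is authenticating, i.e. the session owner. File paths, the PKCS#11 module path and the mapper choices are assumptions for a typical OpenSC install; the `null` mapper with `default_match = true` is shown as the weak setting that accepts any card, next to the strict form.

```conf
# --- /etc/pam_pkcs11/pkcs11_eventmgr.conf (illustrative excerpt) ---
# The event manager does not authenticate anything: on card insertion it
# only wakes the screen saver, whose unlock dialog must then run PAM.
pkcs11_eventmgr {
    daemon = true;
    polling_time = 1;
    pkcs11_module = /usr/lib/opensc-pkcs11.so;   # assumed module path

    event card_insert {
        on_error = ignore;
        # Brings up the unlock dialog; it does not unlock by itself.
        action = "/usr/bin/xscreensaver-command -deactivate";
    }
    event card_remove {
        on_error = ignore;
        action = "/usr/bin/xscreensaver-command -lock";
    }
}

# --- /etc/pam.d/xscreensaver (illustrative) ---
# The screen saver authenticates the session owner through PAM, so
# pam_pkcs11 is asked "does this card belong to <session user>?",
# not merely "is some card present?".
auth    sufficient  pam_pkcs11.so
auth    required    pam_unix.so

# --- /etc/pam_pkcs11/pam_pkcs11.conf (illustrative excerpt) ---
pam_pkcs11 {
    nullok = false;
    card_only = false;
    use_pkcs11_module = opensc;

    pkcs11_module opensc {
        module = /usr/lib/opensc-pkcs11.so;      # assumed module path
        ca_dir = /etc/pam_pkcs11/cacerts;
        crl_dir = /etc/pam_pkcs11/crls;
        # Require a chain to a trusted CA and a signature made with the
        # card's private key; without this any certificate carrying the
        # right subject name would be accepted.
        cert_policy = ca,signature;
    }

    # WEAK (do not use): a null mapper with default_match = true maps
    # every certificate to whichever user is being authenticated, so any
    # card unlocks any session, which is the behaviour reported above.
    # use_mappers = null;
    # mapper null {
    #     module = internal;
    #     default_match = true;
    # }

    # STRICT: derive the login name from the certificate with a real
    # mapper, then fall through to a null mapper that never matches.
    use_mappers = pwent, null;
    mapper pwent {
        module = internal;
        # Matches the certificate CN against the password-database entry
        # of the user PAM is authenticating (assumed mapper semantics).
    }
    mapper null {
        module = internal;
        default_match = false;
    }
}
```

With the strict mapper list, a card whose certificate maps to a different login, or to no login at all, fails `pam_pkcs11.so`, and the stack falls back to `pam_unix.so`, which still wants the session owner's password.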