pam_pkcs11 status

Andreas Jellinghaus-2
Hi,

I tried compiling trunk so far and it works :)
more tests once I've got the opensc/openct issues
figured out.

I wonder about this:
 - add a --with-openssl or similar configure option,
   so you can point to an openssl installed in a non-standard
   place?
 - make pcsc-lite optional? (that tool wouldn't work on my
   openct+opensc setup anyway)
 - make most mappers optional? (i.e. still compile the others
   if those libraries are not installed?)

I'm primarily interested in pam_pkcs11 as replacement for pam_opensc
so we can drop it. also the openssh mapper sounds great, as I won't
need to manage two files anymore.

my 0.02 €...

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Re: pam_pkcs11 status

Ludovic Rousseau
On 12/06/05, Andreas Jellinghaus <[hidden email]> wrote:
> Hi,

Hello,

> I tried compiling trunk so far and it works :)
> more tests once I've got the opensc/openct issues
> figured out.

Good news :-)

> I wonder about this:
>  - add a --with-openssl or similar configure option,
>    so you can point to an openssl installed in a non-standard
>    place?

That should be easy

>  - make pcsc-lite optional? (that tool wouldn't work on my
>    openct+opensc setup anyway)

The card_eventmgr requires pcsc-lite. But it should be possible to
make pcsc-lite optional if some features/components are removed.

>  - make most mappers optional? (i.e. still compile the others
>    if those libraries are not installed?)

Why? Do you want to limit the dependencies on other libs, or is it something else?

> I'm primarily interested in pam_pkcs11 as replacement for pam_opensc
> so we can drop it.

Can you file 3 bugs on [1] so we don't forget to correct them?

Thanks,

[1] http://www.opensc.org/pam_pkcs11/report

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
Re: pam_pkcs11 status

Jonsy (teleline)
In reply to this post by Andreas Jellinghaus-2
On Sun, 12-06-2005 at 23:51, Andreas Jellinghaus wrote:

> Hi,
>
> I tried compiling trunk so far and it works :)
> more tests once I've got the opensc/openct issues
> figured out.
>
> I wonder about this:
>  - add a --with-openssl or similar configure option,
>    so you can point to an openssl installed in a non-standard
>    place?
Sure, you're right.

>  - make pcsc-lite optional? (that tool wouldn't work on my
>    openct+opensc setup anyway)

We currently manage two packages: pam_pkcs11 and pam_pkcs11-tools.
This implies a third one, pam_pkcs11-pcsctools. Ludovic is
currently the maintainer of the pcsc-lite related items.

>  - make most mappers optional? (i.e. still compile the others
>    if those libraries are not installed?)

Not sure what you mean: most of the mappers are just frontends
for the mapper library. Perhaps a better solution is grouping
each individual mapper into a generic one. Note that in the current
version some mappers are just subsets of the "generic mapper", and
my idea is to remove the redundant ones in the near future.

> I'm primarily interested in pam_pkcs11 as replacement
> for pam_opensc so we can drop it.

I'm about to finish support for ${HOME}/.eid/authorized_certificates.
The next task is to create an ldap mapper. My idea is the same as yours: take
your pam-opensc-ldap implementation and duplicate it in a
pkcs11-only style.

> also the openssh mapper sounds great, as I won't
> need to manage two files anymore.

Well, just done :-). Works fine for me for local login: just
extract the certificate public key from the smartcard, convert it to ssh
format and store it in .ssh/authorized_keys. Anyway, for
remote login, ssh with smartcard support is still needed.

Cheers

FYI Mandriva people told me that the upcoming version will include
pam_pkcs11 as a standard package. Great news!

Juan Antonio Martinez
--
Jonsy (teleline) <[hidden email]>
Teleline

Re: pam_pkcs11 status

Andreas Jellinghaus-2
In reply to this post by Ludovic Rousseau
On Monday 13 June 2005 09:52, Ludovic Rousseau wrote:
> >  - make most mappers optional? (i.e. still compile the others
> >    if those libraries are not installed?)
>
> Why? Do you want to limit the dependencies on other libs, or is it something
> else?

yes, make it compilable without needing to install all those libraries.

> Can you file 3 bugs on [1] so we don't forget to correct them?

sure. could you review the different options in the new ticket
form and tell me how I should reconfigure trac? unfortunately
this can't be done via the web frontend. (e.g. replace "component1,component2"
with a component list of your choice, same with version numbers
and so on...)

Andreas
Re: pam_pkcs11 status

Andreas Jellinghaus-2
In reply to this post by Jonsy (teleline)
On Monday 13 June 2005 10:10, Jonsy (teleline) wrote:
> >  - make pcsc-lite optional? (that tool wouldn't work on my
> >    openct+opensc setup anyway)
>
> We currently manages two packages: pam_pkcs11 and pam_pkcs11-tools.
> This implies a third one pam_pkcs11-pcsctools. Ludovic is
> currently the maintainer of pcsc-lite related items

From my point of view that would not need to result in a new package,
but rather: if pcsc is available, those tools would be built and installed;
if not, then not.

like opensc includes the ssl engines, but they are only built and installed
if openssl is available.

> Not sure on what you mean: most of mappers are just frontends
> for the mapper library.

let's say: I neither have nor need kerberos. why should I install
the kerberos libraries and header files, only to compile pam_pkcs11,
when it results in a mapper that I will never use?

the configure code could simply check: ah, no kerberos library available,
and then not create the kerberos mapper lib.

> I'm next to finish support of ${HOME}/.eid/authorized_certificates

ah, great. the current pam module in opensc has a big bug: it will
try a pin with every key in authorized_certificates, and thus block
a card if you have several certificates in it and enter a wrong pin.

btw: I don't know if that is possible, but it might be nice to
be able to unblock a smart card in the login module. with mobile
phones if you block the pin, you can unblock it at the "login"
dialog, and I think that is a good idea.

> FYI Mandriva people told me that incoming version will include
> pam_pkcs11 as standard package. Great news!

congratulations!

hmm, need to check if they include openct and opensc :-)

Regards, Andreas
Re: pam_pkcs11 status

Ludovic Rousseau
In reply to this post by Andreas Jellinghaus-2
On 13/06/05, Andreas Jellinghaus <[hidden email]> wrote:
> On Monday 13 June 2005 09:52, Ludovic Rousseau wrote:
> > Can you file 3 bugs on [1] so we don't forget to correct them?
>
> sure. could you review the different options in the new ticket
> form and tell me how I should reconfigure trac? unfortunately
> this can't be done via the web frontend. (e.g. replace "component1,component2"
> with a component list of your choice, same with version numbers
> and so on...)

Components:
- build/install
- mappers
- pam module
- card_eventmgr

Versions:
- 0.5.1
- subversion (?)

Any comment Jonsy?

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
Re: pam_pkcs11 status

Jonsy (teleline)
In reply to this post by Andreas Jellinghaus-2
On Mon, 13-06-2005 at 10:58, Andreas Jellinghaus wrote:

> On Monday 13 June 2005 10:10, Jonsy (teleline) wrote:
> > >  - make pcsc-lite optional? (that tool wouldn't work on my
> > >    openct+opensc setup anyway)
> >
> > We currently manages two packages: pam_pkcs11 and pam_pkcs11-tools.
> > This implies a third one pam_pkcs11-pcsctools. Ludovic is
> > currently the maintainer of pcsc-lite related items
>
> From my point of view that would not need to result in a new package,
> but rather: if pcsc is available, those tools would be built and installed;
> if not, then not.
It's OK when compiling from sources, but in order to generate .rpm
packages, I should be able to create a separate one for the pcsc-dependent
stuff.

> let's say: I neither have nor need kerberos. why should I install
> the kerberos libraries and header files, only to compile pam_pkcs11,
> when it results in a mapper that I will never use?
> the configure code could simply check: ah, no kerberos library available,
> and then not create the kerberos mapper lib.

Aside note: the actual Kerberos Principal Name support just
searches for the kpn entry in the certificate (in the same way as the ms mapper
looks for the ms universal principal name) and compares it against the
allowed ones in the mapping files. No need for any kerberos or
ADS libs (yet).
But we want to implement ldap, ADS, and PKINIT support. So you're
right: when these features get coded, we should modify the configure
options to compile only the desired mappers, or make compilation dependent
on the available libraries.

> > I'm next to finish support of ${HOME}/.eid/authorized_certificates
> ah, great. the current pam module in opensc has a big bug: it will
> try a pin with every key in authorized_certificates, and thus block
> a card if you have several certificates in it and enter a wrong pin.

well, pam_pkcs11 works in a different way: it extracts only one
certificate from the card (as specified in the configuration file)
and compares it against the authorized_certificates file. The PIN is
used to ensure that the user is allowed to use the selected certificate
(by signing a random text with the associated private key and
then verifying the signature with the public key of the selected certificate).
So the PIN is only used with the selected certificate, not with
all certificates stored in the card.

I'll study whether it is possible to unlock the card on successful login.
....

[ I've just received comment from Ludovic :-) .... ]

> Components:
> - build/install
> - mappers
> - pam module
(openssl, ldap and/or curl dependent)...

> - card_eventmgr
(pcsc-lite dependent)

- pkinit support ( kerberos dependent )
- ADS support ( ¿LDAP dependent? )

> Versions:
> - 0.5.1
> - subversion (?)
When the opensc_mapper gets finished, I plan to release a 0.5.2 version.

Cheers
Juan Antonio
--
Jonsy (teleline) <[hidden email]>
Teleline

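To make the difference between the two login strategies in this thread concrete, an added Python simulation (not pam_opensc or pam_pkcs11 code) of a card with three certificates, one PIN with a three-try counter, and a PUK. The keys are textbook RSA over Mersenne primes with no padding, which is enough to show proof of possession but is not a real signature scheme; the labels, PIN and PUK are constructed values. login_try_every_key models the pam_opensc behaviour Andreas describes (the PIN is presented once per key, so one wrong PIN on a card with several certificates blocks it), login_selected_cert models what Juan Antonio describes (match the configured certificate before any PIN is sent, then a single PIN presentation and a challenge signed on the card and verified with the certificate's public key), and Card.unblock is the phone-style PUK unblock Andreas suggests.

```python
"""Simulate the card's PIN retry counter to contrast two PAM login strategies.

Toy model, standard library only: textbook RSA over Mersenne primes (no padding),
a Card with several certificates, one PIN, a retry counter and a PUK. All values
are constructed; this is not pam_pkcs11 or pam_opensc code.
"""
import hashlib
import os

MAX_RETRIES = 3


def toy_keypair(p, q, e=65537):
    """Textbook RSA: (n, e) public, (n, d) private. Demonstration only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _digest(n, data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def verify(pub, data, sig):
    """Host side: check the card's signature with the certificate's public key."""
    n, e = pub
    return pow(sig, e, n) == _digest(n, data)


class CardBlocked(Exception):
    pass


class Card:
    def __init__(self, pin, puk, keys):
        self._pin, self._puk = pin, puk
        self._keys = keys                 # label -> (public, private)
        self.retries_left = MAX_RETRIES
        self._verified = False

    def certificates(self):
        """Public halves only, as the PAM module would read them from the card."""
        return {label: pub for label, (pub, _) in self._keys.items()}

    def verify_pin(self, pin):
        """Every wrong presentation costs one retry; at zero the card blocks."""
        if self.retries_left == 0:
            raise CardBlocked("PIN blocked, PUK required")
        if pin != self._pin:
            self.retries_left -= 1
            self._verified = False
            if self.retries_left == 0:
                raise CardBlocked("PIN blocked, PUK required")
            return False
        self.retries_left = MAX_RETRIES
        self._verified = True
        return True

    def unblock(self, puk, new_pin):
        """Phone-style unblock: a correct PUK resets the counter and sets a new PIN."""
        if puk != self._puk:
            return False
        self._pin, self.retries_left, self._verified = new_pin, MAX_RETRIES, False
        return True

    def sign(self, label, data):
        """Private-key operation, only allowed after a successful PIN verification."""
        if not self._verified:
            raise PermissionError("PIN not verified")
        n, d = self._keys[label][1]
        return pow(_digest(n, data), d, n)


def make_card(pin="1234", puk="87654321"):
    primes = {"auth": (2**127 - 1, 2**89 - 1), "sign": (2**107 - 1, 2**61 - 1),
              "encrypt": (2**521 - 1, 2**31 - 1)}
    return Card(pin, puk, {label: toy_keypair(p, q) for label, (p, q) in primes.items()})


def login_try_every_key(card, authorized, pin):
    """pam_opensc behaviour from the thread: the PIN is presented once per matching
    key, so three wrong presentations on a three-certificate card block it."""
    for label, pub in card.certificates().items():
        if pub in authorized and card.verify_pin(pin):
            return label
    return None


def login_selected_cert(card, authorized, pin, label):
    """pam_pkcs11 style: one configured certificate, matched before the PIN is sent,
    then proof of possession by signing a fresh challenge on the card."""
    pub = card.certificates()[label]
    if pub not in authorized:
        return None                       # no PIN presentation at all
    if not card.verify_pin(pin):
        return None
    challenge = os.urandom(32)
    return label if verify(pub, challenge, card.sign(label, challenge)) else None
```

With a wrong PIN, login_try_every_key exhausts the counter in one login attempt and raises CardBlocked, while login_selected_cert costs a single retry, and a certificate that is not in the authorized list never triggers a PIN presentation at all. Proof of possession is what ties the PIN to the selected certificate: a matching public key in authorized_certificates is only trusted once the card has signed a fresh challenge that verifies under it.
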