pinpad with pam authentication


pinpad with pam authentication

Johannes Becker-5
Hello,

I got pam_pkcs11 working. If I use the card reader's pin pad, there
is still a prompt to enter the PIN. No matter what you enter,
after 'return' the pinpad awakes and you can enter the PIN there.

This is confusing behaviour, especially if you have a graphical login
with gdm or kdm.

How do I get rid of this prompt?


--
Regards
  Johannes


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: pinpad with pam authentication

Eddy Nigg (StartCom Ltd.)
Hi Johannes,

It requires modification of gdm/kdm, something we intend to suggest/propose/modify in the future.

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Pinpad again

Johannes Becker-5
Eddy Nigg (StartCom Ltd.) wrote:
> It requires modification of g/kdm, something we intend to
> suggest/propose/modify in the future.
>  
I guess you wouldn't have to modify gdm/kdm. My pinpad beeps and blinks
as soon as the system asks for the PIN. So it would be nice to have no
prompt for a keyboard action at all.
I get the unnecessary prompts in at least 3 different cases:

1. Authentication with pam_pkcs11.so
2. Using Mozilla Firefox
3. Sign with pkcs15-crypt

Of course I can live with that while testing,
but it's impossible to explain how to use the
pinpad in this way to several thousand students here...


Regards
  Johannes

Re: Pinpad again

Martin Paljak-2

On 16.11.2006, at 11:01, Johannes Becker wrote:

> 1. Authentication with pam_pkcs11.so
Probably needs support at the PAM level and modifications in pam_pkcs11.


> 2. Using Mozilla Firefox
Some time ago there was a blog post asking people to pick up PSM (the
stuff that manages such GUI issues in Mozilla products) development,
as it has not been developed or improved in many years. I guess this
is still the case.

> 3. Sign with pkcs15-crypt
There was a previous post for which I promised to dig up the old code,
where you could explicitly indicate 'use pinpad for asking the
PIN' for command-line utilities.

m.
--
Martin Paljak / [hidden email]
martin.paljak.pri.ee / ideelabor.ee
+372 515 64 95



Re: Pinpad again

Ludovic Rousseau
In reply to this post by Johannes Becker-5
Hello,

On 16/11/06, Johannes Becker <[hidden email]> wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
> > It requires modification of g/kdm, something we intend to
> > suggest/propose/modify in the future.
> >
> I guess you wouldn't have to modify gdm/kdm. My pinpad beeps and blinks
> as soon as the system asks for the PIN. So it would be nice to have no
> prompt for a keyboard action at all.

What do you use for the authentication in this precise case? Do you
use a PAM module? Which one?

> I get the unnecessary prompts in at least 3 different cases:
>
> 1. Authentication with pam_pkcs11.so

As Martin said, we should correct this. So if you can show us a PAM
module that does not prompt for a PIN, that would help.

Bye,

--
  Dr. Ludovic Rousseau

Re: Pinpad again

Eddy Nigg (StartCom Ltd.)
In reply to this post by Johannes Becker-5
Obviously not everyone is using a pinpad... So for gdm/kdm to work with smart cards / tokens in conjunction with pam_pkcs11 some modifications are required... I really hope to get this at some point...

Perhaps it would be appropriate to take pinpads into account once we are at it...

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: Pinpad again

Johannes Becker-5
In reply to this post by Ludovic Rousseau
Hello,

On Thursday, 16 November 2006 14:59, Ludovic Rousseau wrote:

>
> What do you use for the authentication in this precise case? Do you
> use a PAM module? Which one?

/usr/local/lib/security/pam_pkcs11.so

I compiled pam_pkcs11-0.5.3

> As Martin said we should correct this. So if you can show us a PAM
> module that does not prompt for PIN that would help.

Well, nearly every other PAM module has to get the password via the keyboard
and prompts for it. The only exception I know of is
  pam_rootok.so
which is used in /etc/pam.d/su to allow the root user to become every other
user without a password.

Now, pam_pkcs11.so prints the line
  Password for token Smartkey Card TypA (globale PIN):
and it doesn't use at all what you type at this prompt.
After you type the return key, the pinpad awakes and everything
works fine.

Regards
  Johannes


Re: Pinpad again

Ludovic Rousseau
On 17/11/06, Johannes Becker <[hidden email]> wrote:
> > As Martin said we should correct this. So if you can show us a PAM
> > module that does not prompt for PIN that would help.
>
> Well, nearly every other PAM module has to get the password via the keyboard
> and prompts for it. The only exception I know of is
>   pam_rootok.so
> which is used in /etc/pam.d/su to allow the root user to become every other
> user without a password.

A PAM module does not have to ask for a password or PIN.

> Now, pam_pkcs11.so prints the line
>   Password for token Smartkey Card TypA (globale PIN):
> and it doesn't use at all what you type at this prompt.
> After you type the return key, the pinpad awakes and everything
> works fine.

pam_pkcs11 gets a PIN (or whatever you enter) and then sends it to the
PKCS#11 lib. OpenSC then detects the PIN pad reader and asks for the PIN on
it instead of using the PIN sent by pam_pkcs11.

I don't know if pam_pkcs11 can know:
- that a PIN pad is connected
- that the PKCS#11 lib will/can use the PIN pad, so the PAM module does
not have to ask for a PIN on the keyboard.

Bye,

--
  Dr. Ludovic Rousseau

Re: Pinpad again

Jonsy (teleline)
On Fri, 17-11-2006 at 14:47 +0100, Ludovic Rousseau wrote:

> I don't know if pam_pkcs11 can know:
> - that a PIN pad is connected

Surely not, unless the PKCS#11 interface could inform us that a pinpad
is attached. Anyway, this issue is not handled by my code.

> - that the PKCS#11 lib will/can use the PIN pad, so
> the PAM module does not have to ask for a PIN on the keyboard.

I ask for the PIN/password by means of the PAM libraries, so I have no control over
where the PAM stack takes the data from.... Perhaps an extra PAM module
is needed to retrieve the password from the pinpad.

Note that this applies to my last version of pam_pkcs11.
Fedora people have been working intensively on this module
(it is now part of FC6) and theirs is much better (NSS support,
for instance). Perhaps you should study their code.

Juan Antonio


Re: Pinpad again

Ludovic Rousseau
On 17/11/06, Jonsito <[hidden email]> wrote:
> On Fri, 17-11-2006 at 14:47 +0100, Ludovic Rousseau wrote:
> - that the PKCS#11 lib will/can use the PIN pad, so
> the PAM module does not have to ask for a PIN on the keyboard.
>
> I ask for the PIN/password by means of the PAM libraries, so I have no control over
> where the PAM stack takes the data from.... Perhaps an extra PAM module
> is needed to retrieve the password from the pinpad.

You can't retrieve a password from a pinpad. That is the main purpose
of a pinpad. The PIN only goes from the reader to the card without any
possibility for the PC to know it. So when a pinpad is used no PAM
module will ever know the PIN.

> Note that this applies to my last version of pam_pkcs11.
> Fedora people have been working intensively on this module
> (it is now part of FC6) and theirs is much better (NSS support,
> for instance). Perhaps you should study their code.

Robert, do you (RedHat) plan to integrate your changes back in the
upstream pam_pkcs11 or is it a fork?
I got pam_pkcs11-0.5.3-22.src.rpm and the patches look fine. What
would be nice is a comment on each patch and/or a link between a patch
and a comment in the .spec file.

Bye,

--
  Dr. Ludovic Rousseau

Re: Pinpad again

Peter Stuge
In reply to this post by Ludovic Rousseau
On Fri, Nov 17, 2006 at 02:47:31PM +0100, Ludovic Rousseau wrote:
> I don't know if pam_pkcs11 can know:
> - that a PIN pad is connected
> - that the PKCS#11 lib will/can use the PIN pad so the PAM module do
> not have to ask for a PIN on the keyboard.

Supposedly, it can.

CKF_PROTECTED_AUTHENTICATION_PATH in CK_TOKEN_INFO.flags.

Try using pkcs11-spy, it pretty-prints CK_TOKEN_INFO on successful
calls to C_GetTokenInfo.

See PKCS#11 v2.11 page 16, 6.7.4 on page 28, page 152 and page 154.

--8<-- framework-pkcs15.c:pkcs15_init_slot()
if (card->card->slot->capabilities & SC_SLOT_CAP_PIN_PAD) {
        slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
        sc_pkcs11_conf.cache_pins = 0;
}
-->8--

--8<-- libopensc/reader-ctapi.c:
if (priv->ctapi_functional_units & CTAPI_FU_KEYBOARD)
        reader->slot[i].capabilities |= SC_SLOT_CAP_PIN_PAD;
-->8--

--8<-- libopensc/reader-openct.c:
if (data->info.ct_keypad)
        reader->slot[i].capabilities |= SC_SLOT_CAP_PIN_PAD;
-->8--

--8<-- libopensc/reader-pcsc.c:
/* Set slot capabilities based on detected IOCTLs */
if (pslot->verify_ioctl || (pslot->verify_ioctl_start && pslot->verify_ioctl_finish)) {
        char *log_text = "Reader supports pinpad PIN verification";
        if (priv->gpriv->enable_pinpad) {
                sc_debug(reader->ctx, log_text);
                slot->capabilities |= SC_SLOT_CAP_PIN_PAD;
        } else {
                sc_debug(reader->ctx, "%s %s", log_text, log_disabled);
        }
}
-->8--

libopensc/card-belpic.c has a BELPIC_PIN_PAD ifdef and lots of pinpad
code within.

What reader were you using again?


//Peter
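The flag Peter names is enough for the caller to skip the keyboard prompt that Ludovic's earlier message traces back to pam_pkcs11 handing an unused PIN to the PKCS#11 library. The following added example (written for this thread; it is not OpenSC or pam_pkcs11 code) shows the policy a PAM-side caller can apply: read CK_TOKEN_INFO.flags, and when CKF_PROTECTED_AUTHENTICATION_PATH is set call C_Login with a NULL PIN of length 0, which the PKCS#11 specification defines as "authenticate on the token's own path". The type and constant definitions are copied from the specification so the file builds without pkcs11.h; caller_must_prompt, login_with_pin_policy, prompt_fn and the demo_* functions are names chosen here, and the demo_* functions are constructed stand-ins for a module's C_Login and for the PAM conversation, not a real module.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Minimal PKCS#11 types and constants, copied from the PKCS#11 v2.x spec
 * so that this file builds without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SESSION_HANDLE;
typedef CK_ULONG CK_USER_TYPE;
typedef unsigned char *CK_UTF8CHAR_PTR;

#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
#define CKU_USER                          1UL
#define CKR_OK                            0x00UL
#define CKR_ARGUMENTS_BAD                 0x07UL
#define CKR_PIN_INCORRECT                 0xA0UL

/* Prototype of C_Login as exported by any PKCS#11 module. */
typedef CK_RV (*c_login_fn)(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG);
/* Hypothetical keyboard prompt; pam_pkcs11 would use the PAM conversation here. */
typedef int (*prompt_fn)(char *buf, size_t buflen);

/* The check Peter Stuge points at: the token says PIN entry happens on a
 * protected path (the reader's pinpad), so the host never sees the PIN. */
int token_has_protected_path(CK_FLAGS token_flags)
{
    return (token_flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
}

/* 1 if the caller has to ask for the PIN on the keyboard, 0 otherwise. */
int caller_must_prompt(CK_FLAGS token_flags)
{
    if (!(token_flags & CKF_LOGIN_REQUIRED))
        return 0;                       /* no PIN needed at all */
    return !token_has_protected_path(token_flags);
}

/* With a protected path, C_Login is called with a NULL PIN of length 0 and
 * the module collects the PIN on the pad; otherwise the PIN comes from the
 * prompt and is wiped afterwards. *prompted records whether the keyboard was used. */
CK_RV login_with_pin_policy(c_login_fn c_login, CK_SESSION_HANDLE session,
                            CK_FLAGS token_flags, prompt_fn prompt, int *prompted)
{
    char pin[64];
    volatile char *wipe = pin;          /* volatile so the wipe is not optimised away */
    size_t i;
    CK_RV rv;

    *prompted = 0;
    if (!caller_must_prompt(token_flags))
        return c_login(session, CKU_USER, NULL, 0);

    if (prompt == NULL || prompt(pin, sizeof pin) != 0)
        return CKR_ARGUMENTS_BAD;       /* no way to obtain a PIN */
    *prompted = 1;
    rv = c_login(session, CKU_USER, (CK_UTF8CHAR_PTR)pin, (CK_ULONG)strlen(pin));
    for (i = 0; i < sizeof pin; i++)
        wipe[i] = 0;
    return rv;
}

/* Constructed stand-ins for a module's C_Login (not OpenSC code). The pinpad
 * one behaves as Ludovic describes: whatever the host passes is ignored and
 * the PIN is collected on the reader. The keyboard one needs the PIN bytes;
 * "1234" is a constructed value. */
static CK_RV demo_pinpad_c_login(CK_SESSION_HANDLE s, CK_USER_TYPE u,
                                 CK_UTF8CHAR_PTR pin, CK_ULONG len)
{
    (void)s; (void)u; (void)pin; (void)len;
    return CKR_OK;
}

static CK_RV demo_keyboard_c_login(CK_SESSION_HANDLE s, CK_USER_TYPE u,
                                   CK_UTF8CHAR_PTR pin, CK_ULONG len)
{
    (void)s; (void)u;
    if (pin != NULL && len == 4 && memcmp(pin, "1234", 4) == 0)
        return CKR_OK;
    return CKR_PIN_INCORRECT;
}

static int demo_prompt(char *buf, size_t buflen)
{
    if (buflen < 5)
        return -1;
    strcpy(buf, "1234");                /* constructed; a real prompt reads the user */
    return 0;
}

int main(void)
{
    CK_FLAGS with_pad = CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH;
    CK_FLAGS no_pad   = CKF_LOGIN_REQUIRED;
    int prompted;

    login_with_pin_policy(demo_pinpad_c_login, 1, with_pad, demo_prompt, &prompted);
    printf("pinpad token:   keyboard prompt shown = %d\n", prompted);
    login_with_pin_policy(demo_keyboard_c_login, 1, no_pad, demo_prompt, &prompted);
    printf("keyboard token: keyboard prompt shown = %d\n", prompted);
    return 0;
}
```

Against a real module the flags would come from C_GetTokenInfo on the slot holding the card, which is what pkcs11-spy prints; a reader that OpenSC recognises as pinpad-capable (the SC_SLOT_CAP_PIN_PAD paths quoted above) sets the flag, and the prompt is then never displayed.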

Re: Pinpad again

relyea
In reply to this post by Ludovic Rousseau
Ludovic Rousseau wrote:
> On 17/11/06, Jonsito <[hidden email]> wrote:
>
>> Note that this applies to my last version of pam_pkcs11.
>> Fedora people have been working intensively in this module
>> (is now part of FC6) and their one is much better (NSS support
>> for instance). Perhaps you should study their code
>
> Robert, do you (RedHat) plan to integrate your changes back in the
> upstream pam_pkcs11 or is it a fork?
We plan to integrate it upstream. I need to carve out some time before
the end of the year to do that. I've talked with Juan about making a
patch; it's currently in my court to do that.
> I got pam_pkcs11-0.5.3-22.src.rpm and the patches look fine. What
> would be nice is a comment on each patch and/or a link between a patch
> and a comment in the .spec file.
I hope to rebuild the patches for the current tip, with many more
comments on how the changes work and why.

bob