List:       sssd-users
Subject:    [SSSD-users] Re: pam_sss force smartcard for TTY logins
From:       "Winberg, Adam" <adam.winberg () smhi ! se>
Date:       2017-10-20 18:21:07
Message-ID: CAHSGfpKrd3_i6d_AyOknZ=0DzRW1NQMuKdx1W-Yoi1L11Az=yQ () mail ! gmail ! com

Hey, while we're talking features: another feature I really like about
pam_pkcs11 is that, in GDM, you can type your PIN and press enter before
inserting your smartcard. I'm not even sure the feature belongs in
pam_pkcs11 or in gdm, but the behaviour changed when I switched to pam_sss
so I'm thinking the former.

It's a little thing, but it's a little annoying to have to wait for the
smart card to be recognized before you can start typing the PIN.

Have a good weekend!

//Adam

2017-10-20 16:59 GMT+02:00 Winberg, Adam <adam.winberg@smhi.se>:

> Ok - great work by the way, keep it up!
>
> //Adam
>
> 2017-10-20 16:37 GMT+02:00 Sumit Bose <sbose@redhat.com>:
>
>> On Fri, Oct 20, 2017 at 04:25:52PM +0200, Winberg, Adam wrote:
>> > Using pam_pkcs11 we can use the parameter 'wait_for_card' to halt the pam
>> > process until a smart card is inserted. Is there any feature like that with
>> > pam_sss?
>> >
>> > Use case is to require smart card for logins. With GDM this is configured
>> > via dconf, but with console/tty logins there is no such configuration
>> > available as I know of. So with pam_sss you can freely logon to a TTY
>> > without using smartcard. Or maybe there is a solution out there I'm missing?
>>
>> This is work-in-progress, I'll try to implement missing features from
>> pam_pkcs11 step by step.
>>
>> bye,
>> Sumit
>>
>> >
>> > Regards
>> > Adam
>>
>> > _______________________________________________
>> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
