For local logon, use pam-pkcs11 from the OpenSC project:
http://www.opensc-project.org/pam_pkcs11/

Plus the OpenSC PKCS#11 module:
http://www.opensc-project.org/opensc/wiki/PKCS11

Plus, of course, OpenSC itself for the PIV support.

This will work with most PAM-enabled applications, including sudo. gksu/gksudo (which are basically GUI wrappers around sudo) had a bug where they wouldn't recognize the changed 'password' prompt, but this may be fixed in current releases.

If you're looking for PKINIT with Linux, use Russ Allbery's pam_krb5 module with a recent Heimdal or MIT Kerberos library. Configuration details depend on the version of Windows Server you're using, but are all online.

-- Tim

________________________________________
From: smartcardservices-users-bounces@lists.macosforge.org [smartcardservices-users-bounces@lists.macosforge.org] On Behalf Of Inati, Souheil (NIH/NIMH) [E] [souheil.inati@nih.gov]
Sent: Wednesday, October 13, 2010 5:26 PM
To: Bram Cymet
Cc: Shawn A. Geddis; Fed Talk; Inati, Souheil (NIH/NIMH) [E]; Smart Card Services-Users
Subject: Re: [SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Hi Bram,

In our group, the workstations are split about 60/40 OS X/Linux based on user preference. Nearly all the laptops are Macs. None of the scientists use Windows unless they have to for specialized data acquisition systems. Like I said, heterogeneous :-)

BTW, we'll have to burn the Linux bridge too. Could you point me to how you would require PIV login on the Linux machines?

-Souheil

On Oct 13, 2010, at 5:57 PM, Bram Cymet wrote:
Is OS X a requirement? This can very easily be done on Linux.
On 10/13/2010 05:42 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
Sorry, not an option. We have terabytes of data on disks in a heterogeneous environment.
On Oct 13, 2010, at 5:37 PM, Bram Cymet wrote:
If it is the data you are looking to protect, you can put it in a filevault and protect the filevault with your smartcard. This is very easy to do. I have yet to find a way to lock access to the machine to smartcard only. Then as long as the vault is not left open when the machine is unattended you will be fine.
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users