[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Miller, Timothy J. tmiller at mitre.org
Thu Oct 14 07:03:51 PDT 2010


For local logon, use pam-pkcs11 from the OpenSC project:

http://www.opensc-project.org/pam_pkcs11/

Plus the OpenSC PKCS#11 module:

http://www.opensc-project.org/opensc/wiki/PKCS11

Plus, of course, OpenSC itself for the PIV support.

This will work with most PAM-enabled applications, including sudo.  gksu/gksudo (which are basically GUI wrappers around sudo) had a bug where they wouldn't recognize the changed 'password' prompt, but this may be fixed in current releases.

If you're looking for PKINIT with Linux, use Russ Allbery's pam_krb5 module with a recent Heimdal or MIT Kerberos library.  Configuration details depend on the version of Windows Server you're using, but are all online.

-- Tim

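An added example (not from Tim's post and not OpenSC or pam_pkcs11 project code) for the Linux side of Souheil's question: it stages a pam_pkcs11.conf that uses the OpenSC PKCS#11 module, writes a PAM auth stack in the "pilot" form (card sufficient, password fallback) and the "enforced" form (card required, nothing to fall back to), and checks which form a given PAM file is. The module path, directory layout and the pwent mapper are assumptions for a Debian/Ubuntu-style install; the CA directory has to hold your PIV issuer's certificates.

```sh
#!/bin/sh
# Added example, not from the mailing-list post or the OpenSC/pam_pkcs11 projects.
# Stages a pam_pkcs11 setup for PIV login, writes two PAM auth stacks and
# checks whether a stack actually requires the card. Paths are assumptions.

STAGE="${STAGE:-$(mktemp -d)}"

# pam_pkcs11.conf: use the OpenSC PKCS#11 module, verify the certificate chain
# against the issuer CAs in ca_dir plus the challenge signature and CRL, then
# map the certificate to a local account. pwent only works when the cert CN
# equals the login name; PIV CNs usually need a mapfile-based mapper instead.
write_pkcs11_conf() {
    mkdir -p "$STAGE/etc/pam_pkcs11"
    cat > "$STAGE/etc/pam_pkcs11/pam_pkcs11.conf" <<'EOF'
pam_pkcs11 {
  nullok = false;
  debug = false;
  use_first_pass = false;
  try_first_pass = false;
  use_authtok = false;
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    # assumed path; check ls /usr/lib*/opensc-pkcs11.so on your system
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    slot_num = 0;
    # c_rehash'ed copies of the PIV issuing CA certificates and their CRLs
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    support_threads = false;
    cert_policy = ca,signature,crl_auto;
  }

  use_mappers = pwent;
  mapper_search_path = /usr/lib/pam_pkcs11;

  mapper pwent {
    debug = false;
    module = internal;
    ignorecase = false;
  }
}
EOF
}

# Two auth stacks for /etc/pam.d/sudo (or common-auth). In the pilot form
# pam_pkcs11 is only "sufficient": no card simply means a password prompt,
# so the card is never required. In the enforced form pam_pkcs11 is
# "required" and there is no password module left to fall back to.
write_pam_stacks() {
    mkdir -p "$STAGE/etc/pam.d"
    cat > "$STAGE/etc/pam.d/sudo.pilot" <<'EOF'
auth    sufficient    pam_pkcs11.so
auth    required      pam_unix.so
EOF
    cat > "$STAGE/etc/pam.d/sudo.enforced" <<'EOF'
auth    required      pam_pkcs11.so
EOF
}

# Return 0 if the auth stack in $1 enforces the card: pam_pkcs11 appears with
# control "required" or "requisite" and no earlier auth line is "sufficient"
# (a successful sufficient line ends the stack before pam_pkcs11 runs).
# Caveat: "@include" lines and "[success=...]" bracket controls are not
# followed; inspect those by hand.
pam_enforces_card() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "auth" && !seen && $2 == "sufficient" { bypass = 1 }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_pkcs11\.so$/ { seen = 1 }
        END { exit !(seen && !bypass) }
    ' "$1"
}

write_pkcs11_conf
write_pam_stacks
for f in "$STAGE/etc/pam.d/sudo.pilot" "$STAGE/etc/pam.d/sudo.enforced"; do
    if pam_enforces_card "$f"; then
        echo "$f: card enforced"
    else
        echo "$f: card NOT enforced (password fallback possible)"
    fi
done
```

Copy the staged files into /etc only after the CA directory is populated and the mapper is known to resolve your cards, keep a root shell open while switching a stack to the enforced form (a mapper miss locks everyone out), and test with `sudo -k; sudo true` from a second session. The gksu prompt caveat in the post applies to the enforced form as well: once the prompt says PIN instead of password, any wrapper that pattern-matches the prompt text breaks.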

________________________________________
From: smartcardservices-users-bounces at lists.macosforge.org [smartcardservices-users-bounces at lists.macosforge.org] On Behalf Of Inati, Souheil (NIH/NIMH) [E] [souheil.inati at nih.gov]
Sent: Wednesday, October 13, 2010 5:26 PM
To: Bram Cymet
Cc: Shawn A. Geddis; Fed Talk; Inati, Souheil (NIH/NIMH) [E]; Smart Card Services-Users
Subject: Re: [SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Hi Bram,

In our group, the workstations are split about 60/40 OS X/Linux based on user preference.  Nearly all the laptops are macs.  None of the scientists use windows unless they have to for specialized data acquisition systems.
Like I said, heterogeneous :-)

BTW, we'll have to burn the Linux bridge too, could you point me to how you would require PIV login on the Linux machines?

-Souheil

On Oct 13, 2010, at 5:57 PM, Bram Cymet wrote:

>  Is OS X a requirement? This can very easily be done on Linux.
>
> On 10/13/2010 05:42 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
>> Sorry, not an option.  We have terabytes of data on disks in a heterogeneous environment.
>>
>> On Oct 13, 2010, at 5:37 PM, Bram Cymet wrote:
>>
>>>  If it is the data you are looking to protect you can put it in a
>>> filevault and protect the filevault with your smartcard. This is very
>>> easy to do. I have yet to find a way to lock access to the machine to
>>> smartcard only.  Then as long as the vault is not left open when the
>>> machine in unattended you will be fine.
>
>
> --
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752
>
>

_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users at lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
