[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
Miller, Timothy J.
tmiller at mitre.org
Thu Oct 14 07:03:51 PDT 2010
For local logon, use pam-pkcs11 from the OpenSC project:
http://www.opensc-project.org/pam_pkcs11/
Plus the OpenSC PKCS#11 module:
http://www.opensc-project.org/opensc/wiki/PKCS11
Plus, of course, OpenSC itself for the PIV support.
This will work with most PAM-enabled applications, including sudo. gksu/gksudo (which are basically GUI wrappers around sudo) had a bug where they wouldn't recognize the changed 'password' prompt, but this may be fixed in current releases.
If you're looking for PKINIT with Linux, use Russ Allbery's pam_krb5 module with a recent Heimdal or MIT Kerberos library. Configuration details depend on the version of Windows Server you're using, but are all online.
-- Tim
________________________________________
From: smartcardservices-users-bounces at lists.macosforge.org [smartcardservices-users-bounces at lists.macosforge.org] On Behalf Of Inati, Souheil (NIH/NIMH) [E] [souheil.inati at nih.gov]
Sent: Wednesday, October 13, 2010 5:26 PM
To: Bram Cymet
Cc: Shawn A. Geddis; Fed Talk; Inati, Souheil (NIH/NIMH) [E]; Smart Card Services-Users
Subject: Re: [SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
Hi Bram,
In our group, the workstations are split about 60/40 OS X/Linux based on user preference. Nearly all the laptops are Macs. None of the scientists use Windows unless they have to for specialized data acquisition systems.
Like I said, heterogeneous :-)
BTW, we'll have to burn the Linux bridge too, could you point me to how you would require PIV login on the Linux machines?
-Souheil
On Oct 13, 2010, at 5:57 PM, Bram Cymet wrote:
> Is OS X a requirement? This can very easily be done on Linux.
>
> On 10/13/2010 05:42 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
>> Sorry, not an option. We have terabytes of data on disks in a heterogeneous environment.
>>
>> On Oct 13, 2010, at 5:37 PM, Bram Cymet wrote:
>>
>>> If it is the data you are looking to protect you can put it in a
>>> filevault and protect the filevault with your smartcard. This is very
>>> easy to do. I have yet to find a way to lock access to the machine to
>>> smartcard only. Then as long as the vault is not left open when the
>>> machine is unattended you will be fine.
>
>
> --
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752
>
>
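An added example, not part of the thread: with the pam_pkcs11 setup suggested above, whether the card is actually required depends on where and how the module sits in the PAM auth stack. The Python below checks a service file's auth lines by simulating the stack with the card module failing and every other module succeeding. The function names and sample stacks are constructed for illustration, and only the four keyword controls are modelled (include, substack and bracketed controls are rejected rather than guessed).

```python
import os

SIMPLE = {"required", "requisite", "sufficient", "optional"}

# Constructed sample auth stacks (not taken from the thread).
CARD_OR_PASSWORD = "auth sufficient pam_pkcs11.so\nauth required pam_unix.so\n"
CARD_ONLY = "auth required pam_env.so\nauth required pam_pkcs11.so\n"

def parse_auth_stack(pam_text):
    """Return [(control, module)] for the auth lines of one PAM service file."""
    stack = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind = fields[0].lstrip("-")
        if kind == "@include" or (kind == "auth" and
                                  (len(fields) < 3 or fields[1] not in SIMPLE)):
            # include/substack/[...] need the other files; refuse to guess.
            raise ValueError("unsupported line: " + raw.strip())
        if kind == "auth":
            stack.append((fields[1], os.path.basename(fields[2])))
    return stack

def authenticates(stack, module_ok):
    """Simplified Linux-PAM evaluation; module_ok(name) -> bool."""
    required_failed = any_success = False
    for control, module in stack:
        ok = module_ok(module)
        if control == "optional":
            continue                      # simplification: result ignored
        if control == "sufficient":
            if ok and not required_failed:
                return True               # stack succeeds immediately
            continue                      # a failed 'sufficient' is ignored
        if ok:
            any_success = True
        elif control == "requisite":
            return False                  # fails immediately
        else:
            required_failed = True        # 'required': fail at the end
    return any_success and not required_failed

def card_enforced(pam_text, card_module="pam_pkcs11.so"):
    """True only if the stack cannot succeed when the card module fails."""
    stack = parse_auth_stack(pam_text)
    if all(module != card_module for _, module in stack):
        return False
    # Worst case for the policy: card module fails, every other module succeeds.
    return not authenticates(stack, lambda m: m != card_module)
```

card_enforced(CARD_OR_PASSWORD) is False because a failed "sufficient" card check falls through to the password module; a stack that pulls in other files has to be flattened before it can be checked this way.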