Hello Folks!
We are working on getting smart card authentication working using pinpad card readers for
improved security.
To do this we use:
The FreeIPA server is running on Fedora 32 with the latest updates. FreeIPA is also configured
to be the Certificate Authority.
The FreeIPA clients are Fedora 32 based with the latest updates, with a connected USB card
reader, a Gemalto C700 with pinpad. We use several individual user SmartCard HSM 4K cards with
FreeIPA signed certificates on them. The FreeIPA clients run OpenSC and are configured to use
smartcard certificate based authentication, set up per SmartCard HSM best practice. Further,
the clients are using SSSD and not PAM_PKCS#11.
All is working great using the smartcard for authentication, as long as the pinpad is not
enabled in OpenSC.
If it is enabled, we are prompted for the PIN not only on the pinpad reader, but GDM also
prompts you to enter the PIN on the keyboard.
The expected result is to be logged in directly after entering the correct PIN code on the
pinpad reader, not being prompted by GDM to enter the PIN on the keyboard as well.
With the pinpad enabled, login gets a bit odd:
1. The Fedora 32 workstation GDM menu prompts a few users that can log in.
2. The smartcard is inserted in the reader.
3. GDM blanks out the screen and the smartcard reader prompts to enter the PIN.
4. Entering the PIN on the smartcard reader, followed by pressing the OK button on the
smartcard reader, getting the result Pin OK in the reader display.
5. GDM now prompts for entering the PIN on the keyboard. This is unexpected, instead of being
logged in to the window manager, here Gnome or xfce.
6. Any number can be entered, it does not matter, followed by hitting enter.
7. Once again the smartcard reader now prompts for the PIN.
8. Entering the PIN on the smartcard pinpad reader, followed by pressing the pinpad OK button.
9. You are now logged in, and all is normal. If ripping out the smartcard from the reader, the
screen locks, as expected.
What could this be? Has anyone seen this before, or does anyone know how to set it up?