Using pam_pkcs11 we can use the parameter 'wait_for_card' to halt the pam process until a smart card is inserted. Is there any feature like that with pam_sss?
Use case is to require smart card for logins. With GDM this is configured via dconf, but with console/tty logins there is no such configuration available that I know of. So with pam_sss you can freely log on to a TTY without using a smartcard. Or maybe there is a solution out there I'm missing?
Regards Adam
On Fri, Oct 20, 2017 at 04:25:52PM +0200, Winberg, Adam wrote:
> Using pam_pkcs11 we can use the parameter 'wait_for_card' to halt the pam process until a smart card is inserted. Is there any feature like that with pam_sss?
> Use case is to require smart card for logins. With GDM this is configured via dconf, but with console/tty logins there is no such configuration available that I know of. So with pam_sss you can freely log on to a TTY without using a smartcard. Or maybe there is a solution out there I'm missing?
This is work-in-progress, I'll try to implement missing features from pam_pkcs11 step by step.
bye, Sumit
> Regards Adam
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Ok - great work by the way, keep it up!
//Adam
Hey, while we're talking features: another feature I really like about pam_pkcs11 is that, in GDM, you can type your PIN and press enter before inserting your smartcard. I'm not even sure the feature belongs in pam_pkcs11 or in gdm, but the behaviour changed when I switched to pam_sss so I'm thinking the former.
It's a little thing, but it's a little annoying to have to wait for the smart card to be recognized before you can start typing the PIN.
Have a good weekend!
//Adam