RE: CAC screen locking/unlocking



There isn't as much magic about it as you may think. My pkcs11_eventmgr.conf
just has 

event card_insert {
   action = "play /usr/share/sounds/warning.wav", "xscreensaver-command

event card_remove {
   action = "play /usr/share/sounds/error.wav", "xscreensaver-command

The PIN prompting is taken care of by xscreensaver through PAM + pam_pkcs11
- it looks like any password prompt.

I found card_eventmgr rather more interesting at the time though, because I
wanted my box to beep at me if I tried to lock the screen with the CAC in.
card_eventmgr is run per-user and has nearly the same sort of configuration
as pkcs11_eventmgr. It doesn't always look for its config file where you
think you told it to, as I recall. I have my card_eventmgr write the
inserted/removed state of the card to a little text file, and I made a shell
script to run instead of "xscreensaver-command -activate", which checks the
text file for "inserted" and makes sounds, so I'm alerted if I lock my
screen but my card's still in.

If you're using GNOME, I have no clue how you'd go about making the "Lock
Screen" button/menu item do that little shell script instead of talking to
the screensaver itself. :P

> -----Original Message-----
> From: coolkey-devel-bounces@xxxxxxxxxx 
> [mailto:coolkey-devel-bounces@xxxxxxxxxx] On Behalf Of 
> Allshouse, Brian M CTR NSWCDD XDT
> Sent: Friday, December 08, 2006 7:49 AM
> To: coolkey-devel@xxxxxxxxxx
> Subject:  CAC screen locking/unlocking
> I was referred to this list by Rob Crittenden and was hoping 
> someone could help me out. I've been doing some CAC testing 
> in FC6 and was trying to get screen locking/unlocking to work 
> with a DoD CAC using coolkey, pam_pkcs11, etc. and I notice 
> in the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file there's a 
> script listed in there that's supposed to lock the screen on 
> card removal and unlock the screen on card insertion (w/pin I 
> assume). The script is called "" and should be 
> in the "/etc/pki" directory, but it doesn't exist, I even 
> tried installing the whole distribution in hopes I would find 
> it. Does anyone have any clue as to what's going on there? 
> Any advice to make that work would be helpful, thanks. 
> Sincerely, 
> Brian M. Allshouse 
> Network Operations - XDT 
> Bowhead Information Technology Services 
> (540) 653-6692 
> brian.allshouse.ctr@xxxxxxxx 
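
The lock wrapper described in the reply above, sketched as an added example; it is not the poster's script and not part of the original message. It assumes card_eventmgr's insert/remove actions write the single word "inserted" or "removed" to a state file whose path here is hypothetical, and it goes one step beyond the reply by also alerting when the state is missing or unreadable.

```shell
#!/bin/sh
# Added example: lock the screen, but alert first if the CAC is still in the reader.
# Assumption: the card_eventmgr card_insert / card_remove actions write
# "inserted" or "removed" to STATE_FILE. The path and variable names are hypothetical.
STATE_FILE="${CAC_STATE_FILE:-${HOME:-.}/.cac-state}"
WARN_SOUND="${CAC_WARN_SOUND:-/usr/share/sounds/warning.wav}"

# Print "inserted", "removed" or "unknown" for the given state file.
card_state() {
    file="$1"
    # Missing or unreadable file: the event manager may not be running,
    # or it may have read a different config file than expected.
    [ -r "$file" ] || { echo unknown; return 0; }
    # Only the first line counts; strip blanks and a stray carriage return.
    state=$(head -n 1 "$file" | tr -d ' \t\r')
    case "$state" in
        inserted|removed) echo "$state" ;;
        *) echo unknown ;;
    esac
}

# Return 0 when the user should be alerted before the screen locks.
should_warn() {
    case "$(card_state "$1")" in
        removed) return 1 ;;  # card is out: lock silently
        *) return 0 ;;        # card is in, or state cannot be trusted: alert
    esac
}

lock_with_card_check() {
    if should_warn "$STATE_FILE"; then
        echo "CAC state: $(card_state "$STATE_FILE"); remove the card" >&2
        # Fall back to the terminal bell if play (sox) is unavailable.
        play "$WARN_SOUND" >/dev/null 2>&1 || printf '\a'
    fi
    xscreensaver-command -activate
}

# Lock only when asked to, e.g. "lock-cac.sh lock" bound to a hotkey.
case "${1:-}" in
    lock) lock_with_card_check ;;
esac
```

Treating an unknown state as a reason to alert keeps a stopped event manager from silently disabling the reminder.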
