RE: CAC screen locking/unlocking

I'm using RHEL4. I think CoolKey kept freezing on me and I ended up with
muscle + commonAccessCard for PAM and CoolKey for Firefox; it's been a while
since I messed with all that because I read some message in a mailing list
archive that said you really shouldn't have anything that takes a PIN in the
same PAM stack with anything that takes a password: when the card is
inserted and removed you should switch between different PAM stacks. This
implies code changes in gdm and the screensaver, some of which I'm sure have
happened in FC6, but I haven't tried them out yet.

> -----Original Message-----
> From: Allshouse, Brian M CTR NSWCDD XDT 
> [mailto:brian.allshouse.ctr@xxxxxxxx] 
> Sent: Wednesday, December 13, 2006 7:28 AM
> To: Jennings Jared L CTR USAF 46 SK/CCI
> Subject: RE:  CAC screen locking/unlocking
> 
> My only problem with that is that FC6 doesn't come with xscreensaver,
> and after the testing I did in FC4 I could never get unlocking the
> screen to work right with pam & xscreensaver. I noticed the changes to
> all of this in FC6 and it appears to be really close to working right
> out of the box; you can enable this through the "Authentication" GUI in
> FC6. What version are you using (Fedora/Redhat)? Have you seen this
> stuff in FC6 yet?
> 
> 
> Sincerely,
> 
> Brian M. Allshouse
> Network Operations - XDT
> Bowhead Information Technology Services
> (540) 653-6692
> brian.allshouse.ctr@xxxxxxxx
> 
> -----Original Message-----
> From: coolkey-devel-bounces@xxxxxxxxxx
> [mailto:coolkey-devel-bounces@xxxxxxxxxx] On Behalf Of Jennings Jared L
> CTR USAF 46 SK/CCI
> Sent: Monday, December 11, 2006 12:51
> To: 'coolkey-devel@xxxxxxxxxx'
> Subject: RE:  CAC screen locking/unlocking
> 
> There isn't as much magic about it as you may think. My
> pkcs11_eventmgr.conf just has
>
> event card_insert {
>    ...
>    action = "play /usr/share/sounds/warning.wav", "xscreensaver-command -deactivate";
> }
>
> event card_remove {
>    ...
>    action = "play /usr/share/sounds/error.wav", "xscreensaver-command -lock";
> }
>
> The PIN prompting is taken care of by xscreensaver through PAM +
> pam_pkcs11 - it looks like any password prompt.
>
> I found card_eventmgr rather more interesting at the time though,
> because I wanted my box to beep at me if I tried to lock the screen with
> the CAC in.
> card_eventmgr is run per-user and has nearly the same sort of
> configuration as pkcs11_eventmgr. It doesn't always look for its config
> file where you think you told it to, as I recall. I have my
> card_eventmgr write the inserted/removed state of the card to a little
> text file, and I made a shell script to run instead of
> "xscreensaver-command -activate", which checks the text file for
> "inserted" and makes sounds, so I'm alerted if I lock my screen but my
> card's still in.
> 
> If you're using GNOME, I have no clue how you'd go about making the
> "Lock Screen" button/menu item do that little shell script instead of
> talking to the screensaver itself. :P
> 
> 
> > -----Original Message-----
> > From: coolkey-devel-bounces@xxxxxxxxxx 
> > [mailto:coolkey-devel-bounces@xxxxxxxxxx] On Behalf Of Allshouse, 
> > Brian M CTR NSWCDD XDT
> > Sent: Friday, December 08, 2006 7:49 AM
> > To: coolkey-devel@xxxxxxxxxx
> > Subject:  CAC screen locking/unlocking
> > 
> > 
> > I was referred to this list by Rob Crittenden and was hoping someone
> > could help me out. I've been doing some CAC testing in FC6 and was
> > trying to get screen locking/unlocking to work with a DoD CAC using
> > coolkey, pam_pkcs11, etc. and I notice in the
> > "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file there's a script listed in
> > there that's supposed to lock the screen on card removal and unlock
> > the screen on card insertion (w/pin I assume). The script is called
> > "lockhelper.sh" and should be in the "/etc/pki" directory, but it
> > doesn't exist, I even tried installing the whole distribution in hopes
> > I would find it. Does anyone have any clue as to what's going on
> > there?
> > Any advice to make that work would be helpful, thanks.
> > 
> > 
> > Sincerely,
> > 
> > Brian M. Allshouse
> > Network Operations - XDT
> > Bowhead Information Technology Services
> > (540) 653-6692
> > brian.allshouse.ctr@xxxxxxxx
> > 
> > 
> 
> _______________________________________________
> Coolkey-devel mailing list
> Coolkey-devel@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/coolkey-devel
> 
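
The lock wrapper described in the quoted message above, sketched as an added example; it is not code from the thread or from the CoolKey or pam_pkcs11 projects. The state file path, the script name, the `CAC_*` override variables and the choice to alert on an unreadable state file are assumptions; `play` and `xscreensaver-command -activate` are the commands named in the thread.

```shell
#!/bin/sh
# Added example: run this instead of "xscreensaver-command -activate" so that
# locking the screen with the CAC still in the reader produces an audible alert.
# Assumption: card_eventmgr actions keep a one-line state file ("inserted" or
# "removed") at the hypothetical path below.
STATE_FILE="${CAC_STATE_FILE:-$HOME/.cac-state}"
ALERT_CMD="${CAC_ALERT_CMD:-play /usr/share/sounds/warning.wav}"
LOCK_CMD="${CAC_LOCK_CMD:-xscreensaver-command -activate}"

# Print "inserted", "removed" or "unknown" for the state file given as $1.
card_state() {
    f="$1"
    line=""
    # Trust only a regular file owned by the current user. A symlink, a
    # missing file or a file owned by someone else is reported as "unknown".
    if [ ! -f "$f" ] || [ -L "$f" ] || [ ! -O "$f" ]; then
        echo unknown
        return 0
    fi
    # read returns non-zero on a missing trailing newline; the value is still set.
    IFS= read -r line < "$f" || true
    case "$line" in
        inserted|removed) echo "$line" ;;
        *) echo unknown ;;
    esac
}

# Alert unless the card is known to be removed, then hand off to the
# screensaver. The exit status is that of the lock command.
lock_with_check() {
    state=$(card_state "$STATE_FILE")
    if [ "$state" != removed ]; then
        # "unknown" alerts too: a broken state file must not hide the warning.
        $ALERT_CMD >/dev/null 2>&1 || true
    fi
    $LOCK_CMD
}

# Act only when invoked under this (hypothetical) script name, so the
# functions can be sourced and exercised without touching the screensaver.
case "${0##*/}" in
    lock-with-cac-check.sh) lock_with_check ;;
esac
```

A failed alert command is ignored on purpose, so a missing sound file never prevents the screen from locking.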
