Aaron Lippold wrote, On 04/01/2008 12:20 AM:
> I just set up my F8 box and it seems that GDM and xscreensaver aren't
> playing nicely with coolkey again. My GDM session doesn't 1) add the
> "username or smartcard" text and doesn't acknowledge insertion of the
> card even though the SCM app does. xscreensaver does not even though I
> set it to 'Lock' in the auth settings. Most of my testing was done in
> RHEL5.0 so maybe it's just a matter of patches.
> FF/TB with the libcoolkey.so modules works so I know that pcscd, etc
> seem to be working.
Did you mod /etc/pam.d/gdm?
echo "echo \"Nothing but PKCS11 cards\" >> /etc/nologin" >> /etc/rc.d/rc.local
--- gdm 2007/11/15 14:52:54 1.1
+++ gdm 2007/12/03 21:34:48
@@ -1,9 +1,11 @@
+auth sufficient /lib/security/pam_pkcs11.so
+account required pam_nologin.so
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth include system-auth
auth optional pam_gnome_keyring.so
-account required pam_nologin.so
+#account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
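Review bot: the relocated "account required pam_nologin.so" at the top of the hunk is still an account-type entry, so placing it under the new pam_pkcs11.so line does not change when it runs. PAM evaluates the auth and account stacks separately, and "sufficient" on the auth line only short-circuits the auth stack, so with /etc/nologin present this account check applies to every non-root user regardless of how they authenticated. If the goal is to refuse only password logins, consider "auth required pam_nologin.so" directly after the pam_pkcs11.so line and leave the original account line uncommented. Separately, the new auth line uses the absolute path /lib/security/pam_pkcs11.so while every other entry uses a bare module name; the bare name pam_pkcs11.so avoids breakage on systems where modules live under /lib64/security.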
And /etc/pam.d/login and /etc/pam.d/xscreensaver need similar patches.
Also, don't forget to use Red Hat's undocumented tool "certutil" to stuff the
CAs in the appropriate barely documented nssdb place.
One of these days, I need to learn enough PAM to get by with this without
having to use /etc/nologin, i.e., all users but root require pkcs11, however
root can log in with password.
Hope this helps.
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
Coolkey-devel mailing list