Re: Help with SmartCards and XSpice


 



On 07/22/2014 12:41 PM, Jeremy White wrote:
> I'm hoping to get some guidance / clue bats / shock and horror in implementing Smart Card support for XSpice clients.
>
> I think I have a tentative, but sufficient grasp of how the Smart Card stuff flows from the client into the server. It's not quite as clear how the server bridges it into qemu, but I think I have the gist of it.
>
> However, that doesn't work for XSpice sessions.

I'm not sure why it shouldn't. The qemu portion simply forwards the CCID APDUs from the host. Spice has libcacard, which translates the CAC requests into calls against your PKCS #11 token on your client side.


> It looks to me that this should be possible. My research suggests that pam_pkcs11 is pluggable, and that it should be possible to write a module that would receive the cert information.

pam_pkcs11 uses pluggable PKCS #11 modules (which also work in Firefox and other NSS applications). You would have to install this module in your guest, however. I think redirecting the CCID USB data would be easier, though.


> So presuming I have a module hook ready to receive certs, the next question is how to get them there.
>
> The way that 'feels' right to me is to extend the Linux vd_agent to receive the smart card traffic, and so it is then vd_agent that communicates with my hypothetical pam hook.
>
> The alternate would be to put it into the spiceqxl_drv.so. That seems less ideal, but would probably be less code, and wouldn't require messing with the vdagent protocol.
>
> Thoughts?  Comments?  Clue bats?
>
> Thanks,
>
> Jeremy
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
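
Whichever component ends up receiving the forwarded smart card traffic discussed in this thread (vd_agent or the driver), it is handed raw command APDUs that originate on the client side. The following is an added example, not code from this thread, libcacard or SPICE: a bounds-checked parser for short-form ISO 7816-4 command APDUs. The names `apdu_cmd` and `apdu_parse` and the sample bytes are hypothetical, and extended-length APDUs are assumed out of scope and rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed short-form command APDU (hypothetical struct, not libcacard's). */
struct apdu_cmd {
    uint8_t cla, ins, p1, p2;
    size_t lc;            /* command data length, 0 if absent */
    const uint8_t *data;  /* points into the caller's buffer, NULL if lc == 0 */
    int has_le;           /* 1 if an Le byte was present */
    size_t le;            /* expected response length; Le byte 0x00 means 256 */
};

/* Constructed samples: SELECT by a made-up 7-byte AID, and a truncated copy. */
static const uint8_t sample_select[] =
    {0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03};
static const uint8_t sample_truncated[] =
    {0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00};

/* Returns 0 on success, -1 if buf is not a well-formed short APDU. */
int apdu_parse(const uint8_t *buf, size_t len, struct apdu_cmd *out)
{
    if (buf == NULL || out == NULL || len < 4)
        return -1;
    out->cla = buf[0]; out->ins = buf[1]; out->p1 = buf[2]; out->p2 = buf[3];
    out->lc = 0; out->data = NULL; out->has_le = 0; out->le = 0;
    if (len == 4)                        /* case 1: header only */
        return 0;
    if (len == 5) {                      /* case 2: header + Le */
        out->has_le = 1;
        out->le = buf[4] ? buf[4] : 256;
        return 0;
    }
    size_t lc = buf[4];                  /* cases 3 and 4: buf[4] is Lc */
    size_t rest = len - 5;
    if (lc == 0)                         /* extended length: rejected here */
        return -1;
    if (rest != lc && rest != lc + 1)    /* declared length must match received bytes */
        return -1;
    out->lc = lc;
    out->data = buf + 5;
    if (rest == lc + 1) {                /* case 4: trailing Le */
        out->has_le = 1;
        out->le = buf[5 + lc] ? buf[5 + lc] : 256;
    }
    return 0;
}

int main(void)
{
    struct apdu_cmd c;
    printf("select: %d\n", apdu_parse(sample_select, sizeof sample_select, &c));
    printf("truncated: %d\n", apdu_parse(sample_truncated, sizeof sample_truncated, &c));
    return 0;
}
```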
