On 07/25/2014 12:01 AM, Jeremy White wrote:
>>> I think I have a tentative, but sufficient grasp of how the Smart Card
>>> stuff flows from the client into the server. It's not quite as clear
>>> how the server bridges it into qemu, but I think I have the gist of it.
>>>
>>> However, that doesn't work for XSpice sessions.
>>
>> I'm not sure why it shouldn't. The qemu portion simply forwards the ccid
>> APDUs from the host. Spice has libcacard which translates the CAC
>> requests into calls against your PKCS #11 token on your client side.
>
> Alright, my ignorance is showing; perhaps I need to understand the qemu
> path better.
>
> In what I think of as a typical use case, you have a client with a smart
> card reader attached. Let's say that is a Fedora 20 box. Then you have
> a host system which runs qemu to start a guest VM; let's say the host
> system is RHEL and the guest VM is Fedora RawHide.
>
> My understanding is that the client (essentially spice-gtk) interacts
> with the physical hardware, and uses libcacard to put the smartcard data
> onto the Spice smartcard channel.
>
> This is passed over the spice channel into qemu (running on the host),
> which uses the spice server calls to decode the data, and then it writes
> the data to a virtual character device that appears in the guest as a
> USB CCID device. RawHide detects that and treats it as a 'real' hardware
> device.
>
> How am I doing so far? Is that about right?

Yes. But just note that spice-server doesn't do anything except move
bytes around. The actual protocols involved are:

qemu: ccid protocol: usb smartcard reader
spice-client via libcacard: smartcard

>
> In the XSpice case, we have no qemu. Instead, the host system runs Xorg
> against what is a virtual framebuffer, and runs the xf86-video-qxl xorg
> driver.
>
> In my use case, I've got Xorg running, with spice, and I'm just about to
> launch xdm. I'd really like to have a smartcard, if available, be part
> of the pam stack prior to launching xdm, so that it can be used by pam.
>
> Given that, how do you expect the smartcard data to flow into that Xorg
> session? I imagine that either the qxl driver, or a different utility
> (e.g. vd_agent) would be required in order to relay the smartcard data
> from the channel and into the pam stack. Is there something I'm missing?

You are fine with only apps using pam_pkcs11 (i.e. anything using pam)
using the smartcard? If so, your direction makes sense. But the protocol
is very low level for that - it passes what the CCID expects to get from
the card. In the guest there is a CCID driver (there are multiple, but
for coolkey I tested pcsclite http://pcsclite.alioth.debian.org/ccid.html ),
which is consumed by coolkey via winscard.h and uses pcscd.

There are a few things you can do:

1. same components, minus usb bus
   nss-libcacard-APDU-[:removed: ccid_device]-[:removed: usb bus]-[:removed: usb bus driver]-[:new: spiceccid pcsc module]-pcscd-pam_pkcs11/coolkey
2. new protocol - I guess you ruled that out already.
3. pam module consuming APDUs from card - what you proposed - same as 1
   but using a pam module to consume the APDUs.

>
>>
>>>
>>> It looks to me that this should be possible. My research suggests
>>> that pam_pkcs11 is pluggable, and that it should be possible to write
>>> a module that would receive the cert information.
>> pam_pkcs11 uses pluggable PKCS #11 modules (which also work in firefox
>> and other NSS applications). You would have to install this module in
>> your guest, however. I think redirecting the CCID USB data would be
>> easier, though.
>
> Yeah, I saw that ccid was also pluggable, and I begin to see why that
> would be a better layer to plug into. (Saves me the hassle of parsing
> the cert data, right?)
>
> Cheers,
>
> Jeremy
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel