Re: Cac redirection through spice client

David,

Thank you! I will look into this and see if this can make a difference.

On Tue, May 19, 2015 at 10:34 AM, David Jaša <djasa@xxxxxxxxxx> wrote:
On Tue, 2015-05-19 at 15:59 +0200, David Jaša wrote:
> On Tue, 2015-05-19 at 09:00 -0400, Thomas Foster wrote:
> > David,
> >
> > While using the spice client have you put your cac into your local
> > reader?  If so, were you able to use it?  I ask because if you look
> > at my screenshots from my last email I get the same usb device
> > (usbccid), but I also get an extra device that is a problem.
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
> Hm, I think I start understanding your situation: you're using linux
> client (CentOS 7?), Windows 7 guest and the smart card doesn't work
> for you. When you write "drivers in spice client" you actually mean
> drivers for client OS. That's card-dependent. You need to have a
> "smart card middleware" installed in the system and registered in nss,
> e.g.:
>
> $ modutil -dbdir /etc/pki/nssdb -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>        slots: 2 slots attached
>       status: loaded
>
>        slot: NSS Internal Cryptographic Services
>       token: NSS Generic Crypto Services
>
>        slot: NSS User Private Key and Certificate Services
>       token: NSS Certificate DB
>
>   2. CoolKey PKCS #11 Module
>       library name: libcoolkeypk11.so
>        slots: 1 slot attached
>       status: loaded
>
>        slot: Gemalto PC Twin Reader 00 00
>       token: spice qe
>
>   3. p11-kit
>       library name: /usr/lib64/pkcs11/p11-kit-trust.so
>        slots: 2 slots attached
>       status: loaded
>
>        slot: /etc/pki/ca-trust/source
>       token: System Trust
>
>        slot: /usr/share/pki/ca-trust-source
>       token: Default Trust
> -----------------------------------------------------------
>
> Module 2. is the one that provides my smartcard, "slot: Gemalto PC
> Twin Reader 00 00" is my physical card reader. Coolkey is not,
> however, officially sanctioned in Windows (although unofficial builds
> exist)

So official builds exist as well but you'd need a Red Hat Certificate
System subscription in order to access them:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Managing_Smart_Cards_with_the_Enterprise_Security_Client/install-windows.html

David

> so if you intend to use the card in Windows, you'll need a different
> middleware for it and possibly, you'll need to register it to nss by
> hand:
>
> # modutil -dbdir /etc/pki/nssdb -add "some name for your pkcs#11 module" -libfile /usr/lib64/pkcs11/your_fancy_p11_library.so
>
> once done, the "spice client" will pick up the card automatically and
> it will show up in the working card reader in Windows with no further
> configuration.
> Alternatively, if your card doesn't have linux drivers (or it needs to
> be formatted by some Windows tool to a format specific for that
> tool...), the option for you is to use USB redirection of the whole
> card reader:
>
> Then the card won't be obviously available in the client OS but that's
> kind of irrelevant if its format needs to be incompatible with the
> client OS anyway.
> Please note also that I had to stop and mask pcscd in the client
> system in order to make the reader redirect. Note also that you'll
> need the driver for the physical reader in the guest OS in this
> scenario (the Gemalto driver for my card reader was also available
> through Windows update). The card was not recognized in my case
> because it's CoolKey/RHCS-formatted which would need the driver
> linked above in Windows:
>
>
> HTH,
>
> David

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
