Smartcard authentication
Include OpenSC in Ubuntu for smartcard authentication
Blueprint information
- Status: Complete
- Approver: Martin Pitt
- Priority: Low
- Drafter: Gary Ekker
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Martin Pitt
Whiteboard
[TeTeT]: MIR for opensc, we need this supported by platform due to demand in corporate world
[TeTeT]: In general the smartcard stack (opensc, pcscd) needs to be injected into the upstart boot sequence; as pcscd seems to take a while for initialization, I heard reports from a customer that on an SSD gdm is up before pcscd is ready
[TeTeT]: code refresh to 0.12.2.
Notes:
- This was discussed last UDS
- Not much work needed to integrate this with Ubuntu
- Need a driver for each implementation, but all drivers are currently in the archive
* Main? Universe?
- Often the card readers are integrated into the laptop, but it can be a USB dongle as well.
- Omnikey is the most common manufacturer identified
* Supported by current drivers
- Any current customers are using proprietary software for programming the cards
- Schlumberger makes cards that can be programmed from Linux
* Actually that unit was sold to Gemalto - http://
* Not clear whether it is still supported in Linux
* http://
Technology choices:
- OpenSC - http://
- PCSC-lite - http://
- Not clear what the difference is here
- There are patches in gnome-screensaver to detect the removal of the smartcard
* Locks the screen immediately
- Gooze - http://
Use cases:
- PKINIT with Kerberos
- NTLMv2 or Kerberos in RDP Network Level Authentication
- smartcard device redirection
- authentication -- lightdm
For LightDM:
- How do we do test cases?
* Even if we can get devs a smartcard, what do they auth against?
* We do have some hardware in Canonical, so there are resources for testing and debugging
- What is the user experience when using a smart card?
* The user experience depends on the PAM implementation, so this would require Design work if implemented
- There was already a session earlier this week to handle the PAM stuff
- Probably need to go through ConsoleKit for lockscreen support
Work items:
- [etienne] Define a team to support the effort
- [etienne] Investigate overlap of capabilities in OpenSC and PCSC-lite
- [etienne] Find a card that works with Linux
- [etienne] Create some test cases
- [ ] MIR for OpenSC
- [ ] MIR for OpenCT
- [ ] MIR for PCSC-lite