Smartcard authentication

Registered by Gary Ekker

Include OpenSC in Ubuntu for smartcard authentication

Blueprint information

Status: Complete
Approver: Martin Pitt
Priority: Low
Drafter: Gary Ekker
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Martin Pitt

Whiteboard

[TeTeT]: MIR for opensc, we need this supported by platform due to demand in corporate world
[TeTeT]: In general the smartcard stack (opensc, pcscd) needs to be injected into the upstart boot sequence; as pcscd seems to take a while for initialization, I heard reports from a customer that on an SSD gdm is up before pcscd is ready
[TeTeT]: code refresh to 0.12.2.

Notes:
- This was discussed last UDS
- Not much work needed to integrate this with Ubuntu
- Need a driver for each implementation, but all drivers are currently in the archive
    * Main? Universe?
- Often the card readers are integrated into the laptop, but it can be a USB dongle as well.
- Omnikey is the most common manufacturer identified
    * Supported by current drivers
- Any current customers are using proprietary software for programming the cards
- Schlumberger makes cards that can be programmed from Linux
    * Actually that unit was sold to Gemalto - http://www.gemalto.com/index.html
    * Not clear whether it is still supported in Linux
    * http://www.gemalto.com/products/dotnet_card/

Technology choices:
- OpenSC - http://www.opensc-project.org/opensc/wiki/SupportedHardware
- PCSC-lite - http://pcsclite.alioth.debian.org/pcsclite.html
- Not clear what the difference is here
- There are patches in gnome-screensaver to detect the removal of the smartcard
    * Locks the screen immediately
- Gooze - http://www.gooze.eu/

Use cases:
- pkinit with Kerberos
- NTLMv2 or Kerberos in RDP Network Level Authentication
- smartcard device redirection
- authentication -- lightdm

For LightDM:
- How do we do test cases?
    * Even if we can get devs a smartcard, what do they auth against?
    * We do have some hardware in Canonical, so there are resources for testing and debugging
- What is the user experience when using a smart card?
    * The user experience depends on the PAM implementation, so this would require Design work if implemented
- There was already a session earlier this week to handle the PAM stuff
- Probably need to go through ConsoleKit for lockscreen support

Work items:
 - [etienne] Define a team to support the effort
 - [etienne] Investigate overlap of capabilities in OpenSC and PCSC-lite
 - [etienne] Find a card that works with Linux
 - [etienne] Create some test cases
 - [ ] MIR for OpenSC
 - [ ] MIR for OpenCT
 - [ ] MIR for PCSC-lite
