smart card login with multiseat using PAM - cannot map device to session

Julian Bui julianbui at gmail.com
Mon Oct 12 20:04:35 UTC 2009


Hi all,

I want to know if anyone has done this successfully or if this functionality
even exists with PAM.

I am currently using CentOS 5.3 and pam_pkcs11 with a multi-seat setup (one
machine, two video outs, two sets of keyboards and mice, to have two users
running off the same machine).

Currently, the multi-seat setup allows me to map the two keyboard/mouse
pairs to the two monitors.  The multiseat service allows me to specify a USB
hub that is specific to a terminal, so I can specify USB bus port 5-1 to my
first display and 5-2 to my second display, for example, so that each user
has his own keyboard & mouse.

To extend that idea, I have put a USB smart card reader on each port.

This, however, does not work.

Person A, at station A, plugs his CAC card into smart card reader A
and the OS/session manager asks him for his PIN.  This works and allows him
to log in using the CAC card, BUT when you look at station B, station B's
session manager is now also asking for the smart card PIN even though he has
not even put in his CAC... It would seem like the authentication module linked
to the login module does not allow you to map an authentication device to a
session.

Has anyone gotten something like this to work?  Does anyone use PAM &
multiseat?  Is this even possible with the latest version of PAM?  Is this a
problem with PAM or something with a KDE manager or maybe coolkey or maybe
the enterprise smart card module (ESC)?

I would really appreciate any help I can get.

Thanks,
Julian