[Pki-users] ESC doesn't recognize smartcard / standalone operation?

Dave Sirrine dsirrine at redhat.com
Thu May 21 14:15:06 UTC 2015


Bryce, 

To piggyback on what Jack was saying, I'd like to confirm your use case: that you're only using the cards to authenticate into a system. Can you confirm the cards you're using and what OS you're trying to enable?

This is a pretty solid doc on how to do this: https://docs.fedoraproject.org/en-US/Fedora//html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html 

I would recommend looking more deeply into pam_pkcs11 as it provides several mechanisms by which you can authenticate, so picking the right one for you may take some reading. Happy to help! 

----- Original Message -----

> From: "John Magne" <jmagne at redhat.com>
> To: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> Cc: pki-users at redhat.com
> Sent: Monday, May 18, 2015 1:03:45 PM
> Subject: Re: [Pki-users] ESC doesn't recognize smartcard / standalone
> operation?

> Bryce:

> I would imagine that the smart card manager relies upon coolkey to recognize cards.

> As per your other question, I think you are fine. The whole TMS system ESC/TPS is used to provision cards with the coolkey applet. For other types of cards it will do nothing but display some minor information about the token.

> ----- Original Message -----
> > From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> > To: pki-users at redhat.com
> > Sent: Saturday, May 16, 2015 3:03:17 PM
> > Subject: [Pki-users] ESC doesn't recognize smartcard / standalone
> > operation?
> >
> > My system is to the point where command line interaction with the smart card behaves as expected, as long as I use the OpenSC middleware to pam_pkcs11, and not coolkey. Using pklogin_finder asks for the PIN, verifies the certificates, and maps the user to a local system account. System details in previous thread:
> > https://www.redhat.com/archives/pki-users/2015-April/msg00041.html
> >
> > My expectation was that the “smart card manager” should pop up when the card is inserted. It doesn’t. I can type “esc” at the command line, and it says “No Cards Present” with everything greyed out. Likewise, inserting the smart card at the login prompt does nothing. There _is_ an “./escd” process running. Is ESC hardwired to use coolkey, which can’t read my card? How can I debug this?
> >
> > Final question: Am I correct to assume that my situation does not call for a TPS, TKS, or even a CA? I must not touch the info on these smart cards: Never format, never issue certs, never save, never change. My machines just need to respect a totally external PKI infrastructure: ask for PIN, verify cert against the CA bundle, and start a login session. For any of the things I would need a PKI infrastructure for, I need to make an appointment at a GSA Credentialing Center, then physically show up with two forms of ID in hand.
> >
> > Many thanks for your helpful advice!
> >
> > Bryce
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
