[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin

Stanislav Brabec sbrabec at suse.cz
Mon Dec 8 13:15:58 UTC 2014


Dne 6.12.2014 v 11:52 Ludovic Rousseau napsal(a):

>> It is not ugly, it is a description of a best case scenario. There are
>> multiple scenarios where that would break a lot of things if a user don't
>> enter a password at the prompt. I'd suggest to keep that patch system
>> specific.

If the user does not enter password, applications will stop until it 
happens or until user presses Cancel.

> Nikos, Stanislav, can you agree on a default configuration + code that
> should be provided in the "official" pcsc-lite archive?

For me:

If you decide to revert the first patch, then you should not use 
unsupported auth_admin in the proposed default configuration, suggest 
"no:no:yes", and mention, that challenge/response is intentionally not 
supported at all.

If you decide to keep the first patch, I would propose no:no:yes as 
well, and mention the delay/hang issue, when admin decides to use 
challenge/response authentication (auth_admin, auth_admin_keep, 
auth_user, auth_user_keep).

> If yes, which configuration is it?

The default configuration should be definitely no:no:yes, independently 
on the first patch:  only locally logged user at the active console is 
permitted to use smart card. All other users (user logged on inactive 
local console, user logged remotely) are not permitted.

Applying the first patch only changes behavior of challenge/response 
authentication:

- without the patch: "auth_*" will be handled as "no".

- with the patch: Auth request pop-up will appear. Support of it is not 
perfectly (especially auth-and-forget "auth_admin" and "auth_user" cause 
multiple pop-ups), but if the application survives delays in the check, 
whether the user is authorized to use reader or card, it works 
acceptably well.

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarská 1060/12                            tel: +49 911 7405384547
190 00 Praha 9                                 fax:  +420 284 084 001
Czech Republic                                    http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76



More information about the Pcsclite-muscle mailing list