[Spice-devel] Help with SmartCards and XSpice

Robert Relyea rrelyea at redhat.com
Wed Jul 23 17:20:10 PDT 2014


On 07/22/2014 12:41 PM, Jeremy White wrote:
> I'm hoping to get some guidance / clue bats / shock and horror in 
> implementing Smart Card support for XSpice clients.
>
> I think I have a tentative, but sufficient grasp of how the Smart Card 
> stuff flows from the client into the server.  It's not quite as clear 
> how the server bridges it into qemu, but I think I have the gist of it.
>
> However, that doesn't work for XSpice sessions.

I'm not sure why it shouldn't. The qemu portion simply forwards the CCID 
APDUs from the host. Spice has libcacard which translates the CAC 
requests into calls against your PKCS #11 token on your client side.

>
> It looks to me that this should be possible.  My research suggests 
> that pam_pkcs11 is pluggable, and that it should be possible to write 
> a module that would receive the cert information.

pam_pkcs11 uses pluggable PKCS #11 modules (which also work in Firefox 
and other NSS applications). You would have to install this module in 
your guest, however. I think redirecting the CCID USB data would be 
easier, though.

>
> So presuming I have a module hook ready to receive certs, the next 
> question is how to get them there.
>
> The way that 'feels' right to me is to extend the Linux vd_agent to 
> receive the smart card traffic, and so it is then vd_agent that 
> communicates with my hypothetical pam hook.
>
> The alternate would be to put it into the spiceqxl_drv.so.  That seems 
> less ideal, but would probably be less code, and wouldn't require 
> messing with the vdagent protocol.
>
> Thoughts?  Comments?  Clue bats?
>
> Thanks,
>
> Jeremy

