[Muscle] multiuser pcscd?

Paul Klissner Paul.Klissner at Sun.COM
Sun Jul 20 02:04:39 PDT 2008


Hi Harald,

I'm heading out on vacation and it's late, so I don't have the
URL to the branch of the svn repository where the code I integrated
a while ago is, but if you poke around you'll find a Solaris implementation
that handles most of the issues you're describing, which we'd like to try to
port to Linux and ultimately merge with the trunk, although there is
a substantial amount of effort to do that and no specific timeframe yet.

In that directory is an architectural document you may want to review
to understand the model and see how well it fits your needs.

On Solaris with Sun Ray Windows connector, we use it to handle
smart card transactions over a large number of RDP sessions.

If you want to participate in the effort to make this code
more platform neutral and work toward getting it into the trunk,
let me know.

Paul


On Jul 20, 2008, at 12:37 AM, Harald Milz wrote:

> Hi,
>
> I am new to this list so please bear with me ... I've been trying to find
> out if any progress has been made as far as multiuser operation of pcscd.
> There has been a discussion around Sun-Ray thinclients in 2006 but I
> haven't been able to find out if there was any result.
>
> Specifically, I want to find ways to run USB smartcard readers in a
> NoMachine (NX) environment, where many users are remotely connected
> with thinclients or Windows or Linux workstations, and working in
> Windows terminal server (i.e. RDP) sessions. (If you are unfamiliar with
> NoMachine, see http://www.nomachine.com/technology.php for a technology
> overview). The smartcards should be visible in the Windows sessions. The
> current plan involves running USB over IP (usbip.sf.net) and making the
> USB devices available within the Linux NX node environment, then using
> "rdesktop -r scard" to import the SC into the RDP session. Apart from
> the fact that the usbip project needs some more work done, I need to
> find out how I can use pcscd in a secure way when tens or even hundreds
> of users are connected to the same NX node. The major question is, how
> does the NX administrator distinguish all these card readers (which are
> potentially of the same vendor and model) virtually connected to the NX
> node in order to forward each user only her/his SC reader into their RDP
> sessions. The end users have no access to the NX node sessions per se
> when running an RDP session. So the scenario is, we have tens or hundreds
> of rdesktop processes linked against libpcsclite.so which in turn wants
> to talk with the pcscd unix domain socket.
>
> Q1: does pcscd support talking to multiple pcsc clients at the same time?
> If yes, is there an architectural limit how many?
>
>
> Q2: on the pcsc client level, how do I tell the smartcard readers apart
> when they are the same make and model, in order to build the proper
> rdesktop command for each user?
>
> Q3: has any progress been made as far as access security? In 2006 there
> were talks about running pcscd against PAM. Would that include separating
> card readers from each other, and allowing a user to see only her/his
> reader?
>
> Thanks for any insight or hint!
>
> -- 
> You might have mail


