<J.Witvliet@mindef.nl>
2011-May-11 13:34 UTC
[Xen-users] PKCS#11 passthrough for Smartcards
Hi all,

Someone mentioned today to me, that the "competing virtualisation product" is capable of doing PKCS-forwarding towards a virtual client.

So, my question here, does XEN support PKCS-passthrough?
As I also need my smartcard locally (on the hypervisor), I can use neither PCI nor USB forwarding....

Hans

______________________________________________________________________
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi,

As far as I am aware this isn't supported - it would require a paravirtualised backend to be possible. I think I have seen you request it a few times and no one is yet to reply. You could try the xen-devel list to see if anyone has been working on one but once again, I doubt it.

Have you had any luck with KVM or the other hypervisors? This seems like a much more "desktop" feature so you might be better off looking at a less server-consolidation-oriented hypervisor if that makes sense.

Joseph.

--
Kind regards,
Joseph.
Founder | Director
Orion Virtualisation Solutions | www.orionvm.com.au | Phone: 1300 56 99 52 | Mobile: 0428 754 846
<J.Witvliet@mindef.nl>
2011-May-11 20:18 UTC
RE: [Xen-users] PKCS#11 passthrough for Smartcards
-----Original Message-----
From: Joseph Glanville [mailto:joseph.glanville@orionvm.com.au]
Sent: Wednesday 11 May 2011 18:01
To: Witvliet, J, CDC/IVENT/OPS/I&S/HIN
Cc: xen-users@lists.xensource.com; hwit@a-domani.nl
Subject: Re: [Xen-users] PKCS#11 passthrough for Smartcards

Hi Joseph,

It's strange that in a world that is "conceived as" more insecure, devices like tokens and smartcards are not becoming mainstream.
Red Hat can currently do virtualisation of a (USA) CAC card for their KVM.
And it looks like a business case is being made to alter their code to support generic smartcards.
As a long-term SuSE/XEN user, it is something I'm not all too pleased about.

But in general, from the response, it looks like nobody is interested in it at all.

Actually, I'm beginning to contemplate another direction: the possibility of accessing, via the opensc-libs, a reader and smartcard on a remote node in general, not just between a virtual machine hoster/clients.
If I can pull it off, it would not only be usable for any virtualization technique, but also for any remote desktops, like vnc, nomachine, etc etc.

But I just want to be sure that this isn't done yet, or just about to be released: time is precious.....

Hans
Hi,

I think the problem is that for the majority of use cases Xen is employed in there is little if not absolutely no physical access to the hypervisors. As such physical authentication and authorization methods don't seem to be of much interest to the majority of the user base.

You indicated KVM has support for it and to me this makes a lot of sense. KVM is much more a desktop hypervisor, you were generally going to be able to reach down and plug your smart card in to auth to a virtual machine etc.

Xen is generally not often used for this same use case but there are a small number of people in the Xen community that do however - you will find a lot of them on the xen-devel list as I noted.

I don't see KVM and Xen as competing at all but rather complementary, Xen for servers, KVM for desktops.

I suggest you post to xen-devel to see if anyone is working on it already or to find someone willing to help you implement it.

Joseph.

--
Kind regards,
Joseph.