WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] PKCS#11 passthrough for Smartcards

Hi,

I think the problem is that for the majority of usecases Xen is
employed in there is little if not absolutely no physical access to
the hypervisors.
As such physical authentication and authorization methods don't seem
to be of much interest to the majority of the userbase.

You indicated KVM has support for it and to me this makes alot of
sense. KVM is much more a desktop hypervisor, you were generally going
to be able to reach down and plug your smart card in to auth to a
virtual machine etc. Xen is generally not often used for this same
usecase but there are a small number of people in the Xen community
that do however - you will find alot of them on the xen-devel list as
I noted.
I don't see KVM and Xen as competing at all but rather complementary,
Xen for servers, KVM for desktops.

I suggest you post to xen-devel to see if anyone is working on it
already or to find someone willing to help you implement it.

Joseph.

On 12 May 2011 06:18,  <J.Witvliet@xxxxxxxxx> wrote:
>
>
> -----Original Message-----
> From: Joseph Glanville [mailto:joseph.glanville@xxxxxxxxxxxxxx]
> Sent: woensdag 11 mei 2011 18:01
> To: Witvliet, J, CDC/IVENT/OPS/I&S/HIN
> Cc: xen-users@xxxxxxxxxxxxxxxxxxx; hwit@xxxxxxxxxxx
> Subject: Re: [Xen-users] PKCS#11 passthrough for Smartcards
>
> Hi,
>
> As far as I am aware this isn't supported - it would require a 
> paravirtualised backend to be possible. I think I have seen you request it a 
> few times and noone is yet to reply. You could try the xen-devel list to see 
> if anyone has been working on one but once again, I doubt it.
> Have you had any luck with KVM or the other hypervisors? This seems like a 
> much more "desktop" feature so you might be better off looking at a less 
> server consolidation oriented hypervisor if that makes sense.
>
> Joseph.
>
> On 11 May 2011 23:34,  <J.Witvliet@xxxxxxxxx> wrote:
>>
>> Hi all,
>>
>> Someone mentioned today to me, that the "competing virtualisation product"
>> is capable of doing PKCS-forwarding towards a virtual client.
>>
>> So, my question here, does XEN supports PKCS-passthrough?
>> As i also need my smartcard locally (on the hypervisor), i can not use
>> neither pci nor usb-forwarding....
>>
>>
>> Hans
>>
>
> Hi Joseph,
>
> It's strange that in a world that is "conceived as" more insecure, devices 
> like tokens and smartcard are not becoming mainstream.
> RedHat can currently do virtualisation af an (USA) CAC-card for their KVM.
> And it looks like a business-case is being made to alter their code to 
> support generic smartcards.
> As a longterm SuSE/XEN user, it is something i'm not all to pleased about.
>
> Bit in generally, from the response, it looks like nobody is interested in it 
> at all.
>
> Actually, i'm beginning to contemplate in another direction: the possibility 
> for accessing via the opensc-libs a reader&smartcard on a remote node in 
> general, not just between a virtualmachine hoster/clients.
> If i can pull it off, it would not only be usable for any virtuaization 
> technique, but also for any remote desktops, like vnc, nomachine, etc etc.
>
> But i just want to be shure that this isn't done yet, or just to be released: 
> time is precious.....
>
>
> Hans
>
> ______________________________________________________________________
> Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet 
> de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt 
> u verzocht dat aan de afzender te melden en het bericht te verwijderen. De 
> Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die 
> verband houdt met risico's verbonden aan het elektronisch verzenden van 
> berichten.
>
> This message may contain information that is not intended for you. If you are 
> not the addressee or if this message was sent to you by mistake, you are 
> requested to inform the sender and delete the message. The State accepts no 
> liability for damage of any kind resulting from the risks inherent in the 
> electronic transmission of messages.
>



-- 
Kind regards,
Joseph.
Founder | Director
Orion Virtualisation Solutions | www.orionvm.com.au | Phone: 1300 56
99 52 | Mobile: 0428 754 846

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>