Is there a way to tell IGEL OS to only use a specific smartcard device for login?


We’re trying to use Igel Smartcards for Login, but one of the clients also has a USB hardware token with a cert stored on it.

When both are inserted, the login hangs for as long as the dongle is connected; only when it’s removed is the Smartcard used and login proceeds.

Is there a way to tell Igel to only use a specific device for login (the client is running 10.06.130)?

Thanks!


Hi Florian, I don’t think so tbh. But we could create a script which unbinds the USB device and rebinds it after logon. Never tried on Igel, but might work. Which Vendor / Product ID does the device show when issuing lsusb in a terminal?


The device is listed as: ID 08e6:3438 Gemalto (was Gemplus) GemPC Key SmartCard Reader


Thank you! Can you check if enabling USB ACL:

kb.igel.com/igelos-11.03.500/en/how-to-configure-usb-access-control-27246267.html

Make the standard rule ALLOW, and create a device rule that matches your client, set to deny.

Does that work after applying and a reboot? If yes, we could remove the rule after login and give the device back for work.


Sorry for not getting back sooner, still in home-office, so I didn’t get the chance to try out your suggestion quite yet. I hope to test it out next week, if possible. Thank you for helping, in the meantime.

Hi, I finally tried your suggestion.

It seems the way disabling devices is implemented in Igel OS just unbinds the kernel driver for a given device. That doesn’t stop pcscd from accessing the device, since it uses its own drivers, apparently.

But you gave me the idea to try a custom script, so I added a quick bash script to `custom_cmd_x11_early` and `custom_cmd_x11_final` respectively disabling and re-enabling the device via the `/sys` filesystem (will attach the script separately).

It does solve the problem of logging in via the right smart card reader, but with pcscd occupying the devices, they can’t seem to be forwarded in an RDP session – but I will start a new thread for that.
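The script mentioned in the post above is not included on this page; the following is an added example, not the poster's script, of how a reader could be switched off before login and back on afterwards through `/sys`. It assumes the USB `authorized` sysfs attribute is the mechanism used (unlike a driver unbind, deauthorizing also hides the device from user-space drivers such as pcscd), that the script runs as root, and that it is called with `disable` from `custom_cmd_x11_early` and `enable` from `custom_cmd_x11_final`; the function names and the `SYSFS_USB` override are hypothetical.

```shell
#!/bin/sh
# Added example, not the script from the thread.
# Assumption: the reader is toggled via the USB "authorized" sysfs attribute.
USB_ID="${USB_ID:-08e6:3438}"                    # vendor:product from the lsusb output above
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"   # hypothetical override, useful for dry runs

# Print the sysfs directory of every USB device matching vendor:product.
# Interface nodes (e.g. 1-2:1.0) have no idVendor file and are skipped.
find_usb_devices() {
    vid=${1%%:*}; pid=${1##*:}
    for dev in "$SYSFS_USB"/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        [ "$(cat "$dev/idVendor")" = "$vid" ] || continue
        [ "$(cat "$dev/idProduct")" = "$pid" ] || continue
        printf '%s\n' "$dev"
    done
}

# set_usb_authorized <vendor:product> <0|1>
# Returns 0 if at least one matching device was updated, 1 if none was found
# or the write failed, 2 on a bad state argument.
set_usb_authorized() {
    case "$2" in 0|1) ;; *) echo "state must be 0 or 1" >&2; return 2 ;; esac
    found=1
    for dev in $(find_usb_devices "$1"); do
        printf '%s\n' "$2" > "$dev/authorized" || return 1
        found=0
    done
    return $found
}

# Called with "disable" before login and "enable" after it; no argument = no action.
case "${1:-}" in
    disable) set_usb_authorized "$USB_ID" 0 ;;
    enable)  set_usb_authorized "$USB_ID" 1 ;;
esac
```

Matching on the vendor:product ID rather than a fixed bus path keeps the script working when the token is plugged into a different port.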
