[ale] Smart cards

Michael Trausch mike at trausch.us
Thu Oct 6 16:11:32 EDT 2011


Just to clarify, I am not specifically looking for an OpenPGP smartcard...
anything that'll do for auth is fine.
On Oct 6, 2011 3:57 PM, "David Tomaschik" <david at systemoverlord.com> wrote:
> On Thu, Oct 6, 2011 at 3:28 PM, Michael B. Trausch <mike at trausch.us> wrote:
>> Hello,
>>
>> I'm doing some looking at an idea, but I am having a hard time finding
>> information.  I want to toy with the idea of creating a sign-on system
>> using smart cards; something where you don't even need a username.  I
>> know that this is possible for Web applications with relative ease,
>> but I would like to cook up something that'd be useful for distributed
>> administrative management.  For example, I could use a smart card to
>> authenticate to my home network when I'm away from home, and my laptop
>> (or whatever computer I am at) would only be allowed to access certain
>> resources on my home network when a valid and non-revoked card
>> (certificate) is used.
>>
>> I've read quite a bit about _how_ to get the software to do such
>> things, but the important question is the one that I don't have an
>> answer to.  I want cards that can be set up with keys and used from
>> both Linux and Windows systems without a great deal of effort.  Is
>> that actually possible?  Shouldn't I be able to have a card and a USB
>> reader, for example, and be able to use my smart card to access a Web
>> site, or SSH connection, or whatever, without having to worry about
>> "it won't work with system X because there isn't a library for it" or
>> whatever?
>>
>> Or are the only options for such a thing truly to order from out of
>> the country?
>>
>>    --- Mike
>
>
> Mike,
>
> I can't address absolutely everything in your post, but I'll address
> what I can. The scope of your problem is bigger than the scope of my
> knowledge, but hopefully I can get you started.
>
> So, first off, there are MANY sources for smartcards. However, the
> only source for smartcards that have software that complies with the
> OpenPGP/GPG spec is Kernel Concepts in Germany. (I know you didn't
> ask specifically about OpenPGP, but I'll get to that below.) The
> readers are fairly standard and are commonly sold in the States for
> use with the US Military CAC cards.
>
> For the OpenPGP/GPG smartcards, you can use gpg-agent as a drop-in
> replacement for SSH agent and use an authentication-capable key from
> the smartcard for SSH authentication. You can also use libpam-poldi
> to enable local PAM authentication using the smartcard.
>
> As far as using it for problems outside the realm of PAM and SSH,
> well, I haven't tried those. I haven't even found a way to do webapp
> authentication via GPG smartcard. (I know you can do it with X.509,
> but I'd rather use one key & one card for everything.)
>
> Let me know what you find -- I'd be interested to know.
>
> --
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
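
The gpg-agent-as-SSH-agent setup mentioned in the quoted reply, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later and OpenSSH; the function names are hypothetical, and the filter relies on gpg-agent labelling card-resident keys with a `cardno:<serial>` comment.

```shell
#!/bin/sh
# Added example: route SSH authentication through gpg-agent so the private
# key never leaves the OpenPGP card. Assumes GnuPG 2.1+ and OpenSSH.

# Idempotently enable gpg-agent's ssh-agent emulation in a GnuPG home dir.
enable_ssh_support() {
    gnupg_home=$1
    conf="$gnupg_home/gpg-agent.conf"
    mkdir -p "$gnupg_home" && chmod 700 "$gnupg_home" || return 1
    [ -f "$conf" ] || : > "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
}

# Read `ssh-add -L` output on stdin and print only keys served from a card.
# Software keys loaded into the agent carry other comments and are dropped,
# so only hardware-backed keys end up in authorized_keys.
card_keys() {
    awk '$3 ~ /^cardno:/ { print }'
}

# Interactive use (needs a reader and an inserted card).
use_card_for_ssh() {
    enable_ssh_support "${GNUPGHOME:-$HOME/.gnupg}" || return 1
    gpgconf --kill gpg-agent                    # restart so the option is read
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpg --card-status >/dev/null || return 1    # starts the agent, checks the card
    ssh-add -L | card_keys                      # public key for authorized_keys
}
```

Calling `use_card_for_ssh` in a login shell prints the card's public authentication key; appending that line to `~/.ssh/authorized_keys` on the server is what ties the login to the card.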