[ale] Smart cards

Michael H. Warfield mhw at WittsEnd.com
Sun Oct 9 14:53:17 EDT 2011


On Thu, 2011-10-06 at 15:28 -0400, Michael B. Trausch wrote: 
> Hello,
> 
> I'm doing some looking at an idea, but I am having a hard time finding
> information.  I want to toy with the idea of creating a sign-on system
> using smart cards; something where you don't even need a username.  I
> know that this is possible for Web applications with relative ease,
> but I would like to cook up something that'd be useful for distributed
> administrative management.  For example, I could use a smart card to
> authenticate to my home network when I'm away from home, and my laptop
> (or whatever computer I am at) would only be allowed to access certain
> resources on my home network when a valid and non-revoked card
> (certificate) is used.

> I've read quite a bit about _how_ to get the software to do such
> things, but the important question is the one that I don't have an
> answer to.  I want cards that can be setup with keys and used from
> both Linux and Windows systems without a great deal of effort.  Is
> that actually possible?  Shouldn't I be able to have a card and a USB
> reader, for example, and be able to use my smart card to access a Web
> site, or SSH connection, or whatever, without having to worry about
> "it won't work with system X because there isn't a library for it" or
> whatever?

You might want to look into the CoolKey and 389 directory server stuff.
Looks like they have some stuff for Windows as well as Linux.  There are
also instructions for pam_pkcs11 (which was the module I could NOT
remember, when I mentioned the pam_usb stuff earlier).  I haven't worked
with the CoolKey stuff personally.  If you can get the CoolKey drivers
and SSP (Security Service Provider) working under Windows, it looks like
that should cover the vast majority of what you are looking for and you
won't have to install keys in two different formats on the cards or use
the Aladdin software (other than the middleware drivers).  Get the
Kerberos integration in there and I think it will do what you want to
do.

http://directory.fedoraproject.org/wiki/CoolKey

http://docs.fedoraproject.org/en-US/Fedora/14/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO.html

> Or are the only options for such a thing truly to order from out of
> the country?

In all that documentation, any references to "Schlumberger", "Axalto",
"Gemalto", "Gemplus", or "Cyberflex", can be read as the Aladdin eToken
Pros which you can purchase from CDW on-line.  Schlumberger sold their
smartcard business to Atos Origin which spun it off as Axalto.  That
later merged with Gemplus forming Gemalto.  The Gemalto eGate cards and
tokens are now the Aladdin eTokens.  Same line of products.  The Gemalto
stuff specifically referred to the credit card format smartcards.
Unless you are talking about users with a dozen or more smart cards only
requiring a single reader, it's almost impossible to justify the expense
of the reader with the cheaper cards vs the slightly more expensive
equivalent USB based tokens.

> --- Mike

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!