smart card authentication with Linux?

Paul Lussier p.lussier at comcast.net
Mon Nov 14 15:35:01 EST 2005


Ben Scott <dragonhawk at gmail.com> writes:

>   So let me get this straight.  You want an authentication mechanism
> which does not require central coordination, but allows rejection of
> compromised keys.  How are the auth clients going to determine when a
> key is compromised, then?  Use the Force or something?  :) 

Generate them based on a sequence number similar to S/Key.

>   It seems to me that the "hardware-based" part of this is just an
> attempt to reduce the likelihood of a key being compromised.  You're
> assuming that the hardware key will be more likely to be turned in,
> and more likely to be resistant to duplication.  Sure, you're probably
> right on both counts, but "more likely" is not the same as "absolutely
> assured".  Ultimately, you still have to solve the compromised key
> problem.

Correct.

>   Is there a reason the auth clients can't automatically download a
> signed CKL from the 'net?

Yes, many of the systems we need to access are not allowed to make
connections to the internet.  We need to ssh into a "secure" bastion
host between the internet and the company's intranet.  From there we
can ssh into the system we need to service.
-- 

Seeya,
Paul
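The S/Key-style sequence scheme mentioned in the reply above, as an added example that is not part of the original thread: a hash chain where the verifier stores only the last accepted value and its sequence number, so it can check the next one-time value offline with no connection to a central server, while a replayed or out-of-order value is rejected. The seed, chain length and class names are constructed for illustration.

```python
import hashlib
import hmac


def skey_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] for an n-step chain (constructed helper)."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class SKeyVerifier:
    """Offline verifier: keeps only h^seq(seed), never the seed itself."""

    def __init__(self, anchor: bytes, seq: int):
        self.anchor = anchor  # h^seq(seed), published at enrolment
        self.seq = seq        # remaining one-time values

    def verify(self, otp: bytes) -> bool:
        # The next valid value is the direct preimage of the stored anchor,
        # i.e. h^(seq-1)(seed). Anything else (replay, skip, garbage) fails.
        if self.seq == 0:
            return False  # chain exhausted; re-enrolment required
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.anchor):
            self.anchor = otp  # walk the chain one step back
            self.seq -= 1
            return True
        return False


def demo() -> dict:
    """Exercise the verifier on a constructed 5-step chain."""
    seed = b"constructed-secret-seed"  # constructed; a real seed is random
    n = 5
    chain = skey_chain(seed, n)
    verifier = SKeyVerifier(chain[n], n)
    return {
        "first": verifier.verify(chain[n - 1]),   # accepted
        "replay": verifier.verify(chain[n - 1]),  # rejected: already consumed
        "second": verifier.verify(chain[n - 2]),  # accepted
        "skip": verifier.verify(chain[n - 4]),    # rejected: not the direct preimage
    }


if __name__ == "__main__":
    print(demo())
```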
