smart card authentication with Linux?
John Abreau
jabr at blu.org
Mon Nov 14 15:59:00 EST 2005
Paul Lussier wrote:
> Yes, many of the systems we need to access are not allowed to make
> connections to the internet. We need to ssh into a "secure" bastion
> host between the internet and the company's intranet. From there we
> can ssh into the system we need to service.
It sounds like OpenVPN would fit here. Run the OpenVPN server on your
bastion host; it allows access for clients that have SSL certificates
signed by the same CA that signed the server certificate. When someone
leaves the company, add their certificate to the server's revocation
list, and they no longer have access.
You'd still use ssh to connect; just set up iptables on the VPN server
so it only allows ssh on the tap0 interface, and then only VPN users can
reach port 22.
--
John Abreau / Executive Director, Boston Linux & Unix
ICQ 28611923 / AIM abreauj / JABBER jabr at jabber.org / YAHOO abreauj
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
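The setup John describes, written out as an added example (this is not code from the original post or from the OpenVPN project): a server config that only accepts clients whose certificates are signed by the bastion's CA and are not on the CRL, an iptables ruleset that exposes ssh on tap0 only, and a revocation step for departed users. The file paths, the easy-rsa 2 layout, the 10.8.0.0/24 VPN subnet and the eth0/tap0 interface names are assumptions; adjust them to the host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: OpenVPN 2.x,
# PKI files under /etc/openvpn, easy-rsa 2 under /etc/openvpn/easy-rsa,
# eth0 facing the internet, tap0 as the VPN interface.

VPN_DIR=${VPN_DIR:-/etc/openvpn}
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tap0}

# Print the bastion's server.conf. Clients must present a certificate
# signed by ca.crt that is not listed in crl.pem; OpenVPN re-reads the CRL
# file for each new connection, so revocation needs no restart.
# remote-cert-tls client additionally rejects a client that presents a
# stolen *server* certificate from the same CA.
openvpn_server_conf() {
  cat <<EOF
port 1194
proto udp
dev $VPN_IF
ca $VPN_DIR/ca.crt
cert $VPN_DIR/bastion.crt
key $VPN_DIR/bastion.key
dh $VPN_DIR/dh2048.pem
crl-verify $VPN_DIR/crl.pem
tls-auth $VPN_DIR/ta.key 0
remote-cert-tls client
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Print an iptables-restore ruleset: default DROP on INPUT, OpenVPN's UDP
# port open on the internet-facing interface, and ssh (tcp/22) accepted
# only when it arrives on the VPN interface. Outbound ssh from the
# bastion into the intranet is unaffected (OUTPUT stays ACCEPT).
bastion_firewall_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
-A INPUT -i $VPN_IF -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Count how many ACCEPT rules open tcp/22 on interfaces other than the VPN
# interface; the intended answer is 0.
ssh_rules_outside_vpn() {
  bastion_firewall_rules | grep -- '--dport 22' | grep -vc -- "-i $VPN_IF"
}

# Revoke a departed user's client certificate with easy-rsa 2 and install
# the regenerated CRL where server.conf expects it. revoke-full ends with
# an openssl verify that reports "certificate revoked"; that message is
# the expected confirmation.
revoke_client() {
  ( cd "$EASYRSA_DIR" && . ./vars && ./revoke-full "$1" )
  cp "$EASYRSA_DIR/keys/crl.pem" "$VPN_DIR/crl.pem"
}

# Usage (not run on load):
#   openvpn_server_conf    > /etc/openvpn/server.conf
#   bastion_firewall_rules | iptables-restore
#   revoke_client plussier
```

Apply the ruleset from the console, or from a session that is already inside the VPN: with INPUT defaulting to DROP and tcp/22 accepted only on tap0, an ssh session over eth0 is cut off the moment the rules load. The `grep -vc` check is cheap insurance against a later edit that quietly adds a `--dport 22` rule on the public interface.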