smart card authentication with Linux?

Paul Lussier p.lussier at comcast.net
Mon Nov 14 20:54:01 EST 2005


Ben Scott <dragonhawk at gmail.com> writes:

>   So let me get this straight.  You want an authentication mechanism
> which does not require central coordination, but allows rejection of
> compromised keys.  How are the auth clients going to determine when a
> key is compromised, then?  Use the Force or something?  :)  Seriously,
> I don't think what you're asking for is possible.  If you want auth
> clients to reject compromised keys, they have to get a Compromised Key
> List from *somewhere*.

So, it seems to me that one could have a hardware-based solution which
allows you to generate one-time passphrases based on some known
factor, i.e. a PIN, and a sequence number.

The card only needs just enough intelligence to create a passphrase
based on a sequence number and a user-designated secret, i.e. password
or PIN. This is how S/Key works. I'm just looking for a hardware-based
S/Key implementation where the *card* is the authorized entity, not
the person.  I want something that's "easy" to take away.

Obviously, if the card itself is compromised, whether lost, stolen, or
not returned, we have the same problem as we do now with SSH keys.
What I'm looking for is something that when an honest person leaves
the company, or switches out of a position where this type of access
is required, the card can then be passed on to another person without
necessitating the change of keys on all customer systems.

-- 

Seeya,
Paul
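As an added illustration of the S/Key-style scheme Paul describes (not code from the original post or from any S/Key implementation), the following shows a hash chain keyed by a PIN and walked backwards by sequence number, with the verifier storing only the last accepted value. SHA-256 stands in for the original S/Key hash, and the PIN, seed and counts are constructed values.

```python
import hashlib
import hmac

# Added example: an S/Key-style hash-chain one-time password scheme.
# SHA-256 replaces the original S/Key hash; PIN, seed and counts are constructed.

def otp_for(secret: bytes, seed: bytes, n: int) -> bytes:
    """Card/client side: H^n(secret || seed), the one-time password for sequence number n."""
    value = hashlib.sha256(secret + seed).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

class SKeyVerifier:
    """Server side: stores only the last accepted chain value, never the secret."""
    def __init__(self, seed: bytes, count: int, last_value: bytes):
        self.seed = seed
        self.count = count          # sequence number of last_value
        self.last = last_value      # H^count(secret || seed), set at enrolment

    def verify(self, candidate: bytes) -> bool:
        if self.count == 0:
            return False            # chain exhausted; re-enrol with a fresh seed
        # A valid password is the preimage of the stored value.
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.last):
            self.last = candidate   # advance the chain; the old value is now useless
            self.count -= 1
            return True
        return False

def enroll(secret: bytes, seed: bytes, n: int) -> SKeyVerifier:
    """Enrolment: the server receives H^n only; it never sees the PIN/secret."""
    return SKeyVerifier(seed, n, otp_for(secret, seed, n))

def demo() -> list[bool]:
    pin, seed = b"1234", b"constructed-seed"      # constructed values
    server = enroll(pin, seed, 100)
    return [
        server.verify(otp_for(pin, seed, 99)),     # first login: True
        server.verify(otp_for(pin, seed, 99)),     # replayed password: False
        server.verify(otp_for(pin, seed, 98)),     # next in sequence: True
        server.verify(otp_for(b"0000", seed, 97)), # wrong PIN: False
    ]

if __name__ == "__main__":
    print(demo())  # [True, False, True, False]
```

Note that nothing in the verifier identifies which card produced a password, which is the point Ben raises: handing the card to a new holder changes nothing server-side, but revoking a lost card still requires telling every verifier to drop that chain.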
