smart card authentication with Linux?

Paul Lussier p.lussier at comcast.net
Mon Nov 14 21:08:01 EST 2005


John Abreau <jabr at blu.org> writes:

>> Yes, many of the systems we need to access are not allowed to make
>> connections to the internet.  We need to ssh into a "secure" bastion
>> host between the internet and the company's intranet.  From there we
>> can ssh into the system we need to service.
>
> It sounds like OpenVPN would fit here. Run the OpenVPN server on your
> bastion host, it allows access for clients that have SSL certificates
> signed by the same CA that signed the server certificate. When someone
> leaves the company, add their certificate to the server's revocation
> list, and they no longer have access.

Nope, you're misunderstanding the problem.  The bastion host in
question is NOT something we control.  We're SSH'ing into a customer's
bastion host, then from there to our systems installed at their
location.  Additionally, there are many, many of these types of sites,
and there are other sites to which no remote access at all is
allowed, and we must be on-site and access the system directly.

Ideally, this implementation would be a PAM plug-in, such that login
access is identical regardless of whether via ssh, a serial
connection, or local terminal is connected.

I'm really surprised there aren't any hardware-based S/Key
implementations out there...

-- 

Seeya,
Paul
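The S/Key scheme the post asks for is a Lamport hash chain: the token holds a secret and hands out h^(i-1)(secret) each time, while the verifier stores only the last accepted value h^i(secret) and its index, checks that one more hash of the candidate matches, and then moves its anchor down the chain. The following is an added example and is not code from this thread or from any PAM module; it uses SHA-256 rather than the folded MD4 and word encoding of RFC 1760, so it is S/Key-style, not wire-compatible S/Key, and the secret and chain length are constructed values.

```python
import hashlib
import hmac


def hash_step(value: bytes) -> bytes:
    """One link of the chain: h(x). S/Key proper folds MD4 to 64 bits; SHA-256 is used here."""
    return hashlib.sha256(value).digest()


def build_chain(secret: bytes, length: int) -> list:
    """Return [h^0(s), h^1(s), ..., h^length(s)]."""
    chain = [secret]
    for _ in range(length):
        chain.append(hash_step(chain[-1]))
    return chain


class OtpVerifier:
    """Server side. Stores only the current anchor h^index(secret), never the secret."""

    def __init__(self, anchor: bytes, index: int):
        self.anchor = anchor
        self.index = index

    def verify(self, candidate: bytes) -> bool:
        # Chain exhausted: the account must be re-seeded before any login is accepted.
        if self.index <= 0:
            return False
        # Accept only if hashing the candidate once reproduces the stored anchor.
        if hmac.compare_digest(hash_step(candidate), self.anchor):
            self.anchor = candidate      # the accepted value becomes the new anchor
            self.index -= 1              # so the same password can never be replayed
            return True
        return False


class Token:
    """Client side: what a hardware token would compute from the secret it holds."""

    def __init__(self, secret: bytes, length: int):
        self.chain = build_chain(secret, length)
        self.next_index = length - 1   # first password presented is h^(length-1)(s)

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-seed the token and the verifier")
        password = self.chain[self.next_index]
        self.next_index -= 1
        return password


def enroll(secret: bytes, length: int):
    """Enrollment: the verifier receives only the top of the chain and its index."""
    return Token(secret, length), OtpVerifier(build_chain(secret, length)[length], length)


def demo() -> dict:
    # Constructed secret and chain length for the demonstration only.
    token, server = enroll(b"constructed-demo-secret", 5)
    first = token.next_password()
    first_ok = server.verify(first)
    replayed = server.verify(first)            # reuse of a spent OTP must fail
    second_ok = server.verify(token.next_password())
    return {
        "first_ok": first_ok,
        "replay_rejected": not replayed,
        "second_ok": second_ok,
        "remaining": server.index,
    }


if __name__ == "__main__":
    print(demo())
```

Because the verifier holds only the anchor, a compromised password database yields nothing that lets an attacker produce the next password, which is what makes the scheme usable behind a bastion host that someone else controls; the same verify() logic is what a PAM module would run identically for ssh, serial and console logins.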



More information about the gnhlug-discuss mailing list