smart card authentication with Linux?
Bill McGonigle
bill at bfccomputing.com
Tue Nov 15 09:36:00 EST 2005
On Nov 14, 2005, at 20:53, Paul Lussier wrote:
> What I'm looking for is something that when an honest person leaves
> the company, or switches out of a position where this type of access
> is required, the card can then be passed on to another person without
> necessitating the change of keys on all customer systems.

Do you have smart users? It sounds like you just need a $10 32MB USB
pendrive with an encrypted filesystem image on it that gets mounted
loopback using a user-specific password. Then set up ~/.ssh/config to
point to /mnt/crytopen/id_rsa or some such contraption.

If you don't trust the user to not copy the ssh key off the image (you
mentioned honest users) and you're not using SELinux and you allow them
root on their machines then you need a smart-card. I believe OpenSSH
has hooks to use them. Maybe someone here has set this up before?

-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Mobile: 603.252.2606
http://www.bfccomputing.com/ Pager: 603.442.1833
Jabber: flowerpt at gmail.com Text: bill+text at bfccomputing.com
Blog: http://blog.bfccomputing.com/
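
The loopback arrangement described in the message above, as an added example that is not part of the original post: an encrypted image file on the pendrive holds the key, and ~/.ssh/config points at the mounted copy. LUKS via cryptsetup is an assumption (the post only says "encrypted filesystem image"); the image path, mapper name and host names are hypothetical, and the mount point is the one written in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes cryptsetup (LUKS),
# util-linux and OpenSSH; create/open/close must be run as root.
IMG=${IMG:-/media/usb/keys.img}   # hypothetical image file on the pendrive
NAME=${NAME:-sshkeys}             # hypothetical device-mapper name
MNT=${MNT:-/mnt/crytopen}         # mount point as written in the post

# One-time setup: create the image, encrypt it, generate the key inside it.
create_image() {
    truncate -s 24M "$IMG" &&
    # LUKS1 keeps the header small enough for a 32MB stick;
    # luksFormat prompts for the user-specific passphrase.
    cryptsetup luksFormat --type luks1 "$IMG" &&
    cryptsetup open "$IMG" "$NAME" &&
    mkfs.ext4 -q "/dev/mapper/$NAME" &&
    mkdir -p "$MNT" && mount "/dev/mapper/$NAME" "$MNT" &&
    ssh-keygen -t rsa -b 4096 -f "$MNT/id_rsa" &&
    chown -R "${SUDO_USER:-root}" "$MNT" && chmod 700 "$MNT"
}

# Per session: unlock with the passphrase and mount; close when done.
open_image() {
    cryptsetup open "$IMG" "$NAME" &&
    mkdir -p "$MNT" &&
    mount -o nosuid,nodev,noexec "/dev/mapper/$NAME" "$MNT"
}
close_image() {
    umount "$MNT" && cryptsetup close "$NAME"
}

# Succeeds only if the key sits on a mounted filesystem, so a stray
# id_rsa left in the bare mount point directory is never picked up.
key_available() {
    mountpoint -q "$MNT" && [ -f "$MNT/id_rsa" ]
}

# Print the ~/.ssh/config block: $1 = host alias, $2 = real host name.
ssh_stanza() {
    printf 'Host %s\n    HostName %s\n    IdentityFile %s/id_rsa\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$MNT"
}

case "${1:-}" in
    create) create_image ;;
    open)   open_image ;;
    close)  close_image ;;
    stanza) ssh_stanza "$2" "$3" ;;
esac
```

Handing the stick to another person then means re-keying only the passphrase slot (`cryptsetup luksChangeKey`), while the SSH key that customer systems trust stays the same. As the message notes, this does not stop a user with root from copying the key once the image is mounted.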