smart card authentication with Linux?

Fred puissante at gcpy.com
Wed Nov 23 18:59:01 EST 2005


On Monday 14 November 2005 21:06, Paul Lussier wrote:
...
> Nope, you're misunderstanding the problem.  The bastion host in
> question is NOT something we control.  We're SSH'ing into a customer's
> bastion host, then from there to our systems installed at their
> location.  Additionally, there are many, many of these types of sites,
> and, there are other sites to which no remote access at all is
> allowed, and we must be on-site and access the system directly.

Why not set up a bastion server AT YOUR COMPANY that then connects to your 
client's bastion hosts? With some scripting, you can do *all* authentication 
on your bastion, and hide the authentication between your bastion and theirs 
from the user. Now, you only have one point of control to worry about, not 
many.

You'll have to work out the mapping details, of course, but ssh is born to do 
port forwarding. You'll just have an extra point of indirection. One under 
your absolute control.

-Fred
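
One way to do the scripted mapping described in the reply above, as an added example that is not part of the original post: a wrapper the company bastion would run through sshd's ForceCommand, resolving a site label to the customer's bastion and the system behind it with keys only the bastion holds. The site map, host names, accounts and key directory are constructed assumptions.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper for a company-side bastion. All names are hypothetical.
# Constructed map, one site per line: site|account@customer-bastion|account@our-system
SITE_MAP='acme|vendor@bastion.acme.example|svc@10.1.2.3
globex|support@gw.globex.example|svc@192.168.7.20'
KEY_DIR=/etc/bastion/keys   # assumed location of per-site keys, not readable by users

# lookup_site SITE: print "jump target" for a known site, return 1 otherwise.
lookup_site() {
    case "$1" in
        ''|*[!a-z0-9-]*) return 1 ;;   # site labels only: no spaces, options or metacharacters
    esac
    printf '%s\n' "$SITE_MAP" |
        awk -F'|' -v s="$1" '$1 == s { print $2, $3; hit = 1 } END { exit !hit }'
}

# hop_args SITE: print the ssh arguments for the customer hop, one per line.
hop_args() {
    hop=$(lookup_site "$1") || return 1
    key="$KEY_DIR/$1"
    printf '%s\n' -i "$key" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o "ProxyCommand=ssh -i $key -o BatchMode=yes -W %h:%p ${hop% *}" \
        "${hop#* }"
}

# connect SITE: replace this process with the ssh session to the mapped system.
connect() {
    args=$(hop_args "$1") || { echo "unknown site: refused" >&2; return 1; }
    IFS='
'
    set -f          # split on newlines only, no globbing
    set -- $args
    exec ssh "$@"
}

# sshd runs this script via ForceCommand; the user's requested site arrives here.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    connect "$SSH_ORIGINAL_COMMAND"
fi
```

The user authenticates only to the company bastion and names a site (for example `ssh bastion acme`); the per-site key never leaves the bastion, and anything that is not a known site label is refused before ssh is invoked.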