[ale] CAC Smart cards or similar for Linux

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 22 17:04:39 EST 2010


On Mon, 2010-11-22 at 15:50 -0500, John wrote: 
> I don't know about "smart cards" since that means a specific hardware 
> reader to me, but .... if you're looking for two-factor authentication ....

Actually, you can get smart-cards as USB devices (yes, slightly more
expensive) and then you don't need special readers.

> You may have already considered these and disqualified them. I'd be 
> interested in your reasons, if so.

> YubiKey?  But I wouldn't deploy this for too many non-technical people, 
> but for nerds it is easy enough - http://www.yubico.com/yubikey   The 
> server is Apache licensed http://code.google.com/p/yubikey-val-server-php/ .

> RSA (and clones) have been making keys with 1-time passwords for years.  
> At work we used RSA SecurID and my broker uses VeriSign fobs.

Gag.  Those are terrible.  Time-based 2-factor are a plague.  Users hate
them (I hate them) and admins hate them worse (I've had to admin a site
with them).  We had a site we were hosting for a while and the ACE
server caused more administrative and maintenance headaches than what it
was worth and we eventually convinced them to go with certificates and
the private keys can be stored on smart cards for certificates.

Mike

> There's also WiKID http://www.wikidsystems.com/  They are local. I think 
> there is a GPL version avail. 
> http://freshmeat.net/search?q=Wikid&submit=Search
> 
> And if you want to go old school - paper - https://www.grc.com/ppp.htm 
> there have been many versions of paper-based cyphers over the years. 
> There are Linux, Windows AND Mac implementations. New BSD license.
> 
> Obviously, if they want more security tell them to stop running 
> MS-Windows. ;)  There are hacks for most of these things, especially for 
> web sites, across all platforms. If the computer (client or server) is 
> hacked, all the n-factors in the world aren't going to make a difference 
> in security.
> 
> I'm fairly certain some lurkers have experience with these. Perhaps they 
> can add to the list and comment?
> 
> 
> 
> On 11/22/2010 03:20 PM, Mike Harrison wrote:
> > I'm trying to figure out how to use CAC (Common Access Control) or similar
> > smart cards for an access control to a web system. There are some
> > MS-Specific solutions, but I'm looking for something that works well with
> > a Linux server and MS or Linux clients running FireFox.
> >
> > Specifically, I'd love to find a "Package" of a few hundred "cards"
> > or "USB Tokens", a card/token creator/writer and the server side
> > components that all work together.
> >
> > I'm trying to add a physical '3rd factor' to accessing a special web
> > application. We are already using client certs... but some people want
> > even more.  A USB Key or CAC card would be perfect.
> >
> > Any clues, or are we in the famous: "built it from scratch yourself"
> > territory?
> >
> >
> >    
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
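For the certificate-on-a-smart-card approach Mike describes (and the original poster's Linux server / Firefox client setup), the server side is plain TLS client-certificate authentication; the card only matters on the client, where Firefox loads the card's PKCS#11 module and uses the key that never leaves the token. The following Apache httpd 2.4 mod_ssl fragment is an added example written for this thread, not configuration from any poster; the hostname, file paths and the "SmartCardUsers" OU are assumptions.

```apache
# Added example (not from the thread). Assumes Apache httpd 2.4 with mod_ssl,
# an internal CA that issued the client certificates whose private keys live
# on the smart cards / USB tokens, and a CRL published by that CA.
<VirtualHost *:443>
    # assumed hostname
    ServerName app.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.org.key

    # Trust anchor for client certificates: only the internal CA, never the
    # public CA bundle, so a certificate from any commercial CA is not accepted.
    SSLCACertificateFile  /etc/ssl/certs/internal-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # A lost or stolen token is handled by revoking its certificate at the CA;
    # the server must actually check the CRL for that to take effect.
    SSLCARevocationFile   /etc/ssl/crl/internal-ca.crl
    SSLCARevocationCheck  chain

    <Location /app>
        # A valid certificate from the CA is necessary but not sufficient:
        # additionally require an assumed OU that marks token-holding users.
        Require expr "%{SSL_CLIENT_S_DN_OU} == 'SmartCardUsers'"

        # Expose the verified subject DN to the application so it can map the
        # certificate to a user account instead of trusting a form field.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

Two things to check after deploying such a config: that a client with no certificate (or one from a different CA) gets a TLS handshake failure rather than a page, and that the CRL file is refreshed on a schedule, because an expired CRL with `SSLCARevocationCheck chain` makes Apache reject every client certificate.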