[ale] CAC Smart cards or similar for Linux

Mike Harrison cluon at geeklabs.com
Mon Nov 22 17:24:01 EST 2010


> RSA (and clones) have been making keys with 1-time passwords for years.
> At work we used RSA SecurID and my broker uses VeriSign fobs.

RSA: they want $25k for a "server appliance" and 150 fobs to get started.
If this was for a mass-market application like a bank or broker, it might 
be worth the headache.

It's not so much for ciphering/encryption as validating what is essentially 
a distributed "point of sale" application. I'm looking to make it
as complicated as possible to login from someplace they should not..
(like at home) or what actually seems to happen is login as a co-worker.

And.. knowing the real world, I fully expect to find a bunch of these 
taped to the front of the system so they never leave, with the logins and 
passwords for everyone on a piece of paper taped to the wall in plain 
sight.

What I am hoping is:
login+password+clientcertificate+ipaddressrestrictions+physicalsomething
is enough factors to ensure Mindy/password, at x.x.x.x with Mindy's 
physical key... really is Mindy so the cash she collects is accountable to 
her.. and it's not co-worker Brandy with Mindy's password on her 
computer... logging up sales as Mindy and stashing the cash,
which Mindy will get fired for not having.

What I really want is smarter honest end-users.. but I also want Santa 
Claus to deliver a John Cooper Special Mini Cooper..

My other expectation is the client's IT director will pass on the whole 
thing because he's the kind of person that sends password-protected PDFs
as secure e-mails.
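An added illustration, not part of Mike's post: a defender-side check that refuses a login unless every factor in the list above (password, client certificate, source address, physical token) names the same account, so a co-worker's password alone is not enough. The sample user records, the stand-in password hash and the check_login function are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def _h(pw: str) -> str:
    # Stand-in for a real password hash (use bcrypt/argon2 in production).
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample records: every factor is bound to exactly one account.
USERS = {
    "mindy": {"pw_hash": _h("mindy-pw"), "cert_subject": "CN=mindy,O=store",
              "allowed_nets": ["10.1.0.0/16"]},
    "brandy": {"pw_hash": _h("brandy-pw"), "cert_subject": "CN=brandy,O=store",
               "allowed_nets": ["10.1.0.0/16"]},
}
# Physical token serial -> the one account it was issued to.
TOKEN_OWNER = {"TOK-0001": "mindy", "TOK-0002": "brandy"}

@dataclass
class Attempt:
    username: str
    password: str
    cert_subject: Optional[str]   # subject of the TLS client certificate
    token_serial: Optional[str]   # serial of the physical token presented
    src_ip: str

def check_login(a: Attempt) -> list:
    """Return the factors that disagree with the claimed account.
    Empty means login, cert, token and source address all say the same
    person; anything else is refused and should be logged as a mismatch."""
    user = USERS.get(a.username)
    if user is None:
        return ["unknown-user"]
    failed = []
    if not hmac.compare_digest(_h(a.password), user["pw_hash"]):
        failed.append("password")
    if a.cert_subject != user["cert_subject"]:
        failed.append("client-cert")
    if not any(ip_address(a.src_ip) in ip_network(n) for n in user["allowed_nets"]):
        failed.append("source-ip")
    if TOKEN_OWNER.get(a.token_serial) != a.username:
        failed.append("token")
    return failed

if __name__ == "__main__":
    # Brandy typing Mindy's password on Brandy's own machine with Brandy's token:
    print(check_login(Attempt("mindy", "mindy-pw", "CN=brandy,O=store",
                              "TOK-0002", "10.1.4.7")))  # ['client-cert', 'token']
```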
