[ale] Smart cards

David Tomaschik david at systemoverlord.com
Thu Oct 6 15:53:23 EDT 2011


On Thu, Oct 6, 2011 at 3:28 PM, Michael B. Trausch <mike at trausch.us> wrote:
> Hello,
>
> I'm doing some looking at an idea, but I am having a hard time finding
> information.  I want to toy with the idea of creating a sign-on system
> using smart cards; something where you don't even need a username.  I
> know that this is possible for Web applications with relative ease,
> but I would like to cook up something that'd be useful for distributed
> administrative management.  For example, I could use a smart card to
> authenticate to my home network when I'm away from home, and my laptop
> (or whatever computer I am at) would only be allowed to access certain
> resources on my home network when a valid and non-revoked card
> (certificate) is used.
>
> I've read quite a bit about _how_ to get the software to do such
> things, but the important question is the one that I don't have an
> answer to.  I want cards that can be setup with keys and used from
> both Linux and Windows systems without a great deal of effort.  Is
> that actually possible?  Shouldn't I be able to have a card and a USB
> reader, for example, and be able to use my smart card to access a Web
> site, or SSH connection, or whatever, without having to worry about
> "it won't work with system X because there isn't a library for it" or
> whatever?
>
> Or are the only options for such a thing truly to order from out of
> the country?
>
>    --- Mike


Mike,

I can't address absolutely everything in your post, but I'll address
what I can.  The scope of your problem is bigger than the scope of my
knowledge, but hopefully I can get you started.

So, first off, there are MANY sources for smartcards.  However, the
only source for smartcards that have software that complies with the
OpenPGP/GPG spec is Kernel Concepts in Germany.  (I know you didn't
ask specifically about OpenPGP, but I'll get to that below.)  The
readers are fairly standard and are commonly sold in the states for
use with the US Military CAC cards.

For the OpenPGP/GPG smartcards, you can use gpg-agent as a drop-in
replacement for SSH agent and use an authentication-capable key from
the smartcard for SSH authentication.  You can also use libpam-poldi
to enable local PAM authentication using the smartcard.

As far as using it for problems outside the realm of PAM and SSH,
well, I haven't tried those.  I haven't even found a way to do webapp
authentication via GPG smartcard.  (I know you can do it with X.509,
but I'd rather use one key & one card for everything.)

Let me know what you find -- I'd be interested to know.

-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com



More information about the Ale mailing list