Re: combine pam-usb and pam-ldapd ?
- From: Karl Kashofer <karl.kashofer [at] gmx.at>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: combine pam-usb and pam-ldapd ?
- Date: Mon, 12 Dec 2011 09:09:26 +0100
On 12.12.2011 06:12, Hatem Nassrat wrote:
On Sun, Dec 11, 2011 at 10:04 PM, Tim White <weirdit [at] gmail.com> wrote:
On 12/12/11 06:38, Arthur de Jong wrote:
I would really want to have users authenticated by a private key on a usb stick, with/without a password.
[...]
Correctly set up, PAM is designed to be modular. So you can, for
example, use libnss to provide all the passwd/group information, and
then use pam_usb to attempt to authenticate, and then fall back to
libpam_ldapd on failure. Do some reading into PAM (man pam, man
pam.conf) and
I believe what he is trying to do is to store the public keys in ldap
somehow. I think a quicker approach may be to use autofs with pam-usb
rather than pam-ldap.
It took me a while to figure out what you are wanting to do, somehow
adding to the ldap schema to add a public key to each user as well as
modifying the pam side to lookup the key and do what pam-usb does. This
does seem like a lot of work though ...
Thanks for the fast replies, Hatem, Tim and Arthur!
Yes, what I want is central user management on the server and easy and
secure authentication on clients.
We would create users on the server and issue USB sticks with keys to
employees. The stick contains a secret that, together with the secret on
the server, allows identification, authentication and login without
any user intervention (or alternatively with a password to unlock the key).
pam-usb seems to store one-time pads on the USB stick, but anything that
allows the user to be identified in a secure way should suffice.
With the sticks the user can unlock any machine on the network, which
then mounts their ~home. Basically it's like a smartcard solution, just
without the smartcard.
Is that possible with existing tools?
Cheers,
Karl
--
Hatem Nassrat
Chief Technical Officer
T: (902) 431-4847 ext. 112
F: (902) 431-4848
GenieKnows Inc. <http://www.genieknows.com/>
Yellowee <http://www.yellowee.com/>
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
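A PAM auth stack in the shape Tim describes above (pam_usb tried first, the LDAP password as fallback), as an added example; it is not part of this thread and not configuration shipped by the nss-pam-ldapd or pam_usb projects. It assumes a Debian-style /etc/pam.d/common-auth, that pam_usb.so and pam_ldap.so are installed, that the sticks have already been enrolled in /etc/pamusb.conf, and the minimum_uid value of 1000 is a placeholder for the site's first LDAP uid.

```conf
# /etc/pam.d/common-auth  (example stack, not from the thread)

# 1. Stick first. If pam_usb recognises the device (and, when enabled,
#    its one-time pad matches), authentication succeeds here and nothing
#    below is consulted. "sufficient" also means a failure on this line
#    is ignored, so a user without a stick simply falls through to the
#    password modules instead of being rejected outright.
auth    sufficient                      pam_usb.so

# 2. Fallback: local password, then the LDAP password via nss-pam-ldapd.
#    success=N skips the next N lines, so exactly one of pam_unix /
#    pam_ldap has to succeed to reach pam_permit; otherwise pam_deny
#    terminates the stack with a failure.
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
```

With `sufficient` on the first line, possession of the stick alone is worth a password for the "no user intervention" variant Karl asks for, so a lost stick is an open account until it is removed from /etc/pamusb.conf. For the "stick plus password" variant, change that line to `requisite`: pam_usb then has to succeed before the password modules are even consulted, and both factors are required. Only the auth type is shown; the account and session lines (including whatever mounts the home directory) are unchanged and still come from the LDAP side.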