<p>Just to clarify, I am not specifically looking for an OpenPGP smartcard... anything that'll do for auth is fine.<br>
</p>
<div class="gmail_quote">On Oct 6, 2011 3:57 PM, "David Tomaschik" <<a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a>> wrote:<br type="attribution">> On Thu, Oct 6, 2011 at 3:28 PM, Michael B. Trausch <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<br>
>> Hello,<br>>><br>>> I'm doing some looking at an idea, but I am having a hard time finding<br>>> information. I want to toy with the idea of creating a sign-on system<br>>> using smart cards; something where you don't even need a username. I<br>
>> know that this is possible for Web applications with relative ease,<br>>> but I would like to cook up something that'd be useful for distributed<br>>> administrative management. For example, I could use a smart card to<br>
>> authenticate to my home network when I'm away from home, and my laptop<br>>> (or whatever computer I am at) would only be allowed to access certain<br>>> resources on my home network when a valid and non-revoked card<br>
>> (certificate) is used.<br>>><br>>> I've read quite a bit about _how_ to get the software to do such<br>>> things, but the important question is the one that I don't have an<br>>> answer to. I want cards that can be set up with keys and used from<br>
>> both Linux and Windows systems without a great deal of effort. Is<br>>> that actually possible? Shouldn't I be able to have a card and a USB<br>>> reader, for example, and be able to use my smart card to access a Web<br>
>> site, or SSH connection, or whatever, without having to worry about<br>>> "it won't work with system X because there isn't a library for it" or<br>>> whatever?<br>>><br>>> Or are the only options for such a thing truly to order from out of<br>
>> the country?<br>>><br>>> --- Mike<br>> <br>> <br>> Mike,<br>> <br>> I can't address absolutely everything in your post, but I'll address<br>> what I can. The scope of your problem is bigger than the scope of my<br>
> knowledge, but hopefully I can get you started.<br>> <br>> So, first off, there are MANY sources for smartcards. However, the<br>> only source for smartcards that have software that complies with the<br>> OpenPGP/GPG spec is Kernel Concepts in Germany. (I know you didn't<br>
> ask specifically about OpenPGP, but I'll get to that below.) The<br>> readers are fairly standard and are commonly sold in the states for<br>> use with the US Military CAC cards.<br>> <br>> For the OpenPGP/GPG smartcards, you can use gpg-agent as a drop-in<br>
> replacement for SSH agent and use an authentication-capable key from<br>> the smartcard for SSH authentication. You can also use libpam-poldi<br>> to enable local PAM authentication using the smartcard.<br>> <br>
> As far as using it for problems outside the realm of PAM and SSH,<br>> well, I haven't tried those. I haven't even found a way to do webapp<br>> authentication via GPG smartcard. (I know you can do it with X.509,<br>
> but I'd rather use one key & one card for everything.)<br>> <br>> Let me know what you find -- I'd be interested to know.<br>> <br>> -- <br>> David Tomaschik, RHCE, LPIC-1<br>> System Administrator/Open Source Advocate<br>
> OpenPGP: 0x5DEA789B<br>> <a href="http://systemoverlord.com">http://systemoverlord.com</a><br>> <a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a><br>> <br>> _______________________________________________<br>
> Ale mailing list<br>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>> <a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br></div>
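<p>The gpg-agent-as-SSH-agent setup David describes, written out as an added example (this is not code from the thread or from GnuPG). It assumes GnuPG 2.1 or later (which emulates the OpenSSH agent protocol when <code>enable-ssh-support</code> is set) and OpenSSH on the client; the keygrip in the usage comment is a constructed placeholder, and the helper functions take the GnuPG home directory as an argument so they can be exercised on a scratch directory without a card reader. The parts that actually talk to the card are kept in one function that is skipped when <code>gpg</code> is absent.</p>

```shell
#!/bin/sh
# Added example: make an OpenPGP card's authentication key answer SSH
# challenges through gpg-agent instead of ssh-agent.
# Assumptions: GnuPG >= 2.1, OpenSSH, a CCID reader the card daemon can see.

# Idempotently turn on gpg-agent's SSH agent emulation for the given GNUPGHOME.
write_agent_conf() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    conf="$dir/gpg-agent.conf"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
}

# List a keygrip in sshcontrol so gpg-agent offers that key to SSH clients.
# Inserted card keys are offered while the card is present; recording the grip
# of the card's authentication key keeps the on-disk stub usable as well.
register_keygrip() {
    dir="$1"
    grip="$2"
    ctl="$dir/sshcontrol"
    touch "$ctl"
    grep -q "^$grip" "$ctl" || echo "$grip" >> "$ctl"
}

# The line to add to the login shell's rc file: point OpenSSH at gpg-agent's
# socket. gpgconf knows the correct path for this GnuPG version and user.
ssh_auth_sock_line() {
    echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"'
}

# Inspect the card and confirm SSH sees its authentication key.
# Needs gpg, gpg-agent and a reader; does nothing useful without them.
show_card_keys() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping card check"; return 0; }
    gpg --card-status                        # serial, key slots, PIN retry counters
    gpg --with-keygrip -K | grep -i keygrip  # keygrips of secret keys, card stubs included
    gpg-connect-agent updatestartuptty /bye  # let pinentry use this terminal for the PIN
    ssh-add -L                               # the auth slot appears as a normal SSH public key
}

# Real-machine usage (constructed keygrip; replace with the one from -K):
#   write_agent_conf "$HOME/.gnupg"
#   register_keygrip "$HOME/.gnupg" 0123456789ABCDEF0123456789ABCDEF01234567
#   ssh_auth_sock_line >> "$HOME/.profile"
#   gpg --export-ssh-key <KEYID> >> remote:~/.ssh/authorized_keys   # server side
#   show_card_keys
```

<p>Once <code>SSH_AUTH_SOCK</code> points at gpg-agent, <code>ssh</code> needs no <code>-i</code> flag and no key file on disk: the private key never leaves the card, the card's PIN is requested through pinentry, and revoking access is a matter of removing that one public key from <code>authorized_keys</code>. The same socket works from any machine that has GnuPG and a reader, which is the "no per-host library" property Mike asked about, at least for SSH.</p>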