[Samba] Samba and the use of smart cards for authentication

Philip Edelbrock phil at Ren.netroedge.com
Fri Nov 28 21:44:04 GMT 2003


I've played a little bit with smart cards and tokens.  They are a bit
messy to implement.  I didn't like the idea of special software/hardware
installed on the client to get such a system in place.  There are some
other ways to do the same thing, though, that may solve a lot of the
issues you may be confronted with. 

For example, you may want to take a look at the RSA-SecurID tokens. [1] I
haven't set up a system with them, but I like how they work.  Instead of
being connected by hardware to the client computer, they simply have a
small LCD display of numbers that constantly change every minute.  You use
that set of numbers along with a personal code (PIN) as your password to
authenticate with the server.  On the server, the authenticator is a PAM
module, so in theory it can be used with Samba, SSH, Apache, whatever can
use PAM!  The key fob version costs about $55 each (probably around as
much as you paid for your card readers?). [3]

Back to smart cards, I've played a little bit with the Cryptoflex tokens
by Schlumberger (now Axalto) [4].  The e-gate version allows you to use
them in a USB token so you don't need a dedicated reader to use it.  The
end result is the same, though: you need a PIN and a physical item
(card/token) to authenticate.  The difference being that the
smartcard/usb-token may make it a little easier for the end user provided
that all the software on the client box is set up right.  With something
like the SecurID the end user will need to take the extra step to copy a
number from the display on the token into the password box on the
computer, but it allows the token to work from any client (and OS) making
it much easier for the administrator to deploy. 

Good luck!


Phil

[1] http://www.rsasecurity.com/products/securid/hardware_token.html
[2] http://www.rsasecurity.com/download/
[3] http://www.streetprices.com/x/search.cgi?query=securid
[4] http://www.axalto.com/infosec/cryptoflex_win.html

On Fri, 28 Nov 2003, Simon Posnjak wrote:

> Hi,
> 
> We have a windows based network. Now we would like to secure all the computers 
> with the use of smart cards (so that people can log on with a smart card). 
> For testing purposes we bought some card readers and now we are trying to set 
> up a testing lab. First problem we ran into is that we would need W2K Server 
> for Active Directory and the MS CA. Until now we used Samba for print and 
> file server, so we thought that we would use Samba also for authentication. I 
> read a lot of documentation but I didn't find any information about how to 
> use smart cards for authentication with Samba. Can this be done? Any 
> information would be deeply appreciated. Thank you.
> 
> 		Regards Simon
> 



