[Samba] Samba and the use of smart cards for authentication

Andrew Bartlett abartlet at samba.org
Sat Nov 29 03:04:28 GMT 2003


On Sat, 2003-11-29 at 08:44, Philip Edelbrock wrote:
> I've played a little bit with smart cards and tokens.  They are a bit
> messy to implement.  I didn't like the idea of special software/hardware
> installed on the client to get such a system in place.  There are some
> other ways to do the same thing, though, that may solve a lot of the
> issues you may be confronted with. 
> 
> For example, you may want to take a look at the RSA-SecurID tokens. [1] I
> haven't set up a system with them, but I like how they work.  Instead of
> being connected by hardware to the client computer, they simply have a
> small LCD display of numbers that constantly change every minute.  You use
> that set of numbers along with a personal code (PIN) as your password to
> authenticate with the server.  On the server, the authenticator is a PAM
> module, so in theory it can be used with Samba, SSH, Apache, whatever can
> use PAM! 

The problem is, Samba cannot use PAM, not for domain logons, and not
without client modifications even for file sharing.

You could write an authentication module for Samba that accepted NTLM
logins from the clients, and looked up the appropriate one-time-password
(much as we currently lookup the long-term password), however MS clients
assume that the password does not change, and will transparently
reconnect with the old password.  If you are lucky, they might pop up a
'wrong password' box, but particularly RPC services don't handle this
kind of fault well (printing is a good example).  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
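The authentication module Andrew sketches, and the reason it breaks, can be
simulated end to end. The following is an added example, not Samba code and
not something either poster wrote: a server that validates an NTLMv2 response
against a one-time passcode instead of a stored long-term password, and a
client that keeps reusing the passcode it was given, as Windows clients do.
Assumptions: TOTP (RFC 6238) stands in for the proprietary SecurID token
algorithm, with a 60-second step to match "change every minute"; the passcode
is PIN followed by the token code; the NTLMv2 blob is reduced to the client
nonce (the real one also carries a timestamp and target info); the server
tolerates one previous step of clock skew; the user, PIN, token secret and
challenges are constructed. MD4 is implemented inline because hashlib often
lacks it under OpenSSL 3.

```python
"""Simulate NTLMv2 authentication against a per-minute one-time passcode.

Shows why a cached-password client fails once the OTP window rolls over.
Added example (not Samba code); all names, secrets and times are constructed.
"""
import hmac
import os
import struct

M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT hash."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                # Each step updates one register and rotates the roles (a,b,c,d) -> (d,a',b,c)
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[idx] + k) & M32, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is what NTLM actually proves knowledge of."""
    return md4(password.encode("utf-16-le"))


def totp(secret: bytes, t: float, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), standing in for the token's display code (assumption)."""
    counter = int(t // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Client side: NTLMv2 key = HMAC-MD5(NThash, upper(user)+domain); response over challenge+blob."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    # Simplification: the blob is only the client nonce (real NTLMv2 adds timestamp and target info).
    return hmac.new(ntlmv2_key, server_challenge + client_nonce, "md5").digest()


def server_verify(users, user, domain, server_challenge, client_nonce, response, now, step=60, skew=1):
    """Server side: derive the expected passcode for the current (and `skew` previous) OTP windows,
    rebuild the NTLMv2 response from it and compare. The server must know the PIN and token
    secret in the clear, exactly as it must know the long-term password for NTLM today."""
    pin, secret = users[user]
    counter = int(now // step)
    for c in range(counter, counter - skew - 1, -1):
        candidate = pin + totp(secret, c * step, step)  # passcode = PIN + token code (assumption)
        expected = ntlmv2_response(candidate, user, domain, server_challenge, client_nonce)
        if hmac.compare_digest(expected, response):
            return True
    return False


def simulate(step: int = 60) -> dict:
    """The client reads the passcode once at logon and reuses it on every reconnect."""
    users = {"alice": ("1234", b"12345678901234567890")}  # constructed PIN and token secret
    domain = "WORKGROUP"
    logon_time = 100
    cached_password = users["alice"][0] + totp(users["alice"][1], logon_time, step)
    results = {}
    for label, t in (("logon", logon_time), ("reconnect_next_window", 130), ("reconnect_later", 250)):
        chal, nonce = os.urandom(8), os.urandom(8)
        resp = ntlmv2_response(cached_password, "alice", domain, chal, nonce)
        results[label] = server_verify(users, "alice", domain, chal, nonce, resp, t, step)
    return results


if __name__ == "__main__":
    for label, ok in simulate().items():
        print(f"{label:24s} {'accepted' if ok else 'rejected'}")
```

The logon succeeds, a reconnect within the one-step grace window still
succeeds, and the reconnect two windows later is rejected even though the
client did nothing wrong from its own point of view: it never sees the
passcode change, so the only signal it can act on is a generic logon failure,
which is exactly the behaviour Andrew describes for RPC services such as
printing.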