PAM with Credit Cards
Leonard Isham
leonard.isham at gmail.com
Mon Feb 28 05:44:50 UTC 2005
On Sun, 27 Feb 2005 23:21:33 -0500 (EST), AragonX <aragonx at dcsnow.com> wrote:
> <quote who="Brian Fahrlander">
> > Sounds like a good start; given that it's a "keyboard wedge" how
> > would I approach such a system, via PAM? I'm not a programmer, but I
> > understand the environment, mostly...
> Ideally
> I'm considering implementing a similar system where I work. I want to use
> a USB key. It would be nice if the machine did not even present a logon
> prompt until after a USB card has been connected and the information
> verified. Then the user would get the standard Linux logon prompt. The
> major deviation is the user name would have to match the user on the
> keycard.
>
> Ideally, the certificate on the USB key would change each time the user
> logs on.
>
> Since we have three locations and central key management doesn't seem like
> a good idea, I'm thinking I would have to have some sort of machine name +
> certificate scheme.
>
> After a quick search, I came up with this site:
>
> http://pam-x509.sourceforge.net/
>
> Brian, this seems to do exactly what you want. As a matter of fact, I may
> be able to modify it to do what I want also.
>
> I'm wondering, would a fingerprint device give me any additional security
> or would it just be a waste of money?
>
Consider: the larger the number of prints used, the higher the number of
false positives, which is why law enforcement agencies use computers
to narrow the search to a number that humans can process.
The best bet is to have the print matched against the print on the USB
key. I believe they also increase the number of points used for a
match when this is done (increasing accuracy).
--
Leonard Isham, CISSP
Ostendo non ostento.