I walk up to my RH desktop machine, and touch my Java iButton to the blue spot
  reader. The PAM login uses the iButton key to identify me using a list of known
  ssh public keys. If it matches, a key is stored in ssh-agent (or used for any
  other auth scheme, e.g. to get a Kerberos ticket, which uses the key to derive
  tickets), and I am logged in as if a valid password had been entered for the
  corresponding username.

We have something like this working with Cyberflex Access.  There are a few
issues you might want to think about.  One is that you don't want any
secrets to leak from the card (or button).  So just reading the private key
off the card and storing it in the ssh-agent is not acceptable.  Instead,
the crypto must be done on the card.

Another problem is that you really don't want (or at least I don't want) the
card to be present in the reader during the entire session.  I want to
insert the card, have it log me in, then remove the card.  Now I stay logged
in until I log out, either explicitly or by timeout.  That means the card
must be able to generate some kind of session key that can be used for a
limited time by the host.  This can be done with Kerberos, but not ssh.
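As an added illustration of the two design points in the reply (the private key never leaves the card, and the host only holds a time-limited session credential), here is a toy model of the login flow. This is example code written for this page, not code from the thread, the MUSCLE project, or the Cyberflex product. The `Card` and `Host` classes, the textbook RSA with tiny primes and no padding, and the fixed session lifetime are all constructed assumptions chosen to keep the numbers readable; none of it is usable as real cryptography.

```python
"""Toy model: on-card signing plus a time-limited host session.

Constructed example. Textbook RSA with ~20-bit primes and no padding so
the arithmetic stays visible; the real systems in the thread use proper
card crypto and Kerberos tickets instead.
"""
import hashlib
import math
import secrets


def _next_prime(n):
    """Smallest prime >= n by trial division (fine for toy-sized n)."""
    while True:
        if n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def _digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it below the modulus (toy, unpadded)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Card:
    """Models the token. The private exponent is created here and only ever
    used inside sign(); there is deliberately no way to read it out."""

    E = 65537

    def __init__(self, start=10 ** 6):
        # Assumption: toy keygen from a starting point so two cards differ.
        p = _next_prime(start)
        q = _next_prime(p + 1)
        while math.gcd(self.E, (p - 1) * (q - 1)) != 1:
            q = _next_prime(q + 1)
        self.n = p * q
        self._d = pow(self.E, -1, (p - 1) * (q - 1))  # Python 3.8+

    def public_key(self):
        return (self.n, self.E)

    def sign(self, data: bytes) -> int:
        """All private-key work happens on the card; host sees only the result."""
        return pow(_digest(data, self.n), self._d, self.n)

    def new_session_key(self) -> bytes:
        """The card mints the short-lived secret the host will keep."""
        return secrets.token_bytes(32)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


class Host:
    """The desktop: knows public keys (like authorized_keys), never private ones."""

    SESSION_TTL = 8 * 3600  # seconds; assumption for the example

    def __init__(self, known_keys):
        self.known_keys = dict(known_keys)  # username -> (n, e)
        self.sessions = {}                  # username -> (key, expires_at)

    def login(self, username: str, card: Card, now: float):
        """Challenge-response against the card, then issue a bounded session."""
        pub = self.known_keys.get(username)
        if pub is None:
            return None
        msg = secrets.token_bytes(16) + username.encode()  # fresh nonce each time
        if not verify(pub, msg, card.sign(msg)):
            return None
        key = card.new_session_key()
        self.sessions[username] = (key, now + self.SESSION_TTL)
        return key  # the card can be removed now; only this key stays on the host

    def session_valid(self, username: str, key: bytes, now: float) -> bool:
        entry = self.sessions.get(username)
        if entry is None:
            return False
        stored, expires = entry
        if now >= expires:
            del self.sessions[username]  # timeout: the session is gone
            return False
        return secrets.compare_digest(stored, key)

    def logout(self, username: str):
        self.sessions.pop(username, None)
```

The shape to notice is that `Host` never receives anything it could replay indefinitely: the signature is bound to a fresh nonce, and the only long-lived thing on the host is a session key that expires on its own, which is the property the reply says Kerberos gives and plain ssh keys do not.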
***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
