Bruce Barnett wrote:
Would there be a problem to give the object a unique name like PAM<number>, where the corresponding key would be <number>?
Sounds good, but where are you going to specify the number?
There is only one unique PAM object. The number after the string PAM indicates the number of the corresponding key. So there would be no use for a configuration file in the user directory. The solution with the configuration file has the disadvantage that the configuration file must be there, and the configuration file has to be edited by the user. Not all users would like to do this administration task. If a root cert is used it is also possible that the user has to create this configuration file on each machine. The goal is to disburden the user and to have self-administrating systems. (E.g. I hate to disperse my public keys in SSH for public key authentication. My login in the network is everywhere the same, but I have a separate home directory.) And if a configuration file is really needed it should be stored on the smart card. Smart cards have to be portable; the ideal is that on each machine where I have never logged on before everything works fine.
Which brings up the idea of a module which stores all important configuration settings for a user. E.g. the .bashrc and .profile are loaded from the smart card ..
Another idea: It would be possible to think of a system where all information is stored on a card, certified by an in-house root CA, and if a user logs in for the first time, his home directory is created, configuration files ... Would be a great future.
Bye, Karsten
You really want the user to specify the number themselves without modifying the /etc/musclepam/pam-muscle.conf file.
That is, instead of
CertNumber = 1 # Certificate number to use
CertName = user.cert # User Certificate in DER format
Use
CertNumber = 1 # Default Certificate number to use
CertName = user.cert # User Certificate in DER format
CertNameFile = user.keynumber # filename which contains a number to override the default value
So if the file $HOME/.muscle/user.keynumber exists, then read that file and use the number in there instead of key #1.
Note that if UserPath is defined, then this overrides the location. Instead of being
$HOME/.muscle/user.keynumber
it would be
$UserPath/$USERNAME/.muscle/user.keynumber (I think that's the value)
This would allow the administrator to specify a directory that the user cannot modify.
A better solution is to have a file that can have several values in it. Perhaps user.cert could have keywords in it, like:
--------------------------cut here-----------
#keywords
KEY=1
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOmX3yqFgwMORu9WVu1+Adayro
Jvav74yAO1GHH1XEkRP76pXKlGisA4v2QTkJXK9iaZnWJfScMDRfatrtWmuYzb0A
xSfARZWbGOKAQdRqJNqHNIkif1qRl4oGijqGlL/QvPAsTMLP8HUE0b43I67Rm2Km
6/hnGZKXn7rmt2Tu3QIDAQAB
-----END PUBLIC KEY-----
-------------------------end here--------------
We'd have to test if this would work. But then you only need one file instead of 2 (or more)...
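As an added illustration of the combined-file proposal above (example code, not part of the thread or of the MuscleCard project): a small parser that reads an optional KEY=<n> keyword ahead of the PEM block, falls back to the CertNumber default when the keyword is absent or malformed, and resolves the file location with the UserPath override. The file layout, the `user_path` behaviour and the sample key body are assumptions; the PEM body is a constructed placeholder, not a real key.

```python
import re
from pathlib import Path

# Constructed sample of the proposed user.cert: keywords first, then the
# PEM block. The base64 body is a truncated placeholder, not a real key.
SAMPLE_USER_CERT = """\
#keywords
KEY=3
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOmX3yqFgwMORu9WVu1+Adayro
-----END PUBLIC KEY-----
"""

KEYWORD_RE = re.compile(r"\s*KEY\s*=\s*(\d+)\s*")


def parse_user_cert(text, default_key=1):
    """Return (key_number, pem_text).

    Keyword lines before the PEM block may override default_key (the
    CertNumber from pam-muscle.conf). A missing or malformed KEY= line
    leaves the default in place; a file without a complete PEM block is
    rejected rather than silently yielding an empty certificate.
    """
    key = default_key
    pem_lines = []
    in_pem = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            in_pem = True
        if in_pem:
            pem_lines.append(line)
            if line.startswith("-----END "):
                break          # ignore anything after the PEM block
            continue
        m = KEYWORD_RE.fullmatch(line)
        if m:
            key = int(m.group(1))
    if not pem_lines or not pem_lines[-1].startswith("-----END "):
        raise ValueError("no complete PEM block in user certificate file")
    return key, "\n".join(pem_lines) + "\n"


def cert_path(username, home, cert_name="user.cert", user_path=None):
    """Locate the file: an admin-controlled UserPath (which the user cannot
    modify) takes precedence over $HOME/.muscle."""
    base = Path(user_path) / username if user_path else Path(home)
    return base / ".muscle" / cert_name
```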
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle