On Sat, 2003-11-29 at 08:44, Philip Edelbrock wrote:
> I've played a little bit with smart cards and tokens. They are a bit
> messy to implement. I didn't like the idea of special software/hardware
> installed on the client to get such a system in place. There are some
> other ways to do the same thing, though, that may solve a lot of the
> issues you may be confronted with.
>
> For example, you may want to take a look at the RSA-SecurID tokens. [1] I
> haven't set up a system with them, but I like how they work. Instead of
> being connected by hardware to the client computer, they simply have a
> small LCD display of numbers that constantly change every minute. You use
> that set of numbers along with a personal code (PIN) as your password to
> authenticate with the server. On the server, the authenticator is a PAM
> module, so in theory it can be used with Samba, SSH, Apache, whatever can
> use PAM!
The problem is, Samba cannot use PAM, not for domain logons, and not without client modifications even for file sharing. You could write an authentication module for Samba that accepted NTLM logins from the clients, and looked up the appropriate one-time password (much as we currently look up the long-term password); however, MS clients assume that the password does not change, and will transparently reconnect with the old password. If you are lucky, they might pop up a 'wrong password' box, but RPC services in particular don't handle this kind of fault well (printing is a good example).

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
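The following is an added illustration of the failure mode Andrew describes, not code from the thread or from Samba. It models the server side of a "PIN + token code" password: a time-based HMAC one-time password (RFC 4226/6238 style, standing in for SecurID's proprietary token algorithm, which is an assumption on my part) is verified with a small clock-skew window, and any code already consumed is refused. The first logon succeeds, a client that transparently reconnects with the same cached password is rejected, and the next minute's code is accepted again. The seed, PIN and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real deployment provisions a per-token seed once.
DEMO_SEED = b"constructed-demo-seed-not-real"
DEMO_PIN = "1234"
STEP_SECONDS = 60  # the display in the thread changes every minute


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the current time step (what the LCD shows)."""
    return hotp(seed, at // step)


class OtpVerifier:
    """Server side: password = PIN + token code, each code accepted at most once."""

    def __init__(self, seed: bytes, pin: str, step: int = STEP_SECONDS, window: int = 1):
        self.seed = seed
        self.pin = pin
        self.step = step
        self.window = window          # steps of clock skew tolerated either side
        self.last_counter = -1        # highest time step already consumed

    def verify(self, password: str, now: int) -> bool:
        if not password.startswith(self.pin):
            return False
        code = password[len(self.pin):]
        counter = now // self.step
        # Try the newest candidate first; skip anything already used, so a
        # replayed (cached, resent) password never authenticates twice.
        for candidate in range(counter + self.window, counter - self.window - 1, -1):
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_counter = candidate
                return True
        return False


def demo() -> tuple:
    """Initial logon, transparent reconnect with the old password, next-minute logon."""
    v = OtpVerifier(DEMO_SEED, DEMO_PIN)
    t0 = 1_070_000_000                       # constructed timestamp (late Nov 2003)
    first_pw = DEMO_PIN + totp(DEMO_SEED, t0)
    first = v.verify(first_pw, t0)           # True: fresh code
    reconnect = v.verify(first_pw, t0 + 5)   # False: same code replayed by the client
    next_pw = DEMO_PIN + totp(DEMO_SEED, t0 + 60)
    later = v.verify(next_pw, t0 + 60)       # True: the display has moved on
    return first, reconnect, later


if __name__ == "__main__":
    print(demo())
```

The middle result is the interesting one: an NTLM client that silently re-sends the password it cached for the first session presents exactly this replayed string, and a correct one-time-password verifier has to refuse it, which is why the reconnect surfaces as an unexplained "wrong password" or a failed RPC call rather than a clean re-authentication.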
