Nicolas Williams wrote on 12/ 1/06 09:15 AM:
> On Fri, Dec 01, 2006 at 04:49:53PM +0100, Bart Blanquart wrote:
>> === INTRODUCTION ===
>> --------------------
>>
>> When logging in remotely it is possible to use certificates or keys
>> to establish the user's identity, but this is only possible if the
>> host from which the login is initiated is under control of the user
>> (so that the keys or certificates can be stored securely).
>
> Note that smartcards are one way for users to deal with untrusted client
> hosts. I suppose you want to avoid making smartcards a requirement; say
> so :)
From a security perspective, that may be true, although you still risk exposure of the PIN used to unlock the card (one of your two factors). From a practical perspective, an untrusted client probably isn't going to have the right "middleware" that's needed to make your particular type of smart card usable, if it even does have a card reader.

[snip]

> Adding support for a distributed OTP shouldn't be hard (unless we're
> talking about full RADIUS or DIAMETER support).

I think there'd be value in a supported pam_radius in Solaris, because that would enable use of existing "AAA" providers. The FreeRADIUS project has an implementation that works on Solaris:

http://www.freeradius.org/pam_radius_auth/

'course if you want a complete solution, you'd need the server-side of RADIUS too (with your chosen OTP "engine" behind it)... but maybe FreeRADIUS could help with that too...

Whatever happened to OPIE anyway? :)

~Iain