On Fri, Dec 01, 2006 at 10:50:25AM -0800, Iain MacDonnell wrote:
> Nicolas Williams wrote on 12/ 1/06 09:15 AM:
> >
> >
> From a practical perspective, an untrusted client probably isn't going
> to have the right "middleware" that's needed to make your particular
> type of smart card usable, if it even does have a card reader.

I was alluding to that with my supposition that smartcards are not a
desired requirement here.

> [snip]
> >Adding support for a distributed OTP shouldn't be hard (unless we're
> >talking about full RADIUS or DIAMETER support).
>
> I think there'd be value in a supported pam_radius in Solaris, because
> that would enable use of existing "AAA" providers. The FreeRADIUS
> project has an implementation that works on Solaris:
>
> http://www.freeradius.org/pam_radius_auth/

Point.

> 'course if you want a complete solution, you'd need the server-side of
> RADIUS too (with your chosen OTP "engine" behind it)... but maybe
> FreeRADIUS could help with that too...

Well, yes, FreeRADIUS is a RADIUS server... There seem to be a number
of open source RADIUS and DIAMETER server implementations.

I think Bart wants a local-only solution, which makes sense for some
things, but generally I'd prefer a PAM module that supports AAA, not
just local-only OTP.

Perhaps we should work to include some open source AAA in the Solaris
Companion CD? Or even integrate some into Solaris?

> What ever happened to OPIE anyway? :)

What of it?

Nico
--