Hi all,

I'm looking for a way forwards to get cryptocard (http://www.cryptocard.com/) authentication working for a client who uses FDS. There are a number of possibilities that I'm thinking of, but here are the basics:

* Cryptocard has its own authentication server, but provides a PAM module for Linux. Therefore it should be possible to use the PAM passthru FDS module mentioned here a while back:
  http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/?root=dirsec

* Cryptocard apparently supports a RADIUS style authentication. Perhaps use SASL in some way that back ends on to RADIUS?

Has anyone any other ideas or can suggest a best way of doing this?

--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9368 0728
fax: 02 9368 0758

Stephen John Smoogen
2006-Sep-21 17:46 UTC
Re: [Fedora-directory-users] cryptocard and FDS
On 9/20/06, Del <del@babel.com.au> wrote:
>
> Hi all,
>
> I'm looking for a way forwards to get cryptocard (http://www.cryptocard.com/)
> authentication working for a client who uses FDS. There are a number of
> possibilities that I'm thinking of, but here are the basics:
>

I do not have any FDS experience at this moment, but some cryptocard experience. In most cases you will want the cryptocard server to be 'frontended' by other servers to keep it from getting overwhelmed in a large environment (or dealing with security concerns).

                        |-RADIUS Server ----|
[CRYPTOCARD-SERVER] ----|                   |---client1
                        |-Kerberos Server---|
                        |                   |---client2
                        |-LDAP-Servers------|

[Hope the ascii art works out]

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

> * Cryptocard has its own authentication server, but provides a PAM
> module for Linux. Therefore it should be possible to use the PAM passthru
> FDS module mentioned here a while back:
> http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/?root=dirsec
>
> * Cryptocard apparently supports a RADIUS style authentication.
> Perhaps use SASL in some way that back ends on to RADIUS?
>
> Has anyone any other ideas or can suggest a best way of doing this?

Does this help?
http://www.cryptocard.com/index.cfm?pid=493&pagename=LDAP%20Authentication%20Example

If you want to have LDAP client binds use cryptocard authentication then you would need a SASL plugin (or possibly PAM, if the exchange is one-way as in SecurID). Cryptocard folks don't seem to have considered this need in their literature (which seems strange since it would give them much wider application support without much work).