Simon Posnjak
2003-Nov-28 18:14 UTC
[Samba] Samba and the use of smart cards for authentication
Hi,

We have a Windows-based network. Now we would like to secure all the computers with the use of smart cards (so that people can log on with a smart card). For testing purposes we bought some card readers and now we are trying to set up a testing lab. The first problem we ran into is that we would need W2K Server for Active Directory and the MS CA. Until now we used Samba for print and file serving, so we thought that we would use Samba also for authentication.

I read a lot of documentation but I didn't find any information about how to use smart cards for authentication with Samba. Can this be done? Any information would be deeply appreciated. Thank you.

Regards
Simon
Philip Edelbrock
2003-Nov-28 21:44 UTC
[Samba] Samba and the use of smart cards for authentication
I've played a little bit with smart cards and tokens. They are a bit messy to implement. I didn't like the idea of special software/hardware installed on the client to get such a system in place. There are some other ways to do the same thing, though, that may solve a lot of the issues you may be confronted with.

For example, you may want to take a look at the RSA SecurID tokens. [1] I haven't set up a system with them, but I like how they work. Instead of being connected by hardware to the client computer, they simply have a small LCD display of numbers that constantly change every minute. You use that set of numbers along with a personal code (PIN) as your password to authenticate with the server. On the server, the authenticator is a PAM module, so in theory it can be used with Samba, SSH, Apache, whatever can use PAM! The key fob version costs about $55 each (probably around as much as you paid for your card readers?). [3]

Back to smart cards, I've played a little bit with the Cryptoflex tokens by Schlumberger (now Axalto) [4]. The e-gate version allows you to use them in a USB token so you don't need a dedicated reader to use it.

The end result is the same, though: you need a PIN and a physical item (card/token) to authenticate. The difference is that the smart card/USB token may make it a little easier for the end user, provided that all the software on the client box is set up right. With something like the SecurID, the end user will need to take the extra step to copy a number from the display on the token into the password box on the computer, but it allows the token to work from any client (and OS), making it much easier for the administrator to deploy.

Good luck!
Phil

[1] http://www.rsasecurity.com/products/securid/hardware_token.html
[2] http://www.rsasecurity.com/download/
[3] http://www.streetprices.com/x/search.cgi?query=securid
[4] http://www.axalto.com/infosec/cryptoflex_win.html

On Fri, 28 Nov 2003, Simon Posnjak wrote:

> Hi,
>
> We have a windows based network. Now we would like to secure all the computers
> with the use of smart cards (so that people can log on with a smart card).
> For testing purposes we bought some card readers and now we are trying to set
> up a testing lab. First problem we ran in to is that we would need W2K Server
> for Active Directory and the MS CA. Until now we used Samba for print and
> file server, so we thought that we would use Samba also for authentication. I
> read a lot of documentation but I didn't find any information about how to
> use smart cards for authentication with Samba. Can this be done? Any
> information would be deeply appreciated? Thank you.
>
> Regards Simon
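
An added example, not part of the thread and not RSA's code: the server-side check for a "PIN plus changing number" passcode as the reply describes it. It uses the open TOTP/HOTP construction (RFC 6238 / RFC 4226) as a stand-in, since SecurID's own algorithm is not shown in the thread; the `Verifier` class, the 60-second step, the 6-digit length and the sample secret and PIN are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # assumption: one code per minute, as the reply describes
DIGITS = 6   # assumption: length of the displayed code

def token_code(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical per-user state an authentication module would keep."""

    def __init__(self, secret: bytes, pin: str, drift: int = 1):
        self.secret, self.pin, self.drift = secret, pin, drift
        self.last_counter = -1   # highest time step already accepted

    def check(self, passcode: str, now: float) -> bool:
        """passcode is the PIN followed by the code shown on the token."""
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        current = int(now) // STEP
        matched = None
        # Tolerate token clock drift of +/- `drift` steps, but never accept
        # a step at or below one already used (blocks replay of a seen code).
        for c in range(current - self.drift, current + self.drift + 1):
            if c > self.last_counter and hmac.compare_digest(
                    code.encode(), token_code(self.secret, c).encode()):
                matched = c
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False

if __name__ == "__main__":
    # Constructed sample values: RFC 4226 test secret and a made-up PIN.
    v = Verifier(b"12345678901234567890", "4711")
    print(v.check("4711287082", now=60))   # valid PIN + code for step 1
    print(v.check("4711287082", now=61))   # same code again: rejected
```

The replay check is what keeps a passcode captured on the wire from being reused within its one-minute window, which a plain password check behind the same login prompt would not give you.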