PAM with Credit Cards

David Hoffman dhoffman2004 at gmail.com
Sun Feb 27 13:51:41 UTC 2005


On Sun, 27 Feb 2005 07:37:25 -0600, Brian Fahrlander
<brian at fahrlander.net> wrote:
> 
>    I'm looking into something...maybe some long-term plans. Let's say I
> handed out a bunch of magnetic cards for students to use, each with a
> name on it and/or PIN, and wanted them to walk up to a PC with a reader
> and use that card (probably authorized by LDAP somehow) to 'be' their
> login/password.
> 
>    How tough would it be to write that kinda PAM module?  Has anyone
> here done it?
> 

Considering that most MagStripe readers will send input through the
keyboard port (although there are some that are a direct serial
connection) you may not have to do much other than be sure that the
information in the stripe is encoded properly. What I mean is that it
would be the same as walking up to a machine with a login prompt and
typing the username, a carriage return, a password, and another
carriage return.

However, I would be more concerned about security. If someone loses a
card, then anyone else who finds it is in the system.

Any type of physical security device should always be backed up by
something that the user knows. Even SecurID cards only contain enough
information to authenticate that the user should be granted access,
but they are only good if the second piece of the puzzle is there, and
that would have to be the user's login name or some other
information. For a better example, you can't just go to your bank with
someone else's ATM card and get money... you have to know the PIN as
well. So my suggestion is that while you may use the card for entering
a user name, it would not be secure to use it for the user name AND
password.
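
The suggestion in the reply above, as an added example that is not part of the original message: the swipe supplies only the account name, and a PIN typed by the user is checked separately, with a lockout so a found card allows only a few guesses. The track layout (`;<id>=<data>?` followed by Enter), the lockout threshold, the in-memory store and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Track 2 as a keyboard-wedge reader types it: ";<id>=<other data>?" + Enter.
# Assumption: the card's primary field holds the student's account id.
TRACK2 = re.compile(r";(\d{1,19})=(\d*)\?")
MAX_FAILURES = 3  # assumed lockout threshold


def card_to_username(swipe):
    """Return the account id from one swipe, or None if it is malformed."""
    m = TRACK2.fullmatch(swipe.strip())
    return m.group(1) if m else None


def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(db, account, pin):
    """Store a salted PIN hash; the PIN itself is never written to the card."""
    salt = os.urandom(16)
    db[account] = {"salt": salt, "hash": _hash_pin(pin, salt), "failures": 0}


def authenticate(db, swipe, typed_pin):
    """Card supplies only the identity; the typed PIN is the secret."""
    account = card_to_username(swipe)
    rec = db.get(account) if account else None
    if rec is None or rec["failures"] >= MAX_FAILURES:
        return False
    if hmac.compare_digest(rec["hash"], _hash_pin(typed_pin, rec["salt"])):
        rec["failures"] = 0
        return True
    rec["failures"] += 1  # a found card allows only a few PIN guesses
    return False


# Constructed sample data, not real card contents.
users = {}
enroll(users, "20050227", "4821")
SWIPE = ";20050227=0000?\r"
```
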



