Re: IKE code for PAM

Jeff Mandel wrote:
> Does anyone know of a pam module using IKE - Internet Key Exchange?
> Before starting to gin up our own pam module for I-Key/I-Button support,
> I thought I would ask the list.
> At its most basic, I would like to use certificates for authentication
> from win to samba server, and thought that a successful IKE would
> provide sufficient authentication. If anyone has worked on something
> similar, or has any pointers on where to go to get some IKE code to
> incorporate, I would be very appreciative.
> I remember a post a while back from someone at Boeing? working on
> certificate authentication. I would like to find out what happened with
> your project there.

That might have been me.  I've been tinkering with Luke Howard's LDAP
code.  I have successfully hacked pam_ldap to do an SSL connection to the
directory server with password authentication happening on the server.
I have extended this to use a certificate stored in the user's Netscape
cert7.db file, with presentation of the password to the key database
as proof of identity.  This works, but doesn't currently check the
CRL.  All I've done is pretty much straightforward modifications
of Luke's code based on the Netscape Directory Server documentation.
My team decided to tear down and re-build the CA and Directory servers
about a month ago.  With vacations and various other absences, it's
still in parts on the floor.  :-)

Note that whatever I've done has to stay inside Boeing unless I can
figure out how to donate it to the GNU project.  There is an official
policy on this, but I'm not aware of anyone who has exercised it.

I see SSH Communications is selling an IKE toolkit.  Is that what you
were planning to use?  Roll your own?  Some other commercial product?

Paul Allen
Paul L. Allen           | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support  | paul.l.allen@boeing.com
Boeing AR&T Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207

