[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: IKE code for PAM



Thanks for the run-down on your project. I'm using luke's stuff too pam module
and ypldapd.

I'm wanting to store certificates on a token/smart card device, instead of a
local certdb file. On the windows side, there will have to be some program
that handles the login to the token, and a service which would listen to port
500. Then when connecting to samba, the pam module attempt a key exchange with
the service running on windows. If the IKE is successful, then they would
clear samba authentication.

I know of the SSH IKE/IPSec toolkit, but haven't yet really checked it out
yet. I don't know of any commercial implementations on the windows side that
would read a token and provide an IKE service.

I was thinking of rolling my own module with some publicly available IKE code,
if I can find some. That same code would be used to make the service on
windows as well.

On the pam side, the key exchange service module would talk with the key
exchange module on windows (or any other IKE service for that matter); it
would retrieve the user's key for challenge from the ldap server. (This is not
encrypting the session, just managing the authentication. Running the whole
thing over SSL is beyond the scope of this exercise.)

Any advice or pointers for IKE would be appreciated.

Jeff

Paul Allen wrote:

> Jeff Mandel wrote:
> >
> > Does anyone know of a pam module using IKE - Internet Key Exchange?
> >
> > Before starting to gin up our own pam module for I-Key/I-Button support,
> > I thought I would ask the list.
> >
> > At it's most basic, I would like to use certificates for authentication
> > from win to samba server, and thought that a successful IKE would
> > provide sufficient authentication. If anyone has worked on something
> > similar, or has any pointers on where to go to get some IKE code to
> > incorporate, I would be very appreciative.
> >
> > I remember a post a while back from someone at Boeing? working on
> > certificate authentication. I would like to find out what happened with
> > your project there.
>
> That might have been me.  I've been tinkering with Luke Howard's LDAP
> code.  I have successfully hacked pam_ldap to do a SSL connection to the
> directory server with password authentication happening on the server.
> I have extended this to use a certificate stored in the user's Netscape
> cert7.db file, with presentation of the password to the key database
> as proof of identity.  This works, but doesn't currently check the
> CRL.  All I've done is pretty-much straight-forward modifications
> of Luke's code based on the Netscape Directory Server documentation.
> My team decided to tear down and re-build the CA and Directory servers
> about a month ago.  With vacations and various other absences, it's
> still in parts on the floor.  :-)
>
> Note that whatever I've done has to stay inside Boeing unless I can
> figure out how to donate it to the GNU project.  There is an official
> policy on this, but I'm not aware of anyone who has exercised it.
>
> I see SSH Comminications is selling an IKE toolkit.  Is that what you
> were planning to use?  Roll your own?  Some other commercial product?
>
> Paul Allen
> --
> Paul L. Allen           | voice: (425) 865-3297  fax: (425) 865-2964
> Unix Technical Support  | paul.l.allen@boeing.com
> Boeing AR&T Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207
>
> --
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []