On Sun, 27 Feb 2005 23:21:33 -0500 (EST), AragonX <aragonx@xxxxxxxxxx> wrote:

> <quote who="Brian Fahrlander">
> > Sounds like a good start; given that it's a "keyboard wedge" how
> > would I approach such a system, via PAM? I'm not a programmer, but I
> > understand the environment, mostly...
> Ideally
> I'm considering implementing a similar system where I work. I want to use
> a USB key. It would be nice if the machine did not even present a logon
> prompt until after a USB card has been connected and the information
> verified. Then the user would get the standard Linux logon prompt. The
> major deviation is the user name would have to match the user on the
> keycard.
>
> Ideally, the certificate on the USB key would change each time the user
> logs on.
>
> Since we have three locations and central key management doesn't seem like
> a good idea, I'm thinking I would have to have some sort of machine name +
> certificate scheme.
>
> After a quick search, I came up with this site:
>
> http://pam-x509.sourceforge.net/
>
> Brian, this seems to do exactly what you want. As a matter of fact, I may
> be able to modify it to do what I want also.
>
> I'm wondering, would a fingerprint device give me any additional security
> or would it just be a waste of money?

Consider: the larger the number of prints used, the higher the number of
false positives. Which is why law enforcement agencies use computers to
narrow the search to a number that humans can process. The best bet is to
have the print matched against the print on the USB key. I believe they
also increase the number of points used for a match when this is done
(increasing accuracy).

-- 
Leonard Isham, CISSP
Ostendo non ostento.
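As an added example (my code, not from this thread and not pam-x509's): a minimal model of the scheme AragonX sketches, in which the USB key carries a per-login token bound to the machine name and the username, the typed login name must match the name on the key, and the token is rotated on every successful login so a copied key only works once. It substitutes an HMAC-SHA256 token for the X.509 certificate he mentions; the host names, user names, key layout and the per-site secret are assumptions made for illustration, and the password prompt that would follow is not modelled.

```python
"""Rotating per-login USB token bound to a machine name and username.

Added example, not code from the thread or from pam-x509. It models the
scheme described in the thread with an HMAC-based token instead of an
X.509 certificate; that substitution, the key layout and all names here
are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def derive_token(machine_secret: bytes, machine: str, user: str, counter: int) -> bytes:
    """Token = HMAC-SHA256(machine secret, machine || user || counter).

    Mixing the machine name in means a key enrolled at one site is useless
    at another, which is what lets each site keep its own secret with no
    central key management.
    """
    msg = f"{machine}\x00{user}\x00{counter}".encode()
    return hmac.new(machine_secret, msg, hashlib.sha256).digest()


class Host:
    """One site's login host; remembers the counter it expects from each user."""

    def __init__(self, machine: str, machine_secret: Optional[bytes] = None):
        self.machine = machine
        self.secret = machine_secret or secrets.token_bytes(32)
        self.next_counter: Dict[str, int] = {}

    def enroll(self, user: str) -> dict:
        """Produce the initial contents written to a user's USB key."""
        self.next_counter[user] = 0
        return self._key_contents(user, 0)

    def _key_contents(self, user: str, counter: int) -> dict:
        return {
            "machine": self.machine,
            "user": user,
            "counter": counter,
            "token": derive_token(self.secret, self.machine, user, counter),
        }

    def login(self, typed_user: str, key: dict) -> Tuple[bool, Optional[dict]]:
        """Verify the key presented before the prompt; on success rotate it.

        Returns (accepted, new key contents or None). Only after True would
        the normal Linux login prompt be shown.
        """
        # The login name must match the user on the key, and the key must
        # have been issued by this machine.
        if key.get("user") != typed_user or key.get("machine") != self.machine:
            return False, None
        expected = self.next_counter.get(typed_user)
        if expected is None or key.get("counter") != expected:
            # A replayed copy of an already-rotated key lands here.
            return False, None
        good = derive_token(self.secret, self.machine, typed_user, expected)
        if not hmac.compare_digest(key.get("token", b""), good):
            return False, None
        # Rotate: the presented token is now dead and the key gets a fresh one.
        self.next_counter[typed_user] = expected + 1
        return True, self._key_contents(typed_user, expected + 1)


def demo() -> dict:
    """Run the cases a deployment should check. All data here is constructed."""
    site_a = Host("ws-site-a")
    site_b = Host("ws-site-b")
    key = site_a.enroll("alice")

    ok1, key2 = site_a.login("alice", key)        # first login: accepted, key rotated
    replay, _ = site_a.login("alice", key)         # old key again: rejected
    wrong_user, _ = site_a.login("bob", key2)      # typed name does not match key
    other_site, _ = site_b.login("alice", key2)    # site A key presented at site B
    tampered = dict(key2, token=b"\x00" * 32)
    forged, _ = site_a.login("alice", tampered)    # right counter, bad MAC
    ok2, key3 = site_a.login("alice", key2)        # rotated key works exactly once
    return {
        "first_login": ok1,
        "replay_rejected": not replay,
        "wrong_user_rejected": not wrong_user,
        "other_site_rejected": not other_site,
        "forged_rejected": not forged,
        "second_login": ok2,
        "counter_after": key3["counter"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rotation is what turns a copied key into a one-shot credential: whoever presents the old contents second is refused, and the counter mismatch is itself a signal worth logging, since a legitimate user only ever holds the current contents.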