other device to store configuration!

John Dennis jdennis at redhat.com
Thu Apr 2 22:25:00 CEST 2009


new conf wrote:
> *thank you Stefan, *
>
> /Use that path as
> option to --with-sysconf-dir=/
>
> that means, when compiling the radius at installation?
>
> *to Ivan Kalik:*
> /
> Best advice - don't do that!!! Certificates are *much* safer on a server
> than on a USB device - what are you going to do if someone walks off
> with it?/
>
> :) yesss I'm with your advice, but if the usb device is a smartcard,
> it becomes other thing.. the problem is that I must understand what are
> the input/output of this device to reach it and extract the information..
> ouuf, lonng road!! :(
>
You can't just mount a smartcard as a mass storage device and access key 
data, that would defeat the entire purpose of a smartcard. Managing keys 
on a smartcard is one of the problems PKCS11 was developed to address (I 
believe you'll also need a driver specific to the smartcard that PKCS11 
will load, your smartcard vendor can provide this for you). OpenSSL has 
some type of support for PKCS11, exactly what I'm not sure, but that's 
the direction you want to head, learn how to configure OpenSSL for 
PKCS11. Armed with that information you'll be able to ascertain if the 
current OpenSSL support in FreeRADIUS is sufficient to pass that 
configuration information down to OpenSSL when it initializes (this 
might very well require a code change).

-- 
John Dennis <jdennis at redhat.com>
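
As an added illustration of the direction suggested in the reply above (not part of the original message and not FreeRADIUS's own configuration), this is an `openssl.cnf` fragment that loads a PKCS#11 engine so OpenSSL reaches keys through the card's driver rather than through a file. It assumes the `pkcs11` engine from the libp11 project is installed; both file paths are assumed placeholders, and `MODULE_PATH` should point at the PKCS#11 driver your smartcard vendor supplies.

```ini
# Added example: OpenSSL configuration that loads a PKCS#11 engine.
# This line must sit in the default (unnamed) section at the top of openssl.cnf.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Name of the section that configures the engine registered as "pkcs11".
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Assumed path: the OpenSSL engine shim (libp11's pkcs11 engine).
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# Assumed path: the vendor- or OpenSC-provided PKCS#11 driver for the card.
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# Defer engine initialisation until an application actually asks for it.
init = 0
```

Whether FreeRADIUS can then hand OpenSSL a key reference on the token instead of a key file is the open question the reply raises; this fragment only covers the OpenSSL side.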
