other device to store configuration!

John Dennis jdennis at redhat.com
Thu Apr 2 23:48:31 CEST 2009


new conf wrote:
> Effectively John.. to be able to access the smartcard, I use PCSC lite 
> tool... but the language to communicate is "low level"
> I'll see about PKCS11 + OpenSSL
pcsc-lite uses PKCS11 to access the smartcard. I don't think you 
understand the relationship between all the components yet. Start with:

1) why am I using a smart card?
2) how does a smartcard protect key data?
3) where do cryptographic operations occur?
4) where is my key data located?
5) what key data does the freeradius server need access to and at what time?
6) how will the freeradius server get access to the key data when it 
needs it?

If you can answer these questions your search for the solution will be 
much more directed.

And here's a good one you can't forget to ask:

7) what is the physical security of my freeradius server with the smart 
card inserted?

Also don't forget to consider:

8) Will you PIN-protect the key data on the card, and where will you 
locate the PIN? Can you tolerate rogue processes utilizing the key data 
on the card if the card is not PIN-protected or the PIN is stored on 
disk? If the card is PIN-protected and you don't store the PIN on disk, 
can you tolerate the need for an administrator being physically present 
to unlock the card upon restart?

-- 
John Dennis <jdennis at redhat.com>

More information about the Freeradius-Users mailing list