other device to store configuration!
John Dennis
jdennis at redhat.com
Thu Apr 2 23:48:31 CEST 2009
new conf wrote:
> Effectively John.. to be able to access the smartcard, I use PCSC lite
> tool... but the language to communicate is "low level"
> I'll see about PKCS11 + OpenSSL

pcsc-lite uses PKCS11 to access the smartcard. I don't think you
understand the relationship between all the components yet. Start with:

1) why am I using a smart card?
2) how does a smartcard protect key data?
3) where do cryptographic operations occur?
4) where is my key data located?
5) what key data does the freeradius server need access to and at what time?
6) how will the freeradius server get access to the key data when it
needs it?

If you can answer these questions, your search for the solution will be
much more directed.

And here's a good one you can't forget to ask:

7) what is the physical security of my freeradius server with the smart
card inserted?

Also don't forget to consider:

8) Will you pin protect the key data on the card and where will you
locate the pin? Can you tolerate rogue processes utilizing the key data
on the card if the card is not pin protected or the pin is stored on
disk? If the card is pin protected and you don't store the pin on disk,
can you tolerate the need for an administrator being physically present
to unlock the card upon restart?

--
John Dennis <jdennis at redhat.com>