SmartCards, BSD and Linux?
Gilles Cherix asks: "I just came back from an IT Expo where Sun demonstrated their brand new SunRay appliances. These are cool and cute little boxes with a smart card reader ... the card is used for authentication and everything is executed from a Sparc server. I'm wondering if my favorite Open Source operating systems can do something similar: that is, if there is support for smartcard reader/writers in *BSD or Linux. The rest is a question of some coding but that would be an interesting alternative for me since I have to manage new accounts every day and I don't want to spend very much money for Sun hardware."
All right, I don't know very much about authentication under Linux, but:
At my university we have a shitload of Sunray2 terminals. They have a smartcard reader, which is, as the person asks, used for authentication. This is the way it works: instead of logging in and out, you just throw in your smartcard. This is not the cool part; the cool part is that, when you insert your card, your desktop comes up exactly like you left it. Programs and files open, window positions, the works.
So, getting the authentication part should be possible, but getting the "desktop popping up the way you left it" is the tricky part, at least if you ask me.
or else I'm just drunk and babbling about stuff I don't get...?
Have a look at VNC - it's open source, from http://www.uk.research.att.com, and works pretty well to remotely access your desktop. It's completely stateless, so it would work fine in this scenario. The only hassle is its bandwidth usage but that could be improved with better compression.
You should have paid attention to the tech specs, or asked more questions....
That's not Ethernet running out of there. Well, it's Ethernet hardware, but it's a proprietary transport. The abstraction necessary to get such a setup working is not anywhere close to being implemented. The entire Sound and Video format is rewritten to be abstracted from the actual display/audio hardware. It works something like this, though I'm not sure of the "real" details....
X Framebuffer/Sound buffer --> Abstraction layer --> Session Manager --> Transport driver --> SunRay --> Abstraction realizer --> Display Hardware
We probably have the working of the display and sound abstractors (Virtual Framebuffers and the architecture of ESound), but the rest will all have to be implemented. The speed of the thing comes from the fact that all of the abstraction/encoding/decoding is done in hardware. Software abstraction and realization will be VERY slow and prohibitive of just running cheap standalone Linux systems.
In addition, the packages to make the server a SunRay server change the session management of the processes run by a user, in that it needs to be able to intelligently stop and start (not kill and restart) processes as displays attach and reattach, and handle extended swapping and reallocating of resources. The fact that it's a smartcard controlling it is trivial compared to the engineering needed to get the process working. For that matter, you can just encode a small PAM module that lives on the client to authenticate by fingerprints, voice, or whatever.
If you get it figured out, more power to you :)
Check out MUSCLE...I think that is what you are looking for. The site for it is here. IIRC, this project was started/is maintained by someone attending the grandest university of them all.
This means with only the smartcard, which can be replicated or used without your knowledge by another party, people other than you can access your data.
It is much easier to get hold of another person's smartcard than their login/pass.
From a security perspective the smartcard isn't bad, and in combination with login/pass it even enhances security.
Humm, will the smartcard be replaced by fingerprints and eyeprints in the future?
Heh. To get something like that running is not all that hard - all the _needed_ pieces exist already. Combine VNC for the display, NAS for the sound, and a smartcard authenticating thingie that automatically attaches your VNC session on the server when you insert the smart card, and 99% of a SunRay is in place.
The box indicates that there are developer tools at linuxnet.