Security :: Web Client Authentication Through PKI And CACs?
Jul 9, 2010
I'm working on a work project related to Web (Client) authentication and DOD Common Access Cards. But I'm having difficult getting the details about what happens on the CAC side of things.
I familiar with the PKI system as it applies to e-mail. (Correct me if I err, of course.) If you want to sign an e-mail (i.e., so it can be authenticated by the receiver) you use your private key to add a digital signature to the message. Then, the receiver uses your published public key to determine if the digital signature is valid, i.e., was created using your private key (even though the receiver never actually has access to your private key).
So... my questions:
1) When a person with a DOD CAC visits a CAC-enabled web site, and the server grants access after the CAC is inserted, is the authentication process fundamentally the same as what happened with the e-mail authentication?
2) If the private key is used in this process (it would have to be, correct?) is the signature created on the CA Card electronics (i.e., the private key remains on the CAC)? Or is the private key copied onto the computer, which uses it to create the signature?
View 1 Replies
ADVERTISEMENT
Jan 10, 2010
I want to configure SSH key-based authentication and SSH password Authentication in same machine for different user .
View 1 Replies
View Related
Jan 17, 2011
I need to make a choice on what authentication protocol I want to use for Authentication and Authorization. I was looking at Radius and then literature suggested that Diameter was a better protocol. Keep in mind I need this on a hetrogeneous setup ( linux & windows together). Diameter seemed like a good fit until I discovered that the open source code no longer seems to be maintained ( C/C++).
I was also looking at Kerberos as an option though there is alot overhead with the server. SSL/TLS or EAP? I am looking for simple but secure and am new at the security protocols.
View 2 Replies
View Related
May 21, 2010
I have been used NX client on windows 7 connected to ubuntu with NX client/node/server with no issues. The matter started when I have formatted Ubuntu and reinstalled NX, from that NX connects but shows a key error as follows:
NX> 203 NXSSH running with pid: 4328
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
[code]....
View 7 Replies
View Related
Aug 6, 2011
I am running a ubuntu server and want to host a web application (php/mysql based) however I dont want to use usernames and passwords for authentication. I'd like to use a client certificate. The military uses similar technology using the CAC card to provide the certificate for authentication.
not sure if this would be done using the apache modules or if php would be a better place to play with this
View 3 Replies
View Related
Feb 2, 2011
What security mechanisms are used by recent versions of the Linux operating system during user authentication?
View 3 Replies
View Related
Mar 2, 2011
Server: Fedora 14
Client: Fedora 14
LDAP server: 389-ds
I have set up the 389 server using the default configuration. Adding user and http/pam authentication works fine. The problem I have is the client authentication. On the client machine, using "authconfig-tui" to turn on LDAP authentication it turns on sssd and use 'sss' in etc/nsswitch.conf after 'files'. I couldn't get sss working. In the end, I disabled sssd and manually changed 'sss' to 'ldap' for all configuration files including:
modify /etc/nsswitch.conf
modify /etc/pam.d/password-auth, change all sss to ldap
modify /etc/pam.d/system-auth
change /etc/sysconfig/authconfig
FORCELEGACY=yes
After these, client authentication works. I can log in to the client machine using user/password set on the LDAP server. I thought this is done but everyday the LDAP service stop functioning once or twice. I can't log in to the client machine using LDAP username/password. After restart the dirsrv on ldap server, things back to normal. I can't find any reasons from /var/log/dirsrv/ldap-xxx error file and don't know how to debug the problem.
View 3 Replies
View Related
Aug 18, 2010
I was trying to setup SSL Client authentication on only one virtual host. Here is a brief excerpt sample of my conf file for the virtual host:
<VirtualHost xx.xx.xx.xx:443>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "something"
SSLVerifyClient require
SSLVerifyDepth 2
</VirtualHost>
But when I try to check for syntax errors tells me SSLRequire not allowed here I do not want to add SSLRequire on the main httpd.conf because I only want it for one virtual host. The rest of the virtual hosts do not need it.
View 2 Replies
View Related
Sep 2, 2011
I have a openldap server running on one machine (fedora10) and pam_ldap.so and nss_ldap.so running on the other machine.
I have added a new user to the LDAP server database, this user is not created on client machine.
1. Can i login to the client machine using this new user?
2. Now if i try logging with this new user I am getting error messages, the error messages are as follows at client side
Sep 2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148
Sep 2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim
Sep 2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user "cn=min soo,ou=people,dc=samsung,dc=com" (Invalid credentials)
[Code]....
View 4 Replies
View Related
Jun 11, 2011
Just an FYI for anyone who may be having this particular problem. A short while back, I was trying to attach a picture to a Twitter post, and dropped my network connection. No big deal...connection came back, and things went on. Next time I launched Choqok, it popped up a message saying "Server Error: This method requires authentication". It was puzzling, and didn't appear to impact my use...until I went to send a direct message, and it would give that error and crash. After quitting Choqok, the file (/tmp/ksocket-user/klauncherXXXXXX.slave-socket file) was still present. Deleting that file manually cleared the error up. I've seen this mentioned in a couple of other forums, but none with a solution posted.
If anyone else has that error, and this method resolves it, please let us know. I'm using openSUSE 11.4, but it should apply to any version/distro of Linux using Choqok.
View 5 Replies
View Related
Jan 18, 2010
how to make a new Ubuntu 9.10 box use our LDAP/Samba server for user authentication. Our Red Hat and Windows machines all use it just fine. I've been trying to use the auth-client-config and libnss-ldap packages for this purpose, but I must be missing something. I'm pretty green with LDAP, so this is my first time diving in... Is there a good How-To or step-by-step read on this? All of my searches lead me to setting up Ubuntu as the server, and that isn't what I want. I've also tried the steps listed in [URL] for the LDAP Authentication section.
View 1 Replies
View Related
Jun 28, 2011
My client is on Ubuntu Lucid 10.04, I installed ipsec-tools and racoon from the repositories. The gateway is installed on a CentOS machine. I've configured everything to get a working roadwarrior configuration with authentication_method hybrid_rsa client and server. It's working in aggressive mode, but in main mode I can't get it working. I delivered new CA and certificates several times but I'm still stuck.
It seems that it comes from my client not supporting the certificate sent by the server. The client contains a copy of the CA, whereas server has a private key and a certificate signed by the CA.
[Code]...
View 3 Replies
View Related
Feb 8, 2010
I have a program to start called "pace_old".
In the command line I type it's name and get this:
What should I do ?
Distro is SuSe 11.1. Btw: I do not get this message on Suse 9.0. Pace_old runs properly there.
View 1 Replies
View Related
Mar 19, 2010
I was trying to configure user authentication in SSH using certificate method.As u all know the usual way of authentication is using the ssh-keygen method. But i want the another method where we create a certificate key and send it to the CA, which signs it and send back etc etc.I cannot find any unique procedure in the net to configure this method.
View 3 Replies
View Related
Oct 25, 2010
I have squid proxy authenticating Internet users with LDAP. It's working well. But I have problem when I authenticate to squid proxy to login to Yahoo Messenger. Each time, I login to YM application, the squid proxy popups many authentication windows. These confuse users when they you YM. I checked in squid access log and see that: when users use YM application, the application requests the following links:
[code]...
With each link, squid requires one authentication window. Do you have any ways to squid require only one authentication window when users use YM?
View 2 Replies
View Related
Aug 17, 2010
My server is connected to the Internet for ssh on port 22 with root logon disabled, a single non-dictionary word user name allowed, and pki authentication only (about as secure as I can make it). I've previously run fc5 and 9 servers using the same sshd config since 2006 and had no security troubles, so I'm happy, but.. After the fc13 install and configuration, logins from a host on a remote network are taking about 1m 30s to complete! A (partial) console output for ssh -vv appears below. The lines marked with "**" were the lines after which significant pauses happen. This is fully repeatable.
Code:
debug1: Next authentication method: publickey
debug1: Offering public key:
debug2: we sent a publickey packet, wait for reply
[code]....
View 3 Replies
View Related
Jan 7, 2010
How can I remove authentication completely from my pc?
How can I edit the files present in the patrician filesystem?
View 8 Replies
View Related
Apr 3, 2011
having a slow internet connection, I bought the all maverick repository on DVDs, copied the files on a usb drive and modified the apt sources file to consider the local repository only:
Code:
# deb file:/var/www/ubuntu_local/ ./
deb file:/var/www/maverick/dvd1/ maverick main universe restricted multiverse
deb file:/var/www/maverick/dvd2/ maverick main universe restricted multiverse
deb file:/var/www/maverick/dvd3/ maverick main universe restricted multiverse
[code]....
Even though I am reasonably sure it is safe, this local repository is not authenticated and I can only install package through the command line or synaptic, the Ubuntu Software Centre giving an error message "Requires installation of untrusted packages"...I thus would like to disable the apt authentication check for this local repository.
View 2 Replies
View Related
Jun 25, 2011
Does anyone know if/how its possible to integrate HOTP authentication into GDM login manager? Basically what I want to do is have it ask for the password of the account, then another prompt come up asking for the code for the account.
I know how to set it up, but I'm know if modifying the PAM module for requiring OATH/HOTP authentication will make this happen or if it will just break the system...and this is one thing I don't want to have to fix.
View 1 Replies
View Related
Mar 3, 2010
I want to use AD sys accounts to logon to linux servers. What is the best and most secure way to do this. This because we want to ensure it is tracable when a server administrator makes changes to a linux server. Now we use root to make changes to the servers.
View 13 Replies
View Related
Mar 9, 2010
I have installed CentOS 5.2. I want to login automatically for an user without authentication.
View 2 Replies
View Related
Jun 23, 2010
Im using CenOs 5 and have install a mail system(postfix+dovecot),when I trying to enable selinux for enforcing mode and i'm have some issue, the user authentication failed. How can i to fix this problem?
View 2 Replies
View Related
Jan 26, 2011
I have intalled RADIUS server on one machine which has fedora 10. I have installed freeradius-server-2.1.10 on it(server machine IP 10.150.110.42).
I have one more machine with redhat linux on which i have installed pam_radius-1.3.17(client machine IP 10.150.113.4).
I have done the follwoing configuration at both sides
SERVER SIDE.
users file
"vijay" Auth-Type := Local, Cleartext-Password == "123qwe", NAS-IP-Address == "10.150.113.4"
Reply-Message = "Hello, %u"
[Code]....
Above mentioned is my configuration. when i try to connect client with SSH it is not sending a request for authenticating user to RADIUS server. what else configuration i have to do, or if there are any mistakes in my configuration
View 2 Replies
View Related
Mar 7, 2011
I'm using Ubuntu Lucid Lynx and every time I search for updates it ask for authentication. I'd like to search and apply updates without confirmation. Is it possible in some manner?
View 5 Replies
View Related
Aug 6, 2010
As part of the project I'm working on, I need to set up a server with IPSec authentication only connections to a large number of low bandwidth clients. I'm making use of the PF_KEY interface to populate the keys on the server and while prototyping things I've found that the initial setup is taking longer than I had expected. At the start of my test, entries are being added to the database at a rate of around 30/second, but as time goes on this is dropping significantly. I ran a test up to around 100k entries and by then the rate had dropped to 10/second. It's key to me that if I reboot my server that the Security Associations can be repopulated in a very short period, so I do genuinely need this to be much faster.
Two questions:
1) Does anyone have any experience of running with a large number of SAs set up, and if so what sort of setup rate did you get?
2) Are there things I can do to speed up the provisioning of these SAs? I'd really like to see a rate in the thousands per second.
We've been doing the prototyping on the 2.6 kernel.
View 1 Replies
View Related
Feb 10, 2011
I'm new in UNIX & trying to access the server using SSH but I encounter this error PAM Authentication Error. I use edit /etc/ssh/sshd_login & set the PermitRootLogin to yes. But didn't work. I used this command ps -ef | grep sshd & saying Process environment requires procfs(5). I don't know what to do now. What I want is access it by SSH but I got Access Denied. [MOD]Pruned from [URL]. create your own thread instead of resurrecting a five year old one.[/MOD]
View 1 Replies
View Related
Jan 11, 2011
I have a strange behaviour on a Slackware 13.1 box:
Code:
user@host$ su
su: Authentication failure
[code]...
View 5 Replies
View Related
Mar 1, 2010
I would like to have a web site pop-up on the persons laptop that connects to my wifi network. The page will let them know this is my network and give a list of shares on the network. Then click ok to get wireless authentication. Something like you get when you connect to a wireless connection in a hotel. software i can install on my Ubuntu 9.10 server to do this.
View 1 Replies
View Related
Apr 5, 2010
i have successful secure ldap replication but i could not make ldap client to direct its authentication to slave ldap
here is my config file on ldap client (i am not sure if it is the right place though)
ip : 192.168.1.183 is master ldap
ip : 192.168.1.185 is slave ldap
pico /etc/ldap/ldap.conf
#
# LDAP Defaults
code....
View 11 Replies
View Related
Aug 19, 2009
while tampering with the settings for my wireless connection by right-clicking on the icon on the top menu i was originally asked for my password for authentication. i selected the option to remember the password for future sessions unintentionally.
how do i get it back to the original setting so that it asks for a password before allowing me into the editing screen? i tried preferences > system > authorisations > network-manager-settings, but it didnt work.
View 2 Replies
View Related
