[AKosygin]

Quote:

Originally Posted by sross

Seems interesting but I don't know much about the benefits of such a system. Is this a method to say, prevent trolls from abusing your forums? Is it not easy for someone to own several bogus smart card id's to use as they please? What does this do in real world examples? Are there problems with international users obtaining the smart card key? Where do they get it from, etc? Thanks!

There are two ways to use this modification:
1.) Require SmartCard (or Client SSL Certificates) IN ADDITION to Interactive (Password) login.
OR
2.) Allow SmartCard (or Client SSL Certificates) to REPLACE Interactive login.

Currently the modification is set to option 2, where you can use a SmartCard or Client SSL Certificates bound to your browser to login instead of entering a username and password.

As for several bogus smart card IDs, SmartCard relies on a Public Key Infrastructure, and the Certificate that certifies that the user that is saying who they are must be signed by a Certification Authority that you trust. So, if you setup the Apache mod_ssl correctly, Apache should refuse (or tell you of) any trust failures; meaning that if the Certificate Authority is not the one you trust that is certifying the client certificate, it will refuse it or tell you it failed to verify. Therefore it is important to setup mod_ssl correctly.

If the Certificate Authority that you trust is handing out certificates just to anyone that says that they are you without verifying this, then you probably need to find another CA that is more trustworthy.

This is especially useful in protecting the adminCP and modCP to rather paranoia levels, requireing two factor authentication if you use it IN ADDITION to the regular login. If you use it in addition to the regular login, the user must present the correct username and password AND the correct certificate. So what you know (username/password) and what you have (certificate/SmartCard).

I will be including the modifications for the "IN ADDITION" part a bit later, but it definitely needs clean-up. The mod definitely relies heavily on mod_ssl to work correctly, but that is the technical limitation.

As for international users, they could use it in the sense that they install the certificate to their browsers as an added security that the would be intruder would also need to steal that file also instead of just guessing at the username/password. But otherwise, you can easily get SmartCards and its accompanying reader from eBay. Older IBM SecureWay SmartCards are cheap, about $1 or so each (1024 bit keys), less security than more recent industry standards (2048 bit keys), but affordable. The readers range in price, from $9 to $50 each. But as I said, you can just install the certificate to the browser to create an extra layer or make login more simple when you are at home.

EDIT: You can use openssl with opensc (or just openssl), or Microsoft's Certification Authority function on Windows Server OSes, or you can use a real CA like Verisign. Just make sure that the certificate issued has "Client Authentication" it is Application Usage. In theory, you can set the trust to trust Verisign CA, then get an email certificate from Verisign and you can use that to login (or if you bound it to your SmartCard, use the SmartCard to login).