2 factor authentication with x509 digital certificate.
Sreedhar Balasubramanian
Forum Member (31 reputation)
Group: Forum Members
Posts: 2, Visits: 15
Hi, I have purchased a license of Pragma Fortress 5.0, which I will use to test my development (not yet done) to support two factor authentication with x509 on my server device. I have the following queries about 2 factor authentication with x509 digital certificate.

1) Is a CAC smart card reader mandatory for 2FA? I understand that the CAC smart card reader is physically connected via USB to the system where the Pragma client is installed and Pragma Fortress prompts for the PIN when the CAC reader is physically reset. Can't I use the PIN from a Google Authenticator OTP? If yes, there should be a way to provide the Google OTP to Pragma Fortress without a smart card reader.

2) If Google Authenticator cannot be used, then what generates the PIN? Does the CAC reader have the software to generate the random PIN? I understand it just allows insertion and detection of the smart card.

3) Does the x509 certificate have any field that is used as a password to which the PIN is appended when sending the authentication request to the AAA server, or should the SSH server prefix its own password to the PIN to send to the AAA server?

4) Is it mandatory to have the x509 certificate on the smart card inserted into the CAC reader?

Thanks
Sreedhar

Technical Support Group (TSG)
Pragmateer (1.6K reputation)
Group: Moderators
Posts: 144, Visits: 648
The Pragma Fortress SSH Server is a native Windows implementation and Windows doesn’t really have a native version of PAM. There is GINA, which is PAM-like but more focused on interactive graphical logons. There are a couple of third-party GINA plugins that support OTP, but we haven’t tried them. That said, we use standard Windows calls (LogonUser) to get a logon token when using password authentication, so, assuming they integrate with Windows on that level, I don’t see why it wouldn’t work, but I can’t really provide any guidance on that front.

As to the second question: two factor authentication typically means something you have and something you know. For a smartcard logon, you have the card and know the PIN. For password+OTP you know the password and have an authenticator. Smart card PINs don’t need to get synchronized with the server. The PIN just allows the card to perform the signing operation required by the authentication. It isn’t actually passed to the server. So long as the server has the public key, they can verify the signature.



Pragma Systems Technical Support
13809 Research Blvd, #675
Austin, TX 78750
http://www.pragmasys.com
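The smart card flow described in the reply above, as an added illustration that is not part of the original thread and not Pragma Systems' code: a simulated card holds the private key, refuses to sign until the correct PIN is presented (the PIN check happens on the card and the PIN is never transmitted), and the server, holding only the enrolled public key, verifies the signature over a fresh random challenge. The card, server and user name are constructed for this example; a real deployment would take the public key from the X.509 certificate on the card.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SimulatedCard stands in for a smart card (constructed for this example):
// the private key never leaves the card, and signing is refused until the
// PIN has been verified on-card. A retry counter models the card blocking
// itself after repeated wrong PINs.
type SimulatedCard struct {
	priv     *ecdsa.PrivateKey
	pin      string
	unlocked bool
	retries  int
}

// NewSimulatedCard generates a P-256 key pair "on the card" and sets its PIN.
func NewSimulatedCard(pin string) (*SimulatedCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimulatedCard{priv: priv, pin: pin, retries: 3}, nil
}

// PublicKey is the only key material the server ever needs (in practice
// it comes from the certificate on the card).
func (c *SimulatedCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// VerifyPIN unlocks the card. The PIN is compared locally and is not part
// of any message to the server.
func (c *SimulatedCard) VerifyPIN(pin string) error {
	if c.retries == 0 {
		return errors.New("card blocked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.retries--
		return errors.New("wrong PIN")
	}
	c.unlocked = true
	return nil
}

// Sign produces an ECDSA signature over the server's challenge, only when
// the card has been unlocked with the PIN.
func (c *SimulatedCard) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Server holds enrolled public keys only; it never sees a PIN or private key.
type Server struct {
	enrolled map[string]*ecdsa.PublicKey
}

func NewServer() *Server { return &Server{enrolled: map[string]*ecdsa.PublicKey{}} }

// Enroll registers a user's public key (hypothetical enrollment step).
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// NewChallenge returns 32 random bytes; a fresh challenge per login attempt
// is what stops a captured signature from being replayed.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// VerifyLogin checks the signature against the enrolled key for this user.
func (s *Server) VerifyLogin(user string, challenge, sig []byte) bool {
	pub, ok := s.enrolled[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	card, _ := NewSimulatedCard("1234") // constructed PIN
	srv := NewServer()
	srv.Enroll("alice", card.PublicKey())

	challenge, _ := NewChallenge()
	_ = card.VerifyPIN("1234") // user types PIN into the local client
	sig, _ := card.Sign(challenge)
	fmt.Println("login accepted:", srv.VerifyLogin("alice", challenge, sig))
}
```

The point to notice is that the server-side check uses nothing but the public key and the challenge it generated itself, which is why the reply says the PIN does not need to be synchronized with the server: changing the PIN changes nothing on the server side.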