Re: Cool-Key on Solaris



On Feb 4, 2008, at 8:02 AM, Todd Denniston wrote:

You are using CAC with Kerberos then?
Mind sharing a recipe, or a pointer to one, for hooking CAC/PKCS11 into Kerberos?

You need MIT Kerberos 1.6.3 or later, or Heimdal 1.x + some patches (which I'm still working out on the heimdal-discuss mailing list).

You'll also need the most recent pam_krb5 and (obviously) a working PKCS11 module.

That's about it. Once you have Kerberos working with a password against AD, swapping over to PKINIT is pretty simple (assuming PKINIT is working in AD to start). The only real gotcha is in selecting the email signing cert from the CAC (which is the only one AD will accept); MIT makes this relatively easy, but Heimdal needed a fix (which I wrote, but I had to alter an internal API which the primary heimdal developer wasn't keen on doing, so I'm reworking it).

I'm also working on a MITRE technical report that will cover all this in detail (with configurations) to be delivered to my sponsor, after which it should be easy to get it into other DoD hands.

-- Tim
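An added example, not from Tim's message or from the CoolKey project, of the MIT Kerberos side of what is described above: a krb5.conf realm stanza that points PKINIT at the CAC through a PKCS#11 module and selects the email signing cert by EKU rather than letting the library pick the first client-auth cert it finds. The realm name, KDC host, CA bundle path and CoolKey module path are assumptions; only the option names are MIT krb5 (1.6.3 or later) configuration keys.

```ini
[libdefaults]
    default_realm = EXAMPLE.MIL

[realms]
    EXAMPLE.MIL = {
        kdc = dc1.example.mil
        # CA chain that issued the AD domain controller's certificate (assumed path)
        pkinit_anchors = FILE:/etc/pki/ad-ca-chain.pem
        # Read client certificates from the CoolKey PKCS#11 module (assumed path)
        pkinit_identities = PKCS11:module_name=/usr/lib/pkcs11/libcoolkeypk11.so
        # The CAC holds several certs; AD only accepts the email signing one,
        # so match on its Secure Email extended key usage instead of clientAuth
        pkinit_cert_match = <EKU>emailProtection
        # AD domain controller certs carry the Server Authentication EKU rather
        # than id-pkinit-KDC, so the KDC certificate check has to allow that
        pkinit_eku_checking = kpServerAuth
    }
```

With this in place, `kinit user@EXAMPLE.MIL` prompts for the card PIN instead of a password; the same identity can be given on the command line for a one-off test with `kinit -X X509_user_identity=PKCS11:module_name=/usr/lib/pkcs11/libcoolkeypk11.so user@EXAMPLE.MIL`. If the wrong certificate is still chosen, `pkinit_cert_match` also accepts `<SAN>` and `<SUBJECT>` expressions, which is the knob to reach for before patching anything.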


Coolkey-devel mailing list
