On Feb 4, 2008, at 8:02 AM, Todd Denniston wrote:
You are using CAC with kerberos then? Mind sharing a recipe, or a pointer to one, for hooking CAC/PKCS11 into kerberos?
You need MIT Kerberos 1.6.3 or later, or Heimdal 1.x + some patches (which I'm still working out on the heimdal-discuss mailing list).
You'll also need the most recent pam_krb5 and (obviously) a working PKCS11 module.
That's about it. Once you have Kerberos working with a password against AD, swapping over to PKINIT is pretty simple (assuming PKINIT is working in AD to start). The only real gotcha is in selecting the email signing cert from the CAC (which is the only one AD will accept); MIT makes this relatively easy, but Heimdal needed a fix (which I wrote, but I had to alter an internal API which the primary heimdal developer wasn't keen on doing, so I'm reworking it).
I'm also working on a MITRE technical report that will cover all this in detail (with configurations) to be delivered to my sponsor, after which it should be easy to get it into other DoD hands.
-- Tim
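The recipe above in concrete form, as an added illustration that is not Tim's configuration, nor taken from the MITRE report he mentions: a minimal MIT Kerberos (1.6.3 or later) krb5.conf that points PKINIT at a CAC through the CoolKey PKCS#11 module and narrows the certificate choice so that the e-mail signing certificate is the one presented to AD. The realm name, KDC hostname, trust-anchor path and module path are placeholders, and the selection rule assumes the CAC's e-mail signing certificate is the only certificate on the card that carries the emailProtection extended key usage (check with the card's certificates before relying on it).

```ini
# /etc/krb5.conf (constructed example; values are assumptions to replace)
[libdefaults]
    default_realm = EXAMPLE.MIL

    # Where PKINIT finds the client identity: the CAC, reached through the
    # CoolKey PKCS#11 module. The library path is an assumed install location.
    pkinit_identities = PKCS11:/usr/lib/pkcs11/libcoolkeypk11.so

    # Trust anchors used to validate the KDC (domain controller) certificate:
    # the issuing DoD root and intermediate CAs concatenated into one PEM file
    # (assumed path).
    pkinit_anchors = FILE:/etc/krb5/pkinit-anchors.pem

    # A CAC holds several certificates and AD only accepts the e-mail signing
    # one for logon. Without a match rule the first certificate found is used,
    # which is usually the wrong one. This rule assumes the e-mail signing
    # certificate is the only one on the card with the emailProtection EKU.
    pkinit_cert_match = <EKU>emailProtection

[realms]
    EXAMPLE.MIL = {
        kdc = dc1.example.mil
        admin_server = dc1.example.mil
    }
```

To confirm the ticket path works before touching PAM, run `kinit -X X509_user_identity=PKCS11:/usr/lib/pkcs11/libcoolkeypk11.so user@EXAMPLE.MIL` (MIT kinit's `-X` option passes the identity explicitly, which isolates a PKINIT problem from a configuration-lookup problem) and check the result with `klist`. Only once that succeeds is it worth enabling PKINIT in pam_krb5; which option does that depends on the pam_krb5 implementation in use (Russ Allbery's pam-krb5, for example, exposes `try_pkinit` and `use_pkinit`), so treat that as something to verify against the module's own documentation rather than a given.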
_______________________________________________ Coolkey-devel mailing list Coolkey-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/coolkey-devel