Hi,

That sounds great. I'd love to get that on the DISA OSSG page as well when you get some details worked out. I'm assuming you are working primarily with the RHCS and RHEL5 / Fedora 6+/8 spins?

If you can, check out http://ossg.disa.mil

I have been hoping to get Mitre more connected to my work at DISA.

Aaron

On Feb 4, 2008 9:56 AM, Timothy J Miller <tmiller@xxxxxxxxx> wrote:
> On Feb 4, 2008, at 8:02 AM, Todd Denniston wrote:
>
> > You are using CAC with kerberos then?
> > mind sharing a recipe, or a pointer to one, for hooking CAC/PKCS11
> > into kerberos?
>
> You need MIT Kerberos 1.6.3 or later, or Heimdal 1.x + some patches
> (which I'm still working out on the heimdal-discuss mailing list).
>
> You'll also need the most recent pam_krb5 and (obviously) a working
> PKCS11 module.
>
> That's about it. Once you have Kerberos working with a password
> against AD, swapping over to PKINIT is pretty simple (assuming PKINIT
> is working in AD to start). The only real gotcha is in selecting the
> email signing cert from the CAC (which is the only one AD will
> accept); MIT makes this relatively easy, but Heimdal needed a fix
> (which I wrote, but I had to alter an internal API which the primary
> heimdal developer wasn't keen on doing, so I'm reworking it).
>
> I'm also working on a MITRE technical report that will cover all this
> in detail (with configurations) to be delivered to my sponsor, after
> which it should be easy to get it into other DoD hands.
>
> -- Tim
>
> _______________________________________________
> Coolkey-devel mailing list
> Coolkey-devel@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/coolkey-devel