Re: Cool-Key on Solaris

I did all my work on Ubuntu 7.10 (Gutsy) and FC8. I backported a bunch of stuff from Hardy to Gutsy to make everything work, and then poked at FC8. I didn't backport MIT Kerb 1.6.3 to FC8, however; I'm content with showing how it works on one system and then documenting the config differences.

I don't have a RHN id to pull current RHEL images. I have an old beta of RHEL5, but that was a long time ago.

I'd be more than happy to contribute to OSSG; feel free to add this address to the mailing list.

-- Tim

On Feb 4, 2008, at 1:59 PM, Aaron Lippold wrote:

Hi,

That sounds great. I'd love to get that on the DISA OSSG page as well
when you get some details worked out.

I'm assuming you are working primarily with the RHCS and RHEL5 / Fedora
6+/8 spins?

If you can, check out http://ossg.disa.mil

I have been hoping to get Mitre more connected to my work at DISA.

Aaron

On Feb 4, 2008 9:56 AM, Timothy J Miller <tmiller@xxxxxxxxx> wrote:
On Feb 4, 2008, at 8:02 AM, Todd Denniston wrote:

You are using CAC with kerberos then?
Mind sharing a recipe, or a pointer to one, for hooking CAC/PKCS11
into kerberos?

You need MIT Kerberos 1.6.3 or later, or Heimdal 1.x + some patches
(which I'm still working out on the heimdal-discuss mailing list).

You'll also need the most recent pam_krb5 and (obviously) a working
PKCS11 module.

That's about it.  Once you have Kerberos working with a password
against AD, swapping over to PKINIT is pretty simple (assuming PKINIT
is working in AD to start).  The only real gotcha is in selecting the
email signing cert from the CAC (which is the only one AD will
accept); MIT makes this relatively easy, but Heimdal needed a fix
(which I wrote, but I had to alter an internal API which the primary
heimdal developer wasn't keen on doing, so I'm reworking it).

I'm also working on a MITRE technical report that will cover all this
in detail (with configurations) to be delivered to my sponsor, after
which it should be easy to get it into other DoD hands.

-- Tim


_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel



Attachment: smime.p7s
Description: S/MIME cryptographic signature
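
The client side of the setup outlined in the thread, as an added example that is not part of the original messages or of the MITRE report they mention: a krb5.conf fragment for MIT Kerberos 1.6.3 or later that reads the certificate from the card through PKCS#11 and pins which certificate is offered to the KDC. The realm, host name, file paths and the match rule are assumptions; the rule assumes the email signing certificate is the one on the card that carries the Microsoft smart card logon EKU.

```ini
# Added example, not from the thread. All names and paths are placeholders.
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        # Assumed AD domain controller acting as KDC
        kdc = dc1.ad.example.com

        # CA certificates used to validate the KDC's certificate
        # (assumed bundle location)
        pkinit_anchors = FILE:/etc/pki/pkinit/ca-bundle.pem

        # Client certificate and key come from the card via the PKCS#11
        # module (assumed install path for the CoolKey module)
        pkinit_identities = PKCS11:/usr/lib/pkcs11/libcoolkeypk11.so

        # A CAC holds several certificates. Without a rule the client may
        # offer one the KDC rejects. This rule requires both conditions:
        # smart card logon EKU and digitalSignature key usage (assumed to
        # identify the email signing certificate; check the card's certs).
        pkinit_cert_match = &&<EKU>msScLogin<KU>digitalSignature

        # Uncomment only if the KDC certificate carries serverAuth rather
        # than the PKINIT KDC EKU; this relaxes the client's check.
        # pkinit_eku_checking = kpServerAuth
    }
```

With password authentication against the same realm already working, running `kinit` for the user should prompt for the card PIN instead of a password.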
