Hello,
I have two questions.
1. Based on reading posts from this list and in other places, we have pieced together a CAC login solution using the pubkeyhash method. We do not currently have a directory service implemented. However, I’m curious if there is a way to utilize attribute matching with the local directory service on a Mac OS 10.6.6 client? The pubkeyhash CAC login option is working great; however, we would like to implement a solution where the AuthenticationAuthority field does not need to be updated every time a user is given a new smart card.
2. I read a few posts about PKINIT being available in 10.6.2 and later, and specifically a security vulnerability with PKINIT which was fixed in 10.6.6. I just want to verify that the security vulnerability has been patched. Also, I have not been able to successfully implement the method described in this post by Shawn Geddis:
http://lists.macosforge.org/pipermail/smartcardservices-users/2010-July/000117.html
I’ve been using the command:
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D: KEYCHAIN: --pk-enterprise
for testing as described in the post above. However, when I use the --pk-enterprise option it connects to our KDC requesting a ticket for PersonIdentifier@mil instead of asking for my username like username@realm. When I use the --enterprise option instead of --pk-enterprise it correctly asks our KDC for a ticket for username@realm; however, I keep getting PREAUTH_FAILED errors. Also, if we do get the test command working with --enterprise instead of --pk-enterprise, is that still a valid test for getting a Kerberos ticket at login with a smart card? As a side note, just running kinit works fine with no issues.
Our Linux machines have PKINIT working with a subject mapping from the common name on the card to their Linux username. Is there a way to do a subject mapping like this in Mac OS 10.6.6?
Please excuse any terms I messed up; I’m another person who has been getting a crash course in smart cards.
Any help would be greatly appreciated.
Thank you
_______________________
David Bruno
Security +, RHCT, CCNA, CCA
ARL/CISD
410-278-8929
david.bruno@us.army.mil