[SmartcardServices-Users] CAC Login and pkinit

David Bruno (Civ ARL/CISD) <dbruno> david.bruno at us.army.mil
Wed Feb 23 10:26:39 PST 2011


Hello,

I have two questions.

1.
Based on reading posts from this list and in other places, we have pieced
together a CAC login solution using the pubkeyhash method. We do not
currently have a directory service implemented. However, I'm curious if
there is a way to utilize attribute matching with the local directory
service on a Mac OS 10.6.6 client? The pubkeyhash CAC login option is
working great, however we would like to implement a solution where the
AuthenticationAuthority field does not need to be updated every time a user
is given a new smartcard.

2.
I read a few posts about pkinit being available in 10.6.2 and later, and
specifically a security vulnerability with pkinit which was fixed in 10.6.6.
I just want to verify that the security vulnerability has been patched.
Also I have not been able to successfully implement the method described in
this post:
http://lists.macosforge.org/pipermail/smartcardservices-users/2010-July/000117.html by Shawn Geddis

I've been using the command:
/System/Library/PrivateFrameworks/Heimdal.frameworks/Helpers/kinit -C KEYCHAIN: -D: KEYCHAIN: --pk-enterprise

for testing as described in the post above, however when I use the
--pk-enterprise option it connects to our KDC requesting a ticket for the
PersonIdentifier@mil instead of asking for my username like username@realm.
When I use the --enterprise option instead of --pk-enterprise it correctly
asks our KDC for a ticket for username@realm. However I keep getting
PREAUTH_FAILED errors. Also if we do get the test command working with the
--enterprise instead of --pk-enterprise, is that still a valid test for
getting a Kerberos ticket at login with a smartcard? As a side note, just
running kinit works fine with no issues.

Our Linux machines have pkinit working with a subject mapping from the common
name on the card to their Linux username. Is there a way to do a subject
mapping like this in OS 10.6.6?

Please excuse any terms I messed up; I'm another person who has been getting
a crash course in smart cards.


Any help would be greatly appreciated.

Thank you.


_______________________
David Bruno
Security +, RHCT, CCNA, CCA
ARL/CISD
410-278-8929
david.bruno at us.army.mil