[SmartcardServices-Users] [EXTERNAL] Re: Pkinit working on MacOSX 10.9.5 or 10.10?

Glenn Machin gmachin at sandia.gov
Mon Aug 31 06:17:47 PDT 2015


Shame Apple won't enable the use of :

         pkinit_identities = PKCS11:Path_of_pkcs11_lib

for their Heimdal Kerberos implementation.

If they did, then the pam_krb5 module could be added to 
/etc/pam.d/sudo.   I believe Heimdal Kerberos supports it. I know the 
MIT Kerberos does.

Thanks for the information.


Glenn


On 8/31/15 6:53 AM, Carib Mendez wrote:
>> We are also going to get the non-express version of Centrify to see if that enables pkinit with PIV for login and screenlock, I will let this email list know what I find.
>>
> We use the full Centrify in our environment. I can attest to its ability for full CAC login, PKINIT and screenlock. It also includes a pkcs11 module for apps that don't use regular system keychain calls (Firefox primarily). The only thing it does not include is the ability to use your CAC at the command line with sudo. I believe Thursby has a special sudo that will authenticate with the CAC, but Centrify unfortunately does not. Their solution is to add admin groups to the sudoers file so they don't have to enter a password for sudo.
>
>
>> Thanks for the response,
>>
>>
>>
>> Glenn
>>
>>
>>
>>
>> On 8/31/15 2:04 AM, Yoann Gini wrote:
>>>> On 29 August 2015 at 23:30, Glenn Machin <gmachin at sandia.gov> wrote:
>>>>
>>>> The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".
>>> Same behaviors here. I’m not able to use standard system in PKINIT system.
>>>
>>>> Has anyone got PKINIT working via OpenDirectory during login or via pam modules (pam_opendirectory or pam_krb5)?
>>>>
>>>> Shame I don't see Apple publishing documents describing how to enable pkinit given federal government requirements for use of smartcards.
>>>> Seems like it's the users helping users, while Apple keeps quiet.
>>> The only advice I can tell is to use Centrify Express. It’s free, it works, and it will be quick for you.
>>>
>>> Best regards,
>>> Yoann Gini
>>>
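As an added illustration (not from any poster in this thread, and not something the macOS Heimdal build discussed above accepts), this is what the PKCS#11 identity setting looks like in an MIT Kerberos krb5.conf; the realm name, KDC host, CA bundle path and PKCS#11 library path are assumptions for the example.

```ini
# krb5.conf fragment for MIT Kerberos (assumed setup, not the macOS Heimdal
# configuration the thread is about). Realm, KDC, CA file and module path are
# placeholders chosen for this example.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # Take the client certificate and private key from the smartcard
        # through a PKCS#11 module instead of a file or keychain.
        pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so
        # CA certificate(s) that must sign the KDC's PKINIT certificate;
        # without a trusted anchor the AS_REQ exchange cannot be verified.
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
        # Require the KDC certificate to carry the kpKDC extended key usage
        # so a stolen server certificate cannot impersonate the KDC.
        pkinit_eku_checking = kpKDC
    }
```

With that in place, the sudo side the thread asks about is a line such as `auth sufficient pam_krb5.so` near the top of /etc/pam.d/sudo, so the PIN prompt goes to the card rather than a password prompt.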


