<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Uri,
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>I’ve got it on my to do list to look at the OpenSC stuff again. If it does a good job supporting PIV, it might be something we could use.</div>
<div class="">As for why someone would use the .Net cards, I can answer that pretty easily. They work with Microsoft’s Forefront Identity Manager, and are already in use in some places.</div>
<div class="">We haven’t had any luck getting FIM to provision PIV cards. I don’t know that its not possible… but Microsoft has been less than helpful on providing the needed details, and it certainly seems like its simply not supported.</div>
<div class="">We’ve been using the .Net cards for years, they are tied into our identity provisioning workflow, and so with mandates looming, it made sense to take what we already had working and adapt it for the new need.</div>
<div class="">Were we starting from scratch, looking to support smart cards across three platforms, I don’t think we would go down that route.</div>
<div class=""><br class="">
</div>
<div class="">—DH</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Apr 8, 2016, at 11:17 AM, Uri Blumenthal <<a href="mailto:uri@mit.edu" class="">uri@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">I know PIV is served well by OpenSC.tokend. If it would work with .Net cards (and I’ve no clue what those are, or why one would bother, when PIV and OpenPGP tokens are both available and reliable), going OpenSC route could be a good direct solution
that doesn’t require contortions to get various .tokend compiled (as you know, I tried to use PKCS11.tokend, and failed).</div>
<div class=""><br class="">
</div>
<div class="">P.S. This email is signed by a PIV token in Gemalto Proxy-DU reader, using OpenSC.tokend.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
On Apr 8, 2016, at 14:07 , Hoit, Daniel S. <<a href="mailto:hoit2@llnl.gov" class="">hoit2@llnl.gov</a>> wrote:
<div class="">
<blockquote type="cite" class="">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Glenn,
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>We are using both at LLNL, although we are looking into replacing the .Net cards since it causes issues switching libraries on the linux boxes.</div>
<div class="">The .Net cards use the PKCS11.tokend module that Ludovic Rousseau wrote, along with a Framework and some libraries to provide the pkcs11 support.</div>
<div class="">Unfortunately, the version that Gemalto is currently providing will only look in /usr/lib/pkcs11, and since that location is restricted on SIP enabled systems, it breaks.</div>
<div class="">Luckily, the source for PKCS11.tokend is on the smartcard services web site, and Ludovic has an updated version there that will look in /usr/local/lib/pkcs11.</div>
<div class="">Hopefully Gemalto updates their installer to use that version in the future, but in the meantime I simply pulled down the newer tokend code, built it, and packaged it with the existing libraries set to be put in SIP compliant locations.</div>
<div class="">They do use different pkcs11 modules, so if thats part of your deployment, you may have issues.</div>
<div class="">I can use the tokendpkcs11.so for generating a key off the .Net cards, but trying to use it with SSH it relays a signing error, and fails. Considering its doing the gemalto PKCS11 -> PKCS11.tokend -> tokendPKCS11.so, its not really surprising
that its flakey. Most tools allow you to point to a separate library at the command line though, so you could always have an aliased SSH for the .NET card that uses -I /usr/local/lib/pkcs11/<whichever gemalto pkcs11.so you are using></div>
<div class="">The biggest issue with using a “civ” card along side the PIV is user mapping. Once we solved that, everything else has been pretty straight forward.</div>
<div class="">I’d be happy to discuss the details of our implementation if you’d like. You know how to get ahold of me. :)</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>—DH</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Apr 8, 2016, at 10:32 AM, Machin, Glenn D <<a href="mailto:GMachin@sandia.gov" class="">GMachin@sandia.gov</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class=""><br class="">
</div>
<div class="">We have a situation where will have users using a PIV (Oberthur ID-One PIV (type A)) and the ID Prime .Net from Gemalto.</div>
<div class=""><br class="">
</div>
<div class="">We want to make sure MacOSX can support both cards. Out of the box on MacOSX ID Prime .Net from Gemalto does not work and we want to make sure we don’t break the PIV to get the .Net card to work.</div>
<div class=""><br class="">
</div>
<div class="">We have found that on Linux (red hat) only one pkcs11 module will work at a time for either pam_pkcs11 or pam_krb5, and each card needs its own pkcs11 module, therefore only one card can be configured at a time. We don’t want to fall into the
same trap with MacOSX.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Appreciate any help.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Glenn</div>
<div class=""><br class="">
</div>
</div>
_______________________________________________<br class="">
SmartcardServices-Users mailing list<br class="">
<a href="mailto:SmartcardServices-Users@lists.macosforge.org" class="">SmartcardServices-Users@lists.macosforge.org</a><br class="">
<a href="https://lists.macosforge.org/mailman/listinfo/smartcardservices-users" class="">https://lists.macosforge.org/mailman/listinfo/smartcardservices-users</a><br class="">
</div>
</blockquote>
</div>
<br class="">
<div apple-content-edited="true" class=""><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; border-spacing: 0px;"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-stroke-width: 0px;">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">
<div class="">Daniel Hoit</div>
<div class=""><a href="mailto:hoit2@llnl.gov" class="">hoit2@llnl.gov</a></div>
<div class="">925.424.5256</div>
<div class=""><br class="">
</div>
</div>
</span><br class="Apple-interchange-newline">
</span><br class="Apple-interchange-newline">
</div>
<br class="">
</div>
</div>
_______________________________________________<br class="">
SmartcardServices-Users mailing list<br class="">
<a href="mailto:SmartcardServices-Users@lists.macosforge.org" class="">SmartcardServices-Users@lists.macosforge.org</a><br class="">
<a href="https://lists.macosforge.org/mailman/listinfo/smartcardservices-users" class="">https://lists.macosforge.org/mailman/listinfo/smartcardservices-users</a><br class="">
</div>
</blockquote>
</div>
<br class="">
<div apple-content-edited="true" class="">
<div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">--</div>
<div class="">Uri the Great</div>
<div class=""><a href="mailto:uri@mit.edu" class="">uri@mit.edu</a></div>
<div class=""><br class="">
</div>
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<div apple-content-edited="true" class=""><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">
<div class="">Daniel Hoit</div>
<div class=""><a href="mailto:hoit2@llnl.gov" class="">hoit2@llnl.gov</a></div>
<div class="">925.424.5256</div>
<div class=""><br class="">
</div>
</div>
</span><br class="Apple-interchange-newline">
</span><br class="Apple-interchange-newline">
</div>
<br class="">
</div>
</body>
</html>