OpenSSH PKCS#11 merge
Douglas E. Engert
deengert at anl.gov
Fri Sep 28 01:05:52 EST 2007
Alon Bar-Lev wrote:
> Hello,
>
> On 9/25/07, Douglas E. Engert <deengert at anl.gov> wrote:
>> Another way to do this especially with HSPD-12 PIV cards is via Kerberos.
>> Over the last few years, I have been working on the combination of
>> kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
>> to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
>> PKCS#11. OpenSC has support for the PIV cards.
>
> Kerberos is a single point of failure in terms of availability and security.
> Even if Kerberos is a good solution for one domain network, how can
> you access foreign networks?
> And even if you Kerberos the whole world... How can you securely
> access the Kerberos KDC when the KDC is down?
>
> Just like OpenSSH can access file based keys it should be able to use
> smartcard based keys and PKCS#11 is the common interface to access
> smartcards.
I was responding to the poster who said he was interested in using PIV cards.
Based on the name of his organization, I know that they are looking at using
the PIV cards with Kerberos and Active Directory, so I offered an alternative
way to use OpenSSH with Kerberos.
This is not to say that it's the only way. Adding your mods would be another.
>
> Best Regards,
> Alon Bar-Lev.
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444