On Fri, Oct 27, 2023 at 02:01:05PM -0400, Ken Hornstein via Kerberos wrote:
> >Aren't you supposed to use CAC or PIV cards?
>
> Well, I hate to use the "Air Bud" loophole, but the rules as I
> understand them don't ACTUALLY say that for ssh, and in some contexts
> they explicitly say that plaintext passwords are fine as long as you're
> doing something like using a RADIUS server to verify the password. Yes,
> the RADIUS protocol is terrible and has MD5 baked into the protocol and
> no one has ever explained to me why the STIGS say FIPS mode is mandatory
> but RADIUS is fine.
Uh... If someone was able to swing that then you should be able to swing
use of MD5 for non-cryptographic purposes where a 20-year-old RFC requires
it. But, I know, I know, never mind.

> >You can definitely use openssh clients with PIV cards and avoid
> >kerberos altogether.
>
> I have done that! But that is actually TERRIBLE IMHO from a security
> perspective unless you write a whole pile of infrastructure code; maybe
> some sites actually do that but the people I've seen with that setup do
> not and then get surprised when they get a new CAC and that breaks. If
> you funnel all that through PKINIT then things are much nicer.

IDEA: Patch ssh to support use of x.509 certificates. After all, you
can't use OpenSSH certs because... that's not "the DoD PKI", and you
can't use GSS-KEYEX because of the foregoing MD5 non-issue, so might as
well do the one thing you are allowed to do: use the DoD PKI!

And you're using Heimdal, right? Well, Heimdal has a very frickin' nice
ASN.1 compiler that already has everything you need to be able to decode
x.509 certificates. It even has a fantastic libhx509, though the only
thing it doesn't have is support for x25519/x448 (I've a branch with
that stuff I need to finish). Though you'll want to update to the
as-yet unreleased master branch for this because it's more awesome
there.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
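To make concrete what "MD5 baked into the protocol" means for the password case Ken describes, here is the RFC 2865 section 5.2 User-Password hiding scheme as an added example (not code from this thread or from any RADIUS implementation): the only protection a plaintext password gets on the wire is XOR against an MD5 keystream keyed by the shared secret and the Request Authenticator. The secret, password and authenticator below are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest length; RADIUS hides the password in 16-octet chunks


def _pad16(password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad the password to a multiple of 16 octets (max 128)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    return password + b"\x00" * (-len(password) % BLOCK)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password attribute value carried in an Access-Request.

    c(1) = p(1) XOR MD5(S + RA), then c(i) = p(i) XOR MD5(S + c(i-1)).
    Note this is MD5 acting as a keyed stream cipher, not a FIPS-approved
    algorithm; in FIPS-restricted Python builds hashlib.md5 may be unavailable
    unless called with usedforsecurity=False (Python 3.9+).
    """
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += chunk
        prev = chunk  # chaining: next block is keyed by this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Invert hide_user_password, as a RADIUS server holding the secret does."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], keystream))
        prev = hidden[i:i + BLOCK]
    # RFC 2865 cannot distinguish padding from real trailing NULs; strip them.
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values; a real NAS draws the Request Authenticator randomly.
    ra = bytes(range(16))
    hidden = hide_user_password(b"correct horse", b"shared-secret", ra)
    print(hidden.hex(), reveal_user_password(hidden, b"shared-secret", ra))
```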