On 8/11/14, 6:43 AM, Trevor Vaughan wrote:
Hmm....for a public guide, shouldn't the solution be public as well?
It's public to anyone who has a subscription to the operating system for which the guide is written ;)
Your point is well taken though. Reading a doc that sends you to another doc is beyond a slight annoyance. When authoring the patch, there were really two reasons I had for sending to access.redhat.com:
1) As any underlying components and processes change, that URL will stay constant, and big RHT will maintain currency. I'm not sure if anyone within SSG will be monitoring CAC enablement that closely which is why my own initial reaction was to post to a known authoritative and known current document;
2) I rarely hear of CAC enablement going as straightforward as the docs say, and SSG shouldn't be a helpdesk for those seeking CAC configurations. I'd rather have big RHT handle that, and by giving the URL to access.redhat.com, users are put into a help forum where they can post comments, tell big RHT that CAC is broke, etc.
Shawn
On Thu, Aug 7, 2014 at 12:44 AM, Shawn Wells <[email protected] <mailto:[email protected]>> wrote:Updated XCCDF to reflect location of vendor docs on integrating SSH+CAC cards Signed-off-by: Shawn Wells <[email protected] <mailto:[email protected]>> --- RHEL/6/input/system/accounts/physical.xml | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/RHEL/6/input/system/accounts/physical.xml b/RHEL/6/input/system/accounts/physical.xml index c9d1958..db5fb66 100644 --- a/RHEL/6/input/system/accounts/physical.xml +++ b/RHEL/6/input/system/accounts/physical.xml @@ -403,6 +403,10 @@ To enable smart card authentication, consult the documentation at: <ul> <li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</li> </ul> +For guidance on enabling SSH to authenticate against CAC cards, consult documentation at: +<ul> +<li>https://access.redhat.com/solutions/82273</li> +</ul> </description> <ocil clause="non-exempt accounts are not using CAC authentication"> Interview the SA to determine if all accounts not exempted by policy are -- 1.7.1 -- SCAP Security Guide mailing list [email protected] <mailto:[email protected]> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
