Re: Heimdal 1.1
On Jan 24, 2008, at 1:24 PM, Love Hörnquist Åstrand wrote:
>>> * Read-only PKCS11 provider built-in to hx509.
>>
>>> * Mac OS X 10.5 support for native credential cache.
>>
>> I don't suppose we can combine these to provide pkcs11 support for
>> pam_pkcs11 on MacOS? Contrary to my expectations, there doesn't
>> seem to be any pkcs11 support (in that direction) on Leopard.
>
> The hx509 pkcs11 provider doesn't provide encryption (only
> signing), and if I remember correctly pam_pkcs11 used to encrypt
> and then decrypt it to verify the pin unlocked the key. If it uses
> signing/verify it should work.
That's a better answer than I expected. Thanks.
> However it seems like go over the river to get water, having a PAM
> module that talked to CSSM/keychain directly would make more sense....
>
> Love
I'd rather write an authorization services plug-in that calls a PAM
chain than rewrite pam_pkcs11. Then you could support smart card/
pkinit on MacOS the same way you do on Linux with the same open
source pam modules.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu