
Re: Heimdal 1.1

On Jan 24, 2008, at 1:24 PM, Love Hörnquist Åstrand wrote:

>>> * Read-only PKCS11 provider built-in to hx509.
>>> * Mac OS X 10.5 support for native credential cache.
>> I don't suppose we can combine these to provide pkcs11 support for  
>> pam_pkcs11 on MacOS?  Contrary to my expectations, there doesn't  
>> seem to be any pkcs11 support (in that direction) on Leopard.
> The hx509 pkcs11 provider doesn't provide encryption (only  
> signing), and if I remember correctly pam_pkcs11 used to encrypt  
> and then decrypt it to verify the pin unlocked the key. If it uses  
> signing/verify it should work.

That's a better answer than I expected.  Thanks.

> However it seems like go over the river to get water, having a PAM  
> module that talked to CSSM/keychain directly would make more sense....
> Love

I'd rather write an authorization services plug-in that calls a PAM  
chain than rewrite pam_pkcs11.  Then you could support smart card/ 
pkinit on MacOS the same way you do on Linux with the same open  
source pam modules.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
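Added illustration (not part of the thread above, nor code from Heimdal, hx509 or pam_pkcs11): the point Love makes is that a sign-only PKCS#11 provider cannot satisfy a PIN check built on encrypt-then-decrypt, but it can satisfy one built on sign-then-verify. The Go program below models that with a hypothetical `SignOnlyToken` that exposes signing but no decrypt operation; `VerifyPossession` is the challenge/response a PAM module could use instead, verifying the signature against the public key it would normally take from the user's certificate. The token, PIN and key are constructed for the example; a real module would talk to the PKCS#11 library rather than an in-process struct.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignOnlyToken is a hypothetical stand-in for a PKCS#11 provider that
// implements C_Sign but not C_Decrypt (the situation described for hx509).
type SignOnlyToken struct {
	key *rsa.PrivateKey
	pin string
}

// NewToken builds a constructed test token with a freshly generated key.
func NewToken(pin string) (*SignOnlyToken, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SignOnlyToken{key: key, pin: pin}, nil
}

// PublicKey returns what a PAM module would otherwise read from the
// user's certificate.
func (t *SignOnlyToken) PublicKey() *rsa.PublicKey {
	return &t.key.PublicKey
}

// Sign releases a signature only when the supplied PIN unlocks the key;
// the error string mirrors the PKCS#11 return code a real token would give.
func (t *SignOnlyToken) Sign(pin string, digest []byte) ([]byte, error) {
	if pin != t.pin {
		return nil, errors.New("CKR_PIN_INCORRECT")
	}
	return rsa.SignPKCS1v15(rand.Reader, t.key, crypto.SHA256, digest)
}

// VerifyPossession is the sign/verify form of the PIN check: a fresh random
// challenge is hashed, signed by the token, and the signature is verified
// with the public key. No decrypt capability is required of the token, and
// a fresh challenge per attempt keeps an old signature from being replayed.
func VerifyPossession(tok *SignOnlyToken, pub *rsa.PublicKey, pin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	digest := sha256.Sum256(challenge)
	sig, err := tok.Sign(pin, digest[:])
	if err != nil {
		return false, err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	tok, err := NewToken("1234")
	if err != nil {
		panic(err)
	}
	for _, pin := range []string{"1234", "0000"} {
		ok, err := VerifyPossession(tok, tok.PublicKey(), pin)
		fmt.Printf("pin %q: ok=%v err=%v\n", pin, ok, err)
	}
}
```

The same structure applies to any credential that can only sign (smart card keys are frequently generated with the decrypt usage bit cleared), which is why a sign/verify check is the more portable choice for a PAM module than encrypt/decrypt.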