On Thu, 2023-10-26 at 17:57 -0400, Ken Hornstein via Kerberos wrote:
> > > Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
> > > shall have no other PKI than the DoD PKI". And as much as I can
> > > legitimately argue for many of the unusual things that I do, I can't get
> > > away with that one; [...]
> >
> > A CA that issues short-lived certificates (for keys that might be
> > software keys) is morally equivalent to a Kerberos KDC. You ought to be
> > able to deploy such online CAs that issue only short-lived certs.
>
> You know that. I know that. But remember: "if you're explaining,
> you're losing". When asked I can honestly say, "Kerberos is not
> a PKI" and that's good enough, but I can't say with a straight
> face, "This X.509 CA over here is not a PKI".
>
> > Presumably OpenSSH CAs are a different story because they're not
> > x.509? :)
>
> Strangely enough, I am not aware of anyone in the DoD that uses OpenSSH
> CAs (there probably are, I just don't know them). I could see it being
> argued both ways. The people I know who use OpenSSH are (a) using
> gssapi-with-mic like us, (b) just using passwords, or (c) using their
> client smartcard key as a key for RSA authentication and they call that
> "DOD PKI authentication". Again, you know and I know that isn't really
> using PKI certificates, but the people up the chain aren't really smart
> enough to understand the distinction; they see that you're using the
> smartcard and that's good enough for them.
>
> > > We _do_ do PKINIT with the DoD PKI today; that is relatively
> > > straightforward with the exception of dealing with certificate
> > > revocation (last time I checked the total size of the DOD CRL package
> > > was approximately 8 million serial numbers, sigh).
> >
> > Don't you have OCSP responders?
>
> We _do_, it's just a pain to find an OCSP responder that can handle that
> many. If the official ones go offline that breaks our KDC so we run our
> own locally.
>
> > One of the problems I'm finding is that SSHv2 client implementations are
> > proliferating, and IDEs nowadays tend to come with one, and not one of
> > them supports GSS-KEYEX, though most of them support gssapi-with-mic, so
> > it makes you want to give up on GSS-KEYEX.
>
> Right, part of the problem there is that people want to "use Kerberos
> with ssh", and they don't understand the difference between gssapi-with-mic
> and gss-keyex.

Aren't you supposed to use CAC or PIV cards?
You can definitely use openssh clients with PIV cards and avoid kerberos
altogether.

Simo.

-- 
Simo Sorce, DE @ RHEL Crypto Team, Red Hat, Inc
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
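An added ssh_config example, not from the thread, for the two client-side setups discussed: a PIV/CAC card as the SSH client key with no Kerberos, and Kerberos user authentication via gssapi-with-mic, which leaves host authentication to the SSH host key unless the client also supports gss-keyex. Host patterns and the PKCS#11 module path are assumptions.

```sshconfig
# Added example ssh_config (not from the thread). Host patterns and the
# PKCS#11 module path are assumptions; point it at the local OpenSC build.

# (a) PIV/CAC smartcard as the client key, no Kerberos involved.
#     The card's PIV authentication key is offered as an ordinary SSH public
#     key; the server must list that key in authorized_keys (or trust an
#     OpenSSH CA that signed it). This is "private key on a smartcard",
#     not X.509 certificate validation, which is the distinction Ken draws.
Host piv-*.example.org
    PKCS11Provider /usr/lib64/opensc-pkcs11.so
    PubkeyAuthentication yes
    GSSAPIAuthentication no

# (b) Kerberos user authentication via gssapi-with-mic.
#     Only the user is authenticated with the Kerberos ticket. The host is
#     still authenticated by its SSH host key in known_hosts, so keep host
#     key checking strict: Kerberos does not vouch for the server here.
Host krb-*.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    PubkeyAuthentication no
    StrictHostKeyChecking yes
    # gss-keyex (GSSAPIKeyExchange) is what would let the Kerberos exchange
    # authenticate the host as well. Only OpenSSH builds carrying the GSSAPI
    # key-exchange patch accept the option; upstream OpenSSH rejects it as a
    # "Bad configuration option", so leave it commented on stock clients.
    # GSSAPIKeyExchange yes
```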