>> Right, part of the problem there is that people want to "use Kerberos
>> with ssh", and they don't understand the difference between
>> gssapi-with-mic and gss-keyex.
>
> Aren't you supposed to use CAC or PIV cards?

Well, I hate to use the "Air Bud" loophole, but the rules as I understand them don't ACTUALLY say that for ssh, and in some contexts they explicitly say that plaintext passwords are fine as long as you're doing something like using a RADIUS server to verify the password. Yes, the RADIUS protocol is terrible and has MD5 baked into the protocol, and no one has ever explained to me why the STIGs say FIPS mode is mandatory but RADIUS is fine.

> You can definitely use openssh clients with PIV cards and avoid
> kerberos altogether.

I have done that! But that is actually TERRIBLE IMHO from a security perspective unless you write a whole pile of infrastructure code; maybe some sites actually do that, but the people I've seen with that setup do not and then get surprised when they get a new CAC and that breaks. If you funnel all that through PKINIT then things are much nicer.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
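As an added illustration (not from the message above and not from the OpenSSH or MIT Kerberos projects), here are the two setups the poster contrasts, side by side: the PIV card wired straight into OpenSSH, and the PIV card used through PKINIT with Kerberos doing the ssh authentication. The realm name, hostnames, file paths, the PKCS#11 module location and the AuthorizedKeysCommand helper are all assumptions for the example.

```ini
# ---- A: PIV card straight into OpenSSH (no Kerberos) ----
#
# Client ~/.ssh/config: ssh loads the card's key through PKCS#11.
# (Module path is an assumption; use whatever your site installs.)
Host *.example.test
    PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# Server /etc/ssh/sshd_config: sshd only ever sees a raw public key.
# Something has to keep each user's CURRENT card key in authorized_keys,
# here an assumed site script behind AuthorizedKeysCommand that looks the
# key up in a directory. When the user is issued a new CAC the key changes
# and that mapping must be refreshed or logins break; that is the "pile of
# infrastructure code" the message refers to.
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/sbin/piv-authorized-keys %u
AuthorizedKeysCommandUser nobody

# ---- B: PIV card through PKINIT, then Kerberos to ssh ----
#
# Client /etc/krb5.conf: trust the CA that issued the card certificates
# and point PKINIT at the card. The KDC, not sshd, maps the certificate to
# a principal, so a reissued card with a fresh key keeps working as long
# as the new certificate chains to pkinit_anchors and names the same
# principal in its SAN.
[libdefaults]
    default_realm = EXAMPLE.TEST

[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        pkinit_identities = PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    }

# Client ~/.ssh/config: authenticate with the ticket obtained by kinit.
# GSSAPIAuthentication is upstream OpenSSH's "gssapi-with-mic" userauth
# method. GSSAPIKeyExchange ("gss-keyex") only exists in builds carrying
# the GSSAPI key-exchange patch and is not required for user authentication.
Host *.example.test
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Server /etc/ssh/sshd_config: needs host/<fqdn>@EXAMPLE.TEST in
# /etc/krb5.keytab; there is no per-user key list to maintain.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
```

With setup B the user runs `kinit user@EXAMPLE.TEST` (or explicitly `kinit -X X509_user_identity=PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so user@EXAMPLE.TEST`, which is MIT kinit's PKCS#11 identity syntax) and then plain `ssh host.example.test`. sshd never sees the card's key at all; the certificate-to-principal decision lives in one place, the KDC, which is what "funnel all that through PKINIT" buys you.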
