On Fri, 20 Oct 2006, Greg Hennessy wrote:

Jesse I Pollard - CONTRACTOR wrote:
You also likely don't want to do that anyway.

It seems my options are find a way to have ssh work with a CAC, or disable ssh. I think I prefer the former.

I was only pointing out that that is what you may end up with. It may
work for the first hop, but cannot work from then on. This will disable
ssh from remote server to remote server (scp in particular).

You should be able to get the patches for the ssl library that can access
the smart card. When ssh is rebuilt to use those libraries the smartcard
should work.

However, I don't think the remote sshd can determine the difference between a certificate from a smartcard and a file-based certificate (possibly a derived certificate).

There are also some limitations (if I remember correctly) on the patches.
They only made it possible to use the reader for certificates on the
client (ssh only, not sshd).

As to whether they prevent use of derived certificates I don't know. Your
description indicates that derived CERTS are not allowed, since their use
doesn't need a smartcard.

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: [EMAIL PROTECTED]

Any opinions expressed are solely my own.
