Comments (8)
It would go in here!
There have definitely been questions from across agencies and public on configurations. Any easy walk through guides are welcome and appreciated.
I would suggest it as a page under User Guides; maybe even just a Mac section. Nothing is set in stone and you can draft up any notes, submit a pull, and we'll merge them into staging and help iterate.
I've been "holding" on the additional content until .gov launch via Federalist...days or even hours away (clock ticking down)!
from piv-guides.
4/25 workshop discussion and plays to be shared:
- Sierra OSX 10.12.3 and 10.12.4
- Native support / configurations needed for linking credentials to the local accounts
- Use of Enterprise Connect; NoMad (https://gitlab.com/Mactroll/NoMAD); and other options for network / kerb
#17
Hey,
Here is the document in draft for Mac/Linux SSH. We have tested both. It was combined because we were considering this option. Please review the technical aspects; we are still making editorial and structural changes.
Enable PIV for Secure Shell (SSH) to a UNIX-like system from a Linux or a Mac OS X computer
These procedures are intended for network and system administrators, or other IT professionals, who are responsible for the day-to-day network operations of Federal Government agencies. As part of their roles, these professionals will be authorized by their agencies to use secure methods to remotely access other computer hosts.
Your PIV authentication key pair and public cert are used exactly like a self-signed cert and key pair for SSH
The key pair and certificate are on a hardware PIV card
Ensure your workstation or jump server can recognize the credential, and that the correct drivers are enabled on the client
Hardware Requirements
A Smart Card reader
A PIV card
A Linux or a Mac OS X computer correctly configured to use a PIV card for login, e.g., by configuring OpenSC.
Procedures
Obtain and Save Public Key from PIV card
Insert your PIV card into your computer's card reader.
Use the following command to save the user's public SSH key to a file and submit the file to the jump server administrator. Linux:
ssh-keygen -D /usr/lib64/opensc-pkcs11.so > mykey.pub
Mac OS X:
ssh-keygen -D /Library/OpenSC/lib/pkcs11/opensc-pkcs11.so > mykey.pub
Configure Linux/Unix Jump Server (SSHD)
Change the configuration in the /etc/ssh/sshd_config file. Then restart the sshd.
AuthorizedKeysFile /etc/sshd/authorized_keys/%u
PasswordAuthentication No
Create the directory: /etc/sshd/authorized_keys.
mkdir /etc/sshd/authorized_keys
To allow one user to have such access, place the user's PIV card's SSH public key in the following directory, according to the user's name: /etc/sshd/authorized_keys/[login ID]. (Note: To ensure that access requirements are enforced, only a root user may modify this directory and its files.)
Disable any alternative means of access (i.e., via passwords), as needed.
Log in via SSH
Insert your PIV card into your computer's card reader.
Use the following command to log into the remote machine. Linux:
ssh -I /usr/lib64/opensc-pkcs11.so <remote-host>
Mac OS X:
ssh -I /Library/OpenSC/lib/pkcs11/opensc-pkcs11.so <remote-host>
At the PIV card password prompt, enter your PIN. You should see the remote host's shell prompt.
Note: The card reader may flash. Do not remove the PIV card until the login process has been completed.
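Added example for the jump-server side of the draft procedure above (my own helper functions, not code from the piv-guides draft or its author): they check that a file produced by ssh-keygen -D is well formed, install it as the per-user file under the AuthorizedKeysFile directory with non-writable permissions, and confirm that the PasswordAuthentication and AuthorizedKeysFile directives are actually in effect in sshd_config. The directory and file paths are parameters (the draft's /etc/sshd/authorized_keys is one value for them), and the key material used when exercising the functions is a constructed sample, not a real PIV key.

```shell
#!/bin/sh
# Added example, not part of the piv-guides draft: checks a jump-server admin can
# run when installing a PIV public key the way the draft describes. Paths are
# parameters so the functions can be exercised against a temp directory.

KEY_LINE_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# Return 0 if $1 is non-empty and every non-blank line is an OpenSSH public key.
# `ssh-keygen -D <provider>` lists every key on the token, so the file may
# legitimately hold several lines.
check_pubkey_file() {
    [ -s "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        printf '%s\n' "$line" | grep -qE "$KEY_LINE_RE" || return 1
    done < "$1"
    return 0
}

# install_piv_key <keydir> <login ID> <pubkey file>: copy the key to
# <keydir>/<login ID> as a 0644 file inside a 0755 directory (run as root so
# that both stay root-owned, as the draft requires).
install_piv_key() {
    keydir=$1 login=$2 src=$3
    case "$login" in ''|*/*|.*) return 1 ;; esac   # reject path tricks in the login ID
    check_pubkey_file "$src" || return 1
    mkdir -p "$keydir" && chmod 755 "$keydir" || return 1
    cp "$src" "$keydir/$login" && chmod 644 "$keydir/$login"
}

# first_directive <sshd_config> <keyword>: value of the FIRST occurrence,
# which is the one sshd honours; a later duplicate does not override it.
first_directive() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/[[:space:]]*$//"
}

# check_sshd_config <sshd_config> <keydir>: the two directives from the draft
# are in effect and the key directory is not group- or world-writable.
check_sshd_config() {
    pa=$(first_directive "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$pa" = no ] || return 1
    [ "$(first_directive "$1" AuthorizedKeysFile)" = "$2/%u" ] || return 1
    [ -d "$2" ] || return 1
    case "$(ls -ld "$2")" in ?????w*|????????w*) return 1 ;; esac
    return 0
}
```

Run the checks after editing sshd_config and before restarting sshd; a failing check_sshd_config on a live server usually means an earlier PasswordAuthentication line is silently winning.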
philipashlock,
I'd like to give this a shot. I've sent a request to view the notes you made in Google Doc.
Larry
This has become substantially easier in High Sierra since support is now built-in and you no longer need OpenSC:
https://support.apple.com/en-us/HT208372
Basically now it's just two steps:
- ssh-keygen -D /usr/lib/ssh-keychain.dylib
  to extract the public key in the right format
- Add
  PKCS11Provider=/usr/lib/ssh-keychain.dylib
  to ~/.ssh/config
  to offer keys from the smartcard
Migrating issue to update playbooks repository. Some instructions are available for loading a security device (PIV for Firefox), but no mention of updating a macOS keystore.
Might want Mac instructions on
https://piv.idmanagement.gov/networkconfig/trustedroots/
closing due to relation to issue #17