Hacker News new | ask | show | jobs
by Abekkus 825 days ago
You both can be right, US Gov will write well-intentioned policy that none of their live teams can keep up with, even after 20 years, and I haven't yet seen a practical enterprise authentication architecture that doesn't fall back on passwords somewhere.
1 comments
rkeene2 825 days ago
Within the DOD the most common solutions are SSH keys using the CAC, Kerberos with PKINIT, or using some type of intermediate systems to handle the auth like CA PAM.

There can still be a root password for emergencies, but it wouldn't be available for remote access -- ILOM or some other BMC (or even a serial port concentrator) would be configured for HSPD-12-compliant auth for remote console access, then you would use the root password for system access (though you could also just reboot into a separate operating system, since disk encryption isn't required except for mobile devices).

I'm not sure what the above poster's command or organization was doing to comply with HSPD-12, but they were most likely doing something. The compliant reports are generally public, also.

link
ptcrash 825 days ago
Yes but PIV/CAC identity is not related to break-glass passwords. They both serve different purposes and it's safe to assume that the typical government worker will only ever need to use their smart card to authenticate into systems.
link
imwillofficial 825 days ago
Having long a storied history in DoD contracting, this is not the case.

CAC login is for web only in most cases.

link
rkeene2 825 days ago
I started out as a federal civil servant in the late 90s working for the Navy and switched to contracting shortly thereafter, working at mostly US DOD customers (Navy, Army, USSOCOMHQ), but also DHS (HQ and all components minus SS and CG).

In my experience, at every place we had a different approach but all satisfied HSPD-12 and did not use passwords shortly after the various directives were promulgated through the various channels, except on classified systems since there wasn't a procedure at the time to declassify the CAC/PIV after periods processing -- though there were plans for changing that, and it may be resolved by now.

link
imwillofficial 825 days ago
I won’t go into detail, but my experience was not the same, not even close.
link
evanjrowley 825 days ago
PuTTY-CAC was an interesting, although imperfect solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and adopted some interesting features like FIDO.

[0] https://risacher.org/putty-cac/

[1] https://github.com/NoMoreFood/putty-cac

link