[HN Gopher] NIST: Personal Identity Verification (PIV) of Federa...
___________________________________________________________________
NIST: Personal Identity Verification (PIV) of Federal Employees and
Contractors
Author : stefankuehnel
Score : 61 points
Date : 2024-03-23 14:04 UTC (8 hours ago)
(HTM) web link (nvlpubs.nist.gov)
(TXT) w3m dump (nvlpubs.nist.gov)
| acidburnNSA wrote:
| I'm glad they explain how to write names on the card for even
| very long names, like: "Dingo Pontooroomooloo Vaasa Silvaan
| Beenelong Wooloomooloo Warrandyte Warwarnambool"
| deepsun wrote:
| How?
| bee_rider wrote:
| Table 4-1 on page 44, I think.
| rkeene2 wrote:
| PIV and CAC (DOD, but is now a PIV with CAC-NG) have been around
| for a very long time. Passwords haven't been permitted in the US
| Government since a short time after the signing of HSPD-12 in
| 2004.
| joesnark727 wrote:
| Lol
| joesnark727 wrote:
| https://www.crn.com/news/security/2024/ivanti-discloses-
| fift...
| codeslave13 wrote:
| That's blatantly false. I just left an agency with passwords on
| all their unix boxes. With zero rotation policies. It's a
| shitshow
| Abekkus wrote:
| You both can be right, US Gov will write well-intentioned
| policy that none of their live teams can keep up with, even
| after 20 years, _and_ I haven't yet seen a practical
| enterprise authentication architecture that doesn't fall back
| on passwords somewhere.
| rkeene2 wrote:
| Within the DOD the most common solutions are SSH keys using
| the CAC, Kerberos with PKINIT, or using some type of
| intermediate systems to handle the auth like CA PAM.
|
| There can still be a root password for emergencies, but it
| wouldn't be available for remote access -- ILOM or some
| other BMC (or even a serial port concentrator) would be
| configured for HSPD-12-compliant auth for remote console
| access, then you would use the root password for system
| access (though you could also just reboot into a separate
| operating system, since disk encryption isn't required
| except for mobile devices).
|
| I'm not sure what the above poster's command or
| organization was doing to comply with HSPD-12, but they
| were most likely doing something. The compliant reports are
| generally public, also.
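
The comment above lists the non-password paths (SSH keys held on the CAC, Kerberos PKINIT) and the thread's recurring worry is the host that still "falls back on passwords somewhere". The script below is an added example, not code from the thread or from any of the posters: it audits an sshd_config the way a defender checks a host for that fallback, using the keyword semantics OpenSSH documents (first global occurrence wins, Match blocks override conditionally, unset keywords default to yes). The sample configs are constructed for the demo; the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for password
# fallback. Returns 0 when only public-key auth (e.g. a PIV/CAC key used via
# a PKCS#11 provider) can succeed, 1 when a password or keyboard-interactive
# path is still open.

# Effective global value of a keyword. sshd honours the first occurrence and
# ignores later duplicates; anything after the first "Match" line is
# conditional, so reading stops there. Prints nothing when the keyword is unset.
global_value() {
  awk -v kw="$2" '
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(kw)  { print tolower($2); exit }
  ' "$1"
}

# Lines inside Match blocks that re-enable password-style auth for the
# matching users or addresses, printed with the Match line for context.
match_overrides() {
  awk '
    tolower($1) == "match" { in_match = 1; ctx = $0; next }
    in_match && (tolower($1) == "passwordauthentication" ||
                 tolower($1) == "kbdinteractiveauthentication" ||
                 tolower($1) == "challengeresponseauthentication") &&
                tolower($2) == "yes" { print ctx ": " $0 }
  ' "$1"
}

audit_sshd_config() {
  cfg="$1"
  rc=0
  for kw in PasswordAuthentication KbdInteractiveAuthentication \
            ChallengeResponseAuthentication; do
    val=$(global_value "$cfg" "$kw")
    # OpenSSH defaults all three to yes, so an unset keyword is a finding.
    if [ -z "$val" ] || [ "$val" = "yes" ]; then
      echo "FINDING: $kw is ${val:-unset (defaults to yes)}"
      rc=1
    fi
  done
  if [ "$(global_value "$cfg" PubkeyAuthentication)" = "no" ]; then
    echo "FINDING: PubkeyAuthentication no (smart-card keys cannot be used)"
    rc=1
  fi
  overrides=$(match_overrides "$cfg")
  if [ -n "$overrides" ]; then
    echo "FINDING: password auth re-enabled in a Match block:"
    echo "$overrides"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: no password fallback in $cfg"
  fi
  return "$rc"
}

# Constructed sample configs for the demo (not taken from any real host).
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/hardened" <<'EOF'
# smart-card only: the card's public key is listed with ssh-keygen -D <pkcs11 .so> -e
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF
  cat > "$dir/fallback" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
# KbdInteractiveAuthentication left unset: a PAM password prompt is still possible
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
  echo "$dir"
}

SAMPLES=$(write_samples)
audit_sshd_config "$SAMPLES/hardened"
audit_sshd_config "$SAMPLES/fallback" || true
```

On the client side the card is used through OpenSSH's PKCS#11 support: `ssh-keygen -D /path/to/opensc-pkcs11.so -e` prints the public keys held on the PIV/CAC for the server's authorized_keys, and `ssh -I /path/to/opensc-pkcs11.so host` (or `PKCS11Provider` in ssh_config) signs with the card; the module path varies by distribution and is an assumption here. Run the audit against `sshd -T` output as well as the file, since included files and compiled-in defaults only show up there.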
| imwillofficial wrote:
| Having a long and storied history in DoD contracting, this is
| not the case.
|
| CAC login is for web only in most cases.
| evanjrowley wrote:
| PuTTY-CAC was an interesting, although imperfect solution
| to using PIV/CAC cards together with SSH. I remember
| piloting it from 2013-2014 at an agency. Back then, it
| was maintained by Dan Risacher[0]. Nowadays it is
| maintained on GitHub[1] and adopted some interesting
| features like FIDO.
|
| [0] https://risacher.org/putty-cac/
|
| [1] https://github.com/NoMoreFood/putty-cac
| rkeene2 wrote:
| I started out as a federal civil servant in the late 90s
| working for the Navy and switched to contracting shortly
| thereafter, working at mostly US DOD customers (Navy,
| Army, USSOCOMHQ), but also DHS (HQ and all components
| minus SS and CG).
|
| In my experience, at every place we had a different
| approach but all satisfied HSPD-12 and did not use
| passwords shortly after the various directives were
| promulgated through the various channels, except on
| classified systems since there wasn't a procedure at the
| time to declassify the CAC/PIV after periods processing
| -- though there were plans for changing that, and it may
| be resolved by now.
| ptcrash wrote:
| Yes but PIV/CAC identity is not related to break-glass
| passwords. They both serve different purposes and it's
| safe to assume that the typical government worker will
| only ever need to use their smart card to authenticate
| into systems.
| jhbadger wrote:
| But could you get into the network to access the UNIX boxes
| without a PIV card? That's how the NIH works -- the UNIX
| boxes do have passwords, but unless you are on campus you
| have to connect to the VPN with your PIV card first.
| rsfern wrote:
| NIST has a similar setup. There's an exemption for e.g.
| summer students who are issued temporary non-PIV badges,
| but they're issued a yubikey that's required to access the
| network from off campus
| p_l wrote:
| Recentish Yubikeys have PIV functionality too (I have
| used that to log in to my work MacBook in place of passwords)
| torstenvl wrote:
| It depends. There are IL2-exposed sites that permit password
| login, and interface with IL4 backends (milConnect and DEERS,
| MOL and MCTFS, etc.). I'm not sure what the ATO process looks
| like for those systems though. But you're not getting direct
| IL4+ access without a CAC somewhere.
| jki275 wrote:
| LOL.
|
| Nice theory, but has no actual connection to the real world.
| tiffanyh wrote:
| (2022)
| wolverine876 wrote:
| (PDF)
___________________________________________________________________
(page generated 2024-03-23 23:00 UTC)