> Shawn, to be clear this should work with PIV as well correct ?

John,
As I just noted to Bram, you need to just do the following for SSO with CAC at Login (PKINIT).
Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable for Login. I will attempt to get draft instructions up very soon.
Add PKINIT information to /etc/authorization file
Please make sure to make a backup of the /etc/authorization file before you make any changes as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command:
cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or plistbuddy.
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
Test to verify PKINIT is working
First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer, or by going to Terminal and typing klist.
-Shawn
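The edit step above is the risky one: a malformed mechanisms array in /etc/authorization can leave the machine unable to log in. The following is an added example, not part of Shawn's post and not Apple's tooling: it performs the backup and the insertion with Python's standard plistlib instead of defaults or PlistBuddy, puts PKINITMechanism:auth,privileged directly after MCXMechanism:login, refuses to guess a position if that anchor is missing, and is idempotent so re-running it does not duplicate the entry. The embedded plist is a constructed, trimmed copy of the system.login.console rule; the assumption that the rule lives under a top-level "rights" dict matches the layout of that file on 10.6.

```python
"""Insert the PKINIT mechanism into a macOS 10.6 /etc/authorization plist.

Added example (not Apple tooling, not from the original post). It uses
plistlib rather than PlistBuddy; the sample plist is a constructed, trimmed
copy of the system.login.console rule.
"""
import plistlib
import shutil
import time
from pathlib import Path

RIGHT = "system.login.console"
ANCHOR = "MCXMechanism:login"
PKINIT = "PKINITMechanism:auth,privileged"

# Constructed sample of the relevant part of /etc/authorization (assumption:
# the real file carries many more rights plus a "rules" dict; only the
# "rights" -> system.login.console path is needed here).
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def backup_file(path):
    """Copy path to path_original_<timestamp> before touching it (the cp step)."""
    stamp = time.strftime("%Y-%m-%d-%H%M%S")
    dest = Path(f"{path}_original_{stamp}")
    shutil.copy2(path, dest)
    return dest


def add_pkinit_mechanism(plist_bytes):
    """Return (new_plist_bytes, changed).

    Inserts PKINIT directly after MCXMechanism:login in the login-window
    mechanism list. Idempotent: a second run changes nothing. Raises if the
    rule or the anchor is missing instead of guessing a position, because a
    bad mechanisms list can lock everyone out of the login window.
    """
    data = plistlib.loads(plist_bytes)
    try:
        mechanisms = data["rights"][RIGHT]["mechanisms"]
    except KeyError as exc:
        raise ValueError(f"{RIGHT} rule or its mechanisms array not found") from exc
    if PKINIT in mechanisms:
        return plist_bytes, False
    if ANCHOR not in mechanisms:
        raise ValueError(f"{ANCHOR} not present; refusing to guess where PKINIT belongs")
    mechanisms.insert(mechanisms.index(ANCHOR) + 1, PKINIT)
    return plistlib.dumps(data), True


def pkinit_position(plist_bytes):
    """Offset of PKINIT from the anchor: 1 means 'directly after', None if absent."""
    mechanisms = plistlib.loads(plist_bytes)["rights"][RIGHT]["mechanisms"]
    if PKINIT not in mechanisms:
        return None
    return mechanisms.index(PKINIT) - mechanisms.index(ANCHOR)


if __name__ == "__main__":
    # Dry run on the constructed sample. On a real machine: backup_file("/etc/authorization"),
    # read the file, write the result back as root, then run the kinit test from the post.
    updated, changed = add_pkinit_mechanism(SAMPLE_AUTHORIZATION)
    print("changed:", changed, "position after anchor:", pkinit_position(updated))
```

Running the dry run reports changed True and position 1; running add_pkinit_mechanism again on the output reports changed False, which is the check to make before writing the file back.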