1) I clean installed and updated OS X Lion on an unused disk.
2) I installed the SmartCardServices Installer v2.0.b2 for Lion.
3) I used sc_auth hash and selected the first hash for use with sc_auth accept -u useraccount -h ...
4) I confirmed the hash entry with dscl . -read /Users/useraccount
5) I added builtin:smartcard-sniffer,privileged to both the system.login.console and authenticate sections of /etc/authorization

Confirmed that my Gemalto CAC card works with OS X Mail and Safari. Log out and insert card, no effect; reboot, insert card, no effect.

What step did I miss? I was never inserting a reader / card on a vanilla install of OS X Lion. Are there newer instructions on the precise location for the smartcard-sniffer entries? What log files do I look at? secure.log seems related, but I can't tell if anything in there was an error.

There are three methods for associating a Smart Card to a given user account in either the local or remote DS:

PubKey Hash - Default method used by OS X and requires sc_auth
Attribute Matching - requires /etc/cacloginconfig.plist
PKINIT - requires /etc/cacloginconfig.plist and Mac bound to a KDC

All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.

Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge. This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher. ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.

Project Site: http://smartcardservices.macosforge.org/
Installers: http://smartcardservices.macosforge.org/trac/wiki/installers
There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
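
A check for the requirement in the answer above that the smartcard-sniffer line be present in /etc/authorization, as an added example that is not part of the original posts: it parses an authorization plist and reports, for the two sections named in the question, whether the entry is there. The sample plist is constructed, and the file layout (top-level "rights" and "rules" dictionaries whose entries hold a "mechanisms" array) is an assumption.

```python
import plistlib

SNIFFER = "builtin:smartcard-sniffer,privileged"
SECTIONS = ("system.login.console", "authenticate")

# Constructed sample, not a copy of a real /etc/authorization.
# Assumed layout: "rights"/"rules" dicts, each entry with a "mechanisms" array.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key>system.login.console</key><dict>
      <key>mechanisms</key><array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
      </array>
    </dict>
  </dict>
  <key>rules</key><dict>
    <key>authenticate</key><dict>
      <key>mechanisms</key><array>
        <string>builtin:authenticate</string>
      </array>
    </dict>
  </dict>
</dict></plist>"""

def find_section(db, name):
    """Return the entry called `name` from "rights" or "rules", or None."""
    for top in ("rights", "rules"):
        entry = db.get(top, {}).get(name)
        if isinstance(entry, dict):
            return entry
    return None

def check_sniffer(plist_bytes):
    """Map each section to 'present', 'missing' or 'section not found'."""
    db = plistlib.loads(plist_bytes)
    report = {}
    for name in SECTIONS:
        entry = find_section(db, name)
        if entry is None:
            report[name] = "section not found"
        else:
            found = SNIFFER in entry.get("mechanisms", [])
            report[name] = "present" if found else "missing"
    return report

if __name__ == "__main__":
    for section, status in check_sniffer(SAMPLE).items():
        print(f"{section}: {status}")
```

To run it against a real system, pass the bytes of /etc/authorization to check_sniffer instead of SAMPLE.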