Michael,

All Smart Card related questions should be communicated on Apple's SmartCardServices Project Lists over at MacOSForge.org.

A brief debunking of misinformation previously shared on this thread...

There are three methods for associating a Smart Card to a given user account in either the local or remote DS.

PubKey Hash - Default method used by OS X and requires sc_auth
Attribute Matching - requires /etc/cacloginconfig.plist
PKINIT - requires /etc/cacloginconfig.plist and Mac bound to a KDC

All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.

Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge. This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher. ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.

Project Site: http://smartcardservices.macosforge.org/
Installers: http://smartcardservices.macosforge.org/trac/wiki/installers

There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.

".....Comparing against 10.4 references these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism...."

No, "smartcard-sniffer" is NOT a name change for PKINITMechanism.
"smartcard-sniffer" performs a swap of the login window (dynamically) and captures PIN
"PKINITMechanism" performs the Apple provided PKINIT services for Login Authentication.

"...Unfortunately Apple dropped support and now it is a requirement in many places, all places that supply Windows-software for this but if you use OS X you have to find your own solution..."
You have the SAME functionality still offered via my installers from Apple's MacOSForge Project.
You have multiple commercial solutions as well as noted above: Centrify, charismathics and Thursby.

Please register and redirect ALL Smart Card related questions to one of the appropriate Mailing lists on MacOSForge.
http://lists.macosforge.org/mailman/listinfo
Smart Card Users: https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
Smart Card Developers: https://lists.macosforge.org/mailman/listinfo/smartcardservices-dev

- Shawn
______________________________________________________
Shawn Geddis geddis@me.com
Enterprise Security Consulting Engineer, Apple geddis@apple.com
MacOSForge: Smart Card Services Project Lead:
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
______________________________________________________

On Feb 19, 2013, at 1:40 PM, Michael Kluskens <mklus@ieee.org> wrote:
I'm well aware of the sc_auth command and on previous versions of OS X I had CAC login enabled. However, in testing an OS X Lion and an OS X Mt. Lion system, inserting the CAC card has no effect. Both systems otherwise have full CAC functionality and I used the Identity Private Key.
I have not yet tried this on a clean system with no security configuration (disabling suid's binaries, etc.) so it is possible that both systems have been broken with regards to CAC login.
I was hoping someone could actually confirm what setup works on OS X 10.7 & 10.8 because at present the discussed information has not worked for me.
Looking at /etc/authorization under system.login I see:
builtin:policy-banner
loginwindow:login
builtin:reset-password,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
loginwindow:success
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
loginwindow:done
and under authenticate I see:
builtin:authenticate
builtin:reset-password,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
Comparing against 10.4 references these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism.
Michael
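Shawn's point above is that every one of the three association methods still depends on the smartcard-sniffer mechanism being wired into the login right in /etc/authorization, and Michael's mechanism list shows a Lion/Mountain Lion right that carries PKINITMechanism but no sniffer. The script below is an added example for this thread, not code from Apple or the SmartCardServices project: it parses an /etc/authorization-style plist with the standard library and reports, per login right, whether a smartcard-sniffer entry and a PKINITMechanism entry are present. The embedded plist is a constructed sample modelled on the mechanisms Michael posted (using the full right name system.login.console for what he abbreviates as "system.login", plus his "authenticate" right); the exact sniffer entry string builtin:smartcard-sniffer,privileged and its position after loginwindow:login are assumptions, so the check matches on the substring "smartcard-sniffer" rather than on that exact string. On a real 10.7/10.8 machine you would read /etc/authorization and pass its bytes to the same functions.

```python
import plistlib

# Assumed full form of the sniffer entry (not quoted in the thread); detection
# below matches on the "smartcard-sniffer" substring so variants are still found.
SNIFFER_MECHANISM = "builtin:smartcard-sniffer,privileged"

# Constructed sample modelled on the mechanism lists Michael posted for his
# login and authenticate rights. NOT a real /etc/authorization dump.
SAMPLE_WITHOUT_SNIFFER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:forward-login,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
    <key>authenticate</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

# Second constructed sample: same plist with the (assumed) sniffer entry added
# directly after loginwindow:login, the placement used on pre-Lion systems.
SAMPLE_WITH_SNIFFER = SAMPLE_WITHOUT_SNIFFER.replace(
    b"<string>loginwindow:login</string>",
    b"<string>loginwindow:login</string>\n        <string>"
    + SNIFFER_MECHANISM.encode() + b"</string>",
)


def login_mechanisms(plist_bytes, right_prefix="system.login"):
    """Return {right_name: [mechanism, ...]} for every evaluate-mechanisms
    right whose name starts with right_prefix (system.login.console by default)."""
    data = plistlib.loads(plist_bytes)
    found = {}
    for name, right in data.get("rights", {}).items():
        if name.startswith(right_prefix) and isinstance(right, dict):
            found[name] = list(right.get("mechanisms", []))
    return found


def rights_using(plist_bytes, needle):
    """Sorted names of all rights whose mechanism list mentions `needle`
    (e.g. "PKINITMechanism"), so you can see where a mechanism is wired in."""
    data = plistlib.loads(plist_bytes)
    return sorted(
        name for name, right in data.get("rights", {}).items()
        if isinstance(right, dict)
        and any(needle in m for m in right.get("mechanisms", []))
    )


def smartcard_login_readiness(plist_bytes):
    """Per login right: is the sniffer present (required by all three
    association methods) and is PKINITMechanism present (needed only for PKINIT)?"""
    report = {}
    for name, mechs in login_mechanisms(plist_bytes).items():
        report[name] = {
            "smartcard_sniffer": any("smartcard-sniffer" in m for m in mechs),
            "pkinit": any(m.startswith("PKINITMechanism:") for m in mechs),
        }
    return report


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_WITHOUT_SNIFFER),
                          ("with sniffer", SAMPLE_WITH_SNIFFER)):
        print(label, smartcard_login_readiness(sample))
    print("rights using PKINITMechanism:",
          rights_using(SAMPLE_WITHOUT_SNIFFER, "PKINITMechanism"))
```

Run against the posted configuration the report shows pkinit True and smartcard_sniffer False for system.login.console, which is consistent with Shawn's reading that PKINITMechanism being present does not mean the sniffer was renamed or that card login is enabled.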
From: "Danberry, Michael J Mr ARMY GUEST USA" <michael.danberry@us.army.mil>

The specific location for this information is at: http://militarycac.com/errors2.htm#OTHER_QUESTIONS. Question 2
From: "Bomar, Matt W ERDC-RDE-ITL-MS Contractor" <Matthew.W.Bomar@erdc.dren.mil>
Have you looked at the "sc_auth" command? It should allow you to associate a certificate with a local user account for CAC login. It's still present in 10.8.
On 2/14/13 4:30 PM, "Michael Kluskens" <mklus@ieee.org> wrote:
What are the choices for CAC enabled login on OS X 10.7 & 10.8?
I'm looking at OS X systems which may not have access to a MS Domain Server, i.e. isolated network. Some would have access and some would not have access all the time.
I thought maybe some changes to /etc/authorization might reenable CAC-login but I haven't started an attempt yet.
Unfortunately Apple dropped support and now it is a requirement in many places, all places that supply Windows-software for this but if you use OS X you have to find your own solution.