• There are three methods for associating a Smart Card to a given user account in either the local or remote DS.
• PubKey Hash - Default method used by OS X and requires sc_auth
• Attribute Matching - requires /etc/cacloginconfig.plist
• PKINIT - requires /etc/cacloginconfig.plist and Mac bound to a KDC
• All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.
• Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge.  This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher.  ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.  
• Project Site: http://smartcardservices.macosforge.org/
• Installers: http://smartcardservices.macosforge.org/trac/wiki/installers
• There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
• ".....Comparing against 10.4 references these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism...."
• No, "smartcard-sniffer" is NOT a name change for PKINITMechanism.  
• "smartcard-sniffer" performs a swap of the login window (dynamically) and captures PIN
• "PKINITMechanism" performs the Apple provided PKINIT services for Login Authentication.
• "...Unfortunately Apple dropped support and now it is a requirement in many places, all places that supply Windows-software for this but if you use OS X you have to find your own solution..."
• You have the SAME functionality still offered via my installers from Apple's MacOSForge Project
• You have multiple commercial solutions as well as noted above:  Centrify, charismathics and Thursby.

http://lists.macosforge.org/mailman/listinfo

I'm well aware of the sc_auth command and on previous versions of OS X I had CAC login enabled.  However, in testing an OS X Lion and an OS X Mt. Lion system, inserting the CAC card has no effect.  Both systems otherwise have full CAC functionality and I used the Identity Private Key.

I have not yet tried this on a clean system with no security configuration (disabling suid's binaries, etc.) so it is possible that both systems have been broken with regards to CAC login.

I was hoping someone could actually confirm what setup works on OS X 10.7 & 10.8 because at present the discussed information has not worked for me.

Looking at /etc/authorization under system.login I see:

                               builtin:policy-banner
                               loginwindow:login
                               builtin:reset-password,privileged
                               builtin:forward-login,privileged
                               builtin:auto-login,privileged
                               builtin:authenticate,privileged
                               PKINITMechanism:auth,privileged
                               loginwindow:success
                               HomeDirMechanism:login,privileged
                               HomeDirMechanism:status
                               MCXMechanism:login
                               loginwindow:done

and under authenticate I see:

                               builtin:authenticate
                               builtin:reset-password,privileged
                               builtin:authenticate,privileged
                               PKINITMechanism:auth,privileged

Comparing against 10.4 references these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism.

Michael

From: "Danberry, Michael J Mr ARMY GUEST USA" <michael.danberry@us.army.mil>
The specific location for this information is at:  http://militarycac.com/errors2.htm#OTHER_QUESTIONS. Question 2

From: "Bomar, Matt W ERDC-RDE-ITL-MS Contractor" <Matthew.W.Bomar@erdc.dren.mil>

Have you looked at the "sc_auth" command? It should allow you to associate
a certificate with a local user account for CAC login. It's still present
in 10.8.

On 2/14/13 4:30 PM, "Michael Kluskens" <mklus@ieee.org> wrote:

What are the choices for CAC enabled login on OS X 10.7 & 10.8.

I'm looking at OS X systems which may not have access to a MS Domain
Server, i.e. isolated network.  Some would have access and some would not
have access all the time.

I thought maybe some changes to /etc/authorization might reenable
CAC-login but I haven't started an attempt yet.

Unfortunately Apple dropped support and now it is a requirement in many
places, all places that supply Windows-software for this but if you use
OS X you have to find your own solution.