Shawn, to be clear this should work with PIV as well correct?

John,
As I just noted to Bram, you need to just do the following for SSO with CAC at Login (PKINIT).
Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable for Login. I will attempt to get draft instructions up very soon.
Add PKINIT information to /etc/authorization file
Please make sure to make a backup of the /etc/authorization file before you make any changes as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command:
cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or PlistBuddy.
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
Test to verify PKINIT is working
First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer or by going to Terminal and typing klist.
-Shawn
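As an added example, not part of Shawn's instructions or of any Apple tooling: a Python script that carries out the same backup-then-insert procedure against a constructed copy of the system.login.console rule using plistlib, placing PKINITMechanism:auth,privileged directly after MCXMechanism:login, staying idempotent on a second run, and refusing to edit a file whose mechanisms array lacks that anchor rather than guessing. The "rights" wrapper key, the sample file contents and the backup name format are assumptions; the script never touches the real /etc/authorization.

```python
import plistlib
import shutil
import tempfile
import time
from pathlib import Path
# Constructed stand-in for /etc/authorization (not the real file); the "rights" wrapper key is assumed.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict><key>system.login.console</key><dict>
<key>class</key><string>evaluate-mechanisms</string><key>mechanisms</key><array>
<string>builtin:smartcard-sniffer,privileged</string><string>loginwindow:login</string>
<string>builtin:reset-password,privileged</string><string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string><string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string><string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string><string>loginwindow:done</string>
</array></dict></dict></dict></plist>"""
ANCHOR = "MCXMechanism:login"
PKINIT = "PKINITMechanism:auth,privileged"

def backup(path: Path) -> Path:
    # Same intent as the cp in the email: a timestamped copy to restore if login breaks.
    dest = path.with_name(path.name + "_original_" + time.strftime("%Y%m%d-%H%M%S"))
    shutil.copy2(path, dest)
    return dest

def add_pkinit_mechanism(mechanisms: list) -> list:
    # Insert PKINIT right after the anchor; idempotent; raises ValueError if the anchor is absent.
    if PKINIT in mechanisms:
        return list(mechanisms)
    idx = mechanisms.index(ANCHOR)
    return mechanisms[:idx + 1] + [PKINIT] + mechanisms[idx + 1:]

def patch_authorization(path: Path) -> list:
    # Parse, edit and rewrite through plistlib so the result stays well-formed XML.
    with path.open("rb") as f:
        auth = plistlib.load(f)
    rule = auth["rights"]["system.login.console"]
    rule["mechanisms"] = add_pkinit_mechanism(rule["mechanisms"])
    with path.open("wb") as f:
        plistlib.dump(auth, f)
    return rule["mechanisms"]

def demo() -> dict:
    # Run the whole procedure on a temp copy of the sample, never on /etc/authorization.
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "authorization"
        path.write_bytes(SAMPLE_AUTHORIZATION)
        bak = backup(path)
        first = patch_authorization(path)
        second = patch_authorization(path)  # second run must be a no-op
        return {"backup_intact": bak.read_bytes() == SAMPLE_AUTHORIZATION,
                "after_first": first, "idempotent": first == second}
```

After running it, the resulting mechanisms array matches the order in the fragment above, and the backup still holds the unmodified bytes.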
Mike,

Correct.

There is no difference between supported cards in use. The cards are abstracted, so all layers above that are working with the necessary information (i.e. NTPrincipalName) for the follow-on steps.

-Shawn

On Jul 22, 2010, at 10:07 AM, Mike Hjorleifsson wrote:
Shawn, to be clear this should work with PIV as well correct?
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
Shawn-- What's the prospect of supporting PKINIT without the UPN in the SAN? This is supported in Windows KDCs from Server 2008 and later, and will soon be used within the DoD for certain use cases where alternative tokens are currently employed. The Heimdal framework should handle this just fine, but does the OS X UI allow for input of the principal name? -- Tim
-----Original Message-----
From: smartcardservices-users-bounces@lists.macosforge.org [mailto:smartcardservices-users-bounces@lists.macosforge.org] On Behalf Of Shawn A. Geddis
Sent: Thursday, July 22, 2010 10:24 AM
To: Mike Hjorleifsson
Cc: smartcardservices-users@lists.macosforge.org
Subject: Re: [SmartcardServices-Users] OpenDirectory and CAC
Participants (3):
- Mike Hjorleifsson
- Miller, Timothy J.
- Shawn A. Geddis