Greetings,

Hope this is a correct place for these questions.

I'm trying to utilize a smart token for various purposes, ultimately I'd like to have a single token for login, encrypting data either with FileVault or specific disk image, and VPN connection. FWIW, I'm using Charismathics CSSI, their tokend and plug'n crypt tokens. We are utilizing Open Directory, but having a lot of mobile users for which I'd like to use portable account (no synchronization).

I have run into various problems with these aims and I'm hoping that someone could help with these.

1) I can use sc_auth to bind a token for login to an account. After that, I can also set screen to lock with token removal. However, after screen is locked I cannot use token's PIN anymore for login, only password is accepted even if I plug the token back.

2) tokenadmin create-fv-user fails for creating FileVaulted new account.

  sudo tokenadmin -v create-fv-user -u tokenuser -l "Token User"

gives output:

  create-fv-user "-u" "tokenuser" "-l" "Token User"
  Authorizing right system.preferences.accounts
  Connecting to writeconfig...
  Connected
  Validating full name: Token User
  Validating short name: tokenuser
  2010-09-07 13:00:17.908 tokenadmin[42782:e07] failed to convert string
  tokenadmin: Creating user "Token User" (tokenuser)
  Creating new user account: tokenuser
  2010-09-07 13:00:18.354 tokenadmin[42782:e07] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
  *** Call stack at first throw:
  (
    0   CoreFoundation      0x00007fff85e95cc4 __exceptionPreprocess + 180
    1   libobjc.A.dylib     0x00007fff85aa90f3 objc_exception_throw + 45
    2   CoreFoundation      0x00007fff85e95ae7 +[NSException raise:format:arguments:] + 103
    3   CoreFoundation      0x00007fff85e95a74 +[NSException raise:format:] + 148
    4   Foundation          0x00007fff81819aaa -[NSPlaceholderString initWithString:] + 102
    5   Foundation          0x00007fff81835e01 +[NSString stringWithString:] + 45
    6   Admin               0x00007fff865d8274 -[User setPassword:] + 79
    7   tokenadmin          0x0000000100001774 0x0 + 4294973300
    8   tokenadmin          0x0000000100001085 0x0 + 4294971525
    9   tokenadmin          0x0000000100000c8c 0x0 + 4294970508
  )
  terminate called after throwing an instance of 'NSException'
  Abort trap
  bash-3.2$ 2010-09-07 13:00:20.419 writeconfig[42783:903] writeconfig quitting because of exception:connection went invalid while waiting for a reply

If I add -p, for optional password, a different error, this time account is created but creating sparsebundle fails:

  create-fv-user "-u" "tokenuser" "-l" "Token User" "-p" "tokenuser"
  Authorizing right system.preferences.accounts
  Connecting to writeconfig...
  Connected
  Validating full name: Token User
  Validating short name: tokenuser
  tokenadmin: Creating user "Token User" (tokenuser)
  Creating new user account: tokenuser
  Creating home directory...
  2010-09-07 13:02:35.890 writeconfig[42815:903] DIHLFVMount failed with 80
  tokenadmin: Failed to create home directory
  New user account created and configured

2) I could do without FileVault if I could create an encrypted image bound to token certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with path to a certificate as an argument. However, it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?

Thank you in advance for any replies,
Juha Ratilainen
On Sep 7, 2010, at 6:11 AM, Juha Ratilainen wrote:

> I'm trying to utilize a smart token for various purposes, ultimately I'd like to have a single token for login, encrypting data either with FileVault or specific disk image, and VPN connection.
>
> FWIW, I'm using Charismathics CSSI, their tokend and plug'n crypt tokens. We are utilizing Open Directory, but having a lot of mobile users for which I'd like to use portable account (no synchronization).
>
> I have run into various problems with these aims and I'm hoping that someone could help with these.
>
> 1) I can use sc_auth to bind a token for login to an account. After that, I can also set screen to lock with token removal. However, after screen is locked I cannot use token's PIN anymore for login, only password is accepted even if I plug the token back.

There is a noticeable delay for the token/card to be recognized upon insertion for Screen Saver. There are also cases when some readers (not sure what token/reader you are using) are not properly recognized upon removal and reinsertion (sometimes limited to same port). If your system has multiple USB ports, you might want to try and insert into a different USB port and see if your reader suffers from that issue.

> 2) tokenadmin create-fv-user fails for creating FileVaulted new account.
>
>   sudo tokenadmin -v create-fv-user -u tokenuser -l "Token User"

There was a regression in Mac OS X 10.6 that caused this failure for tokenadmin. It is an issue outside the Smart Card Services project control, so we are unable to fix it here. It is noted and identified in Apple's Bug Tracking System. You can take two avenues to report this issue to Apple.

a) You can submit a ticket here at the SmartCardServices Project and I will submit a corresponding ticket internally.
b) You can submit directly to Apple at http://bugreport.apple.com/ and emphasize the need for a 10.6.x fix. (Please notify me if you submit this, so that I can track and add to internal diagnostics.)

> 2) I could do without FileVault if I could create an encrypted image bound to token certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with path to a certificate as an argument. However, it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?

Using hdiutil's option "-pubkey PK1,PK2,...,PKn" would help you here....

  -pubkey PK1,PK2,...,PKn
      specify a list of public keys, identified by their hexadecimal hashes, to be used to protect the encrypted image being created.

__________________________________________________
Shawn Geddis                    geddis@mac.com
Security Consulting Engineer    geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web:   http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
Thank you for answers. As always, these raise more questions...

>> 1) I can use sc_auth to bind a token for login to an account. After that, I can also set screen to lock with token removal. However, after screen is locked I cannot use token's PIN anymore for login, only password is accepted even if I plug the token back.
>
> There is a noticeable delay for the token/card to be recognized upon insertion for Screen Saver. There are also cases when some readers (not sure what token/reader you are using) are not properly recognized upon removal and reinsertion (sometimes limited to same port). If your system has multiple USB ports, you might want to try and insert into a different USB port and see if your reader suffers from that issue.

I had this working with aladdin eToken in 10.5, however they have not updated their client software for 10.6 AFAIK. Problematic token is plug'n crypt from charismathics, which is also provider of tokend. I guess the question is, if this does not work, is it probably bug in tokend implementation? Should I report this to Charismathics? Token is recognized in login window, with window changing for PIN entry, likewise locking screen with token removal works. Only re-plugging it does not work?

> You can take two avenues to report this issue to Apple.
>
> a) You can submit a ticket here at the SmartCardServices Project and I will submit a corresponding ticket internally.
> b) You can submit directly to Apple at http://bugreport.apple.com/ and emphasize the need for a 10.6.x fix. (Please notify me if you submit this, so that I can track and add to internal diagnostics.)

Thanks for clarification. I can submit this directly.

>> 2) I could do without FileVault if I could create an encrypted image bound to token certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with path to a certificate as an argument. However, it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?
>
> Using hdiutil's option "-pubkey PK1,PK2,...,PKn" would help you here....

D'uh. There it was under my nose... However, I'm still missing something. If I create a test certificate with Keychain Access, export it and try to create an image with it, it works:

  hdiutil create -size 20m -encryption -fs HFS+J -certificate test.cer enc.dmg

However, trying to create the same image with -pubkey, with the certificate in login keychain of local admin:

  hdiutil create -size 20m -fs=HFS+J -pubkey 2A09D74BC583A3ECAE066441552076FF659778C2 enc.dmg

only gives generic help message:

  Usage: hdiutil create <sizespec> [options] <imagepath>
  hdiutil create -help

Any pointers for this?

Thanks,
Juha Ratilainen
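The -pubkey command in the last message writes -fs=HFS+J, whereas hdiutil takes the filesystem as a separate argument (-fs HFS+J, as in the working -certificate command), and it also omits -encryption; hdiutil rejects an unknown option by printing its usage text. The POSIX sh helper below is an added example, not code from the thread or from the Smart Card Services project: it checks the hash format (assuming the 40 hexadecimal characters shown above) and issues the create command with the documented option syntax, running hdiutil only where it exists (macOS).

```sh
#!/bin/sh
# Added helper (not from the thread): create an hdiutil image protected by a
# public key hash, using the option syntax hdiutil documents. hdiutil exists
# only on macOS, so elsewhere the command line is shown instead of run.

# A -pubkey value is a hexadecimal hash; the one in the thread is 40 hex
# characters, so that length is required here (assumption).
valid_pubkey_hash() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Emit the hdiutil arguments, one per line, for inspection or reuse.
# Note: -fs takes a separate argument (-fs HFS+J, never -fs=HFS+J), and
# -pubkey protects the *encrypted* image, so -encryption must be present;
# the failing command above had -fs=HFS+J and no -encryption.
build_create_args() {
    size="$1"; hash="$2"; image="$3"
    valid_pubkey_hash "$hash" || { echo "bad public key hash: $hash" >&2; return 1; }
    printf '%s\n' create -size "$size" -encryption -fs HFS+J -pubkey "$hash" "$image"
}

# Run hdiutil with validated arguments, or print what would have run.
create_token_image() {
    build_create_args "$@" >/dev/null || return 1
    if command -v hdiutil >/dev/null 2>&1; then
        hdiutil create -size "$1" -encryption -fs HFS+J -pubkey "$2" "$3"
    else
        echo "hdiutil (macOS only) not found; would run:" >&2
        build_create_args "$@" | tr '\n' ' ' >&2
        echo >&2
    fi
}
```

Usage: create_token_image 20m <40-hex-char public key hash> enc.dmg; on a Mac the hash comes from the certificate's key as shown by Keychain Access.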