Re: [SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
Shawn,
Ron and Paul are absolutely correct. Restricting to smartcard only cannot be done at the user level in the AD. It HAS to be done at the client side, or else many other things will break.
What we are trying to do is protect a computer that contains sensitive data. Requirements state that this has to be done with card/pin. There are many other apps we have at the NIH that authenticate against the AD, some are name/password only, some are either name/password OR card/pin, and some (eventually anyway) will be card/pin ONLY.
Now, whether the management on the client side is done via AD computer management or an MCX record or a modified /etc/authorization file or a bit of specialized code in a login script, it absolutely does not matter. The point is to protect a particular asset, a computer that contains sensitive data.
-Souheil
On Oct 13, 2010, at 4:21 PM, Ron Colvin wrote:
On 10/13/10 3:59 PM, Shawn A. Geddis wrote:
Organizations apply policy such as requiring smart cards by managing their AD. This is not something that they would do at the client side. What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client side middleware such as your ADmitMac for CAC).
The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards. Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
Shawn, I could definitely see a use case for smartcard only at console to require two-factor authentication for a client box. I see a different use case for requiring only a smartcard ever for that account. I could certainly see a different use depending on what type of data the client processes and whether it is a mobile workstation or a smartphone. On or off for the user account only is not sufficient.
--
***************************************************************
Ron Colvin CISSP, CEH
Enterprise Integration Engineer, Security Analyst
Code 700 DCSE Code 100 & 110
NASA - Goddard Space Flight Center <ron.colvin@nasa.gov>
Direct phone 301-286-2451
NASA Jabber (rdcolvin@im.nasa.gov) AIM rcolvin13 NASA LCS (ronald.d.colvin@nasa.gov)
****************************************************************
On Oct 13, 2010, at 4:17 PM, Paul Nelson wrote:
If the original poster wanted to prevent users from logging into the Mac unless they had a smart card, they could do this the way you suggest below. However, that may prevent them from using a password with their account for other reasons (run as for example).
While you can set an AD account to "require smartcard login", that prevents a password from being used for ANY purpose. Microsoft clients also look for a group policy item "ScForceOption" that means a user must use a smartcard for interactive logon.
Paul
On Oct 13, 2010, at 2:59 PM, Shawn A. Geddis wrote:
Paul,
Organizations apply policy such as requiring smart cards by managing their AD. This is not something that they would do at the client side. What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client side middleware such as your ADmitMac for CAC).
The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards. Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
On Oct 13, 2010, at 3:24 PM, Paul Nelson wrote:
Shawn,
How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?
Paul
On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:
Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.
Souheil,
There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.
What method are you using today ?
Old methods still supported:
- PubKeyHash - This is a simple Hash matching between card and account
  - The user is then presented with a PIN Challenge which wraps/unwraps/verifies challenge
  - uses Private key on Card to prove ownership of card
  - uses sc_auth to update the DS with appropriate ";pubkeyhash;" and <hash> entries
- Attribute Matching - This allows for selective attributes from Smart Card Login Certificate (i.e. NT Principal Name) to be used for mapping to a single DS attribute (i.e. UserPrincipalName)
  - uses /etc/cacloginconfig.plist mapping to define lookup in DS
Mac OS X 10.6.3+
- PKINIT (initialization of Kerberos Session [TGT] with Auth from X.509 Cert)
- SSO to Directory Service of choice (i.e. AD)
Simplified explanation of process:
- System Bound to DS (i.e. AD)
- Utilizes NT Principal Name along with the Cert with EKU of Smart Card Login (1.3.6.1.4.1.311.20.2.2) -- relies on /etc/cacloginconfig.plist to reference the NTPrincipalName
- Request for Auth to KDC - acquires a TGT
- uses PKINITMechanism configured in /etc/authorization/ for Login and ScreenSaver
- Success: Access to HomeDir and subsequent Service Tickets
- ... life continues ...
Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
You probably are not configured to verify the user's smart card credentials with AD. The Mac only matches the user account, and checks the certs to see if they are trusted.
If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI. This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way. It also configures your system keychain with necessary certificates from Active Directory and group policy.
Paul Nelson
Thursby Software Systems, Inc.
On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
These machines are bound to the NIH active directory and I only care about domain users for now. I haven't had to use sc_auth; the AD lookup based on the card credentials has been working fine.
On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
> Have you tried using the sc_auth command? Is the user a domain user or a
> local user?
>
> -----Original Message-----
> From: fed-talk-bounces+usman.qureshi=unisys.com@lists.apple.com
> [mailto:fed-talk-bounces+usman.qureshi=unisys.com@lists.apple.com] On Behalf
> Of Inati, Souheil (NIH/NIMH) [E]
> Sent: Wednesday, October 13, 2010 12:15 PM
> To: fed-talk@lists.apple.com
> Subject: [Fed-Talk] Require smart card login
>
> Hi all,
>
> Does anyone know the right way to set up /etc/authorization so that users
> are REQUIRED to use a smart card?
> A Snow Leopard 10.6 only solution is sufficient.
>
> Thanks,
> Souheil
If it is the data you are looking to protect you can put it in a filevault and protect the filevault with your smartcard. This is very easy to do. I have yet to find a way to lock access to the machine to smartcard only. Then as long as the vault is not left open when the machine is unattended you will be fine.
On 10/13/2010 05:21 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
Sorry, not an option. We have terabytes of data on disks in a heterogeneous environment.
On Oct 13, 2010, at 5:37 PM, Bram Cymet wrote:
Is OS X a requirement? This can very easily be done on Linux.
On 10/13/2010 05:42 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
Hi Bram,
In our group, the workstations are split about 60/40 OS X/Linux based on user preference. Nearly all the laptops are macs. None of the scientists use windows unless they have to for specialized data acquisition systems. Like I said, heterogeneous :-)
BTW, we'll have to burn the Linux bridge too. Could you point me to how you would require PIV login on the Linux machines?
-Souheil
On Oct 13, 2010, at 5:57 PM, Bram Cymet wrote:
For local logon, use pam-pkcs11 from the OpenSC project: http://www.opensc-project.org/pam_pkcs11/
Plus the OpenSC PKCS#11 module: http://www.opensc-project.org/opensc/wiki/PKCS11
Plus, of course, OpenSC itself for the PIV support.
This will work with most PAM-enabled applications, including sudo. gksu/gksudo (which are basically GUI wrappers around sudo) had a bug where they wouldn't recognize the changed 'password' prompt, but this may be fixed in current releases.
If you're looking for PKINIT with Linux, use Russ Allbery's pam_krb5 module with a recent Heimdal or MIT Kerberos library. Configuration details depend on the version of Windows Server you're using, but are all online.
-- Tim
________________________________________
From: smartcardservices-users-bounces@lists.macosforge.org [smartcardservices-users-bounces@lists.macosforge.org] On Behalf Of Inati, Souheil (NIH/NIMH) [E] [souheil.inati@nih.gov]
Sent: Wednesday, October 13, 2010 5:26 PM
To: Bram Cymet
Cc: Shawn A. Geddis; Fed Talk; Inati, Souheil (NIH/NIMH) [E]; Smart Card Services-Users
Subject: Re: [SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
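Tim's pam_pkcs11 suggestion and Souheil's three categories of app (name/password only, name/password OR card/pin, card/pin ONLY) meet in one place on Linux: the control flag on the pam_pkcs11 line of the PAM auth stack. A `sufficient` card module leaves a password-only path open; a `required` or `requisite` card module with no password module closes it. The following is an added example, not code from the thread or from the OpenSC or pam_pkcs11 projects. It models Linux-PAM's four simple control keywords for the `auth` type only (the bracketed `[success=... default=...]` syntax is not modelled), and the two sample stacks are constructed for the example; pam_pkcs11.so and pam_unix.so are real module names but the stacks are not taken from the page.

```python
"""Classify a Linux-PAM 'auth' stack by which credential combinations it
accepts. Added example for the thread above, not project code.
Model: Linux-PAM simple control keywords (required, requisite, sufficient,
optional), 'auth' lines only. Bracketed control syntax is not modelled."""

# Constructed sample: pam_pkcs11 is 'sufficient', so a failed card check is
# ignored and pam_unix still accepts a plain password (name/password OR card).
CARD_OR_PASSWORD_STACK = """
# constructed /etc/pam.d fragment, not from the page
auth    sufficient  pam_pkcs11.so
auth    required    pam_unix.so
"""

# Constructed sample: pam_pkcs11 is 'required' and no password module is
# stacked, so only the card/PIN path can succeed (card/pin ONLY).
CARD_ONLY_STACK = """
auth    required    pam_pkcs11.so
"""

SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d fragment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2]
        if control not in SIMPLE_CONTROLS:
            raise ValueError(f"control syntax not modelled: {control}")
        entries.append((control, module))
    return entries


def evaluate(entries, outcomes):
    """Simulate the stack. `outcomes` maps module -> True/False, the result
    that module would return for the credentials the user presented.
      required   - failure marks the stack failed, later modules still run
      requisite  - failure ends the stack immediately with failure
      sufficient - success ends the stack with success unless a 'required'
                   module already failed; failure is ignored
      optional   - only decides the result when it is the only module
    """
    required_failed = False
    saw_success = False
    for control, module in entries:
        ok = outcomes.get(module, False)
        if control == "required":
            if ok:
                saw_success = True
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return False
            saw_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            if len(entries) == 1:
                return ok
    return saw_success and not required_failed


def classify(stack_text, card_module="pam_pkcs11.so", password_module="pam_unix.so"):
    """Label a stack the way the thread labels apps."""
    entries = parse_auth_stack(stack_text)
    # Scenario 1: valid card/PIN, no password. Scenario 2: password, no card.
    card_alone = evaluate(entries, {card_module: True, password_module: False})
    password_alone = evaluate(entries, {card_module: False, password_module: True})
    if card_alone and password_alone:
        return "name/password OR card/pin"
    if card_alone:
        return "card/pin only"
    if password_alone:
        return "name/password only"
    return "neither credential alone suffices"


if __name__ == "__main__":
    for name, stack in (("CARD_OR_PASSWORD_STACK", CARD_OR_PASSWORD_STACK),
                        ("CARD_ONLY_STACK", CARD_ONLY_STACK)):
        print(f"{name}: {classify(stack)}")
```

Run it against a real fragment by pasting the `auth` lines of the service in question (login, gdm, sshd, sudo) into `classify`; the "neither credential alone suffices" label is what two `required` lines (card AND password) produce, which is the two-factor-at-console case Ron describes, while `sufficient` on the card line is the "OR" case Souheil wants to avoid on the sensitive workstation.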