1) I clean installed and updated OS X Lion on an unused disk.
2) I installed the SmartCardServices Installer v2.0.b2 for Lion.
3) I used sc_auth hash and selected the first hash for use with sc_auth accept -u useraccount -h ...
4) I confirmed the hash entry with dscl . -read /Users/useraccount
5) I added builtin:smartcard-sniffer,privileged to both the system.login.console and authenticate sections of /etc/authorization

Confirmed that my Gemalto CAC card works with OS X Mail and Safari; log out and insert card, no effect; reboot, insert card, no effect.

What step did I miss? I was never inserting a reader / card on a vanilla install of OS X Lion.

Are there newer instructions on the precise location for the smartcard-sniffer entries? What log files do I look at? secure.log seems related, but I can't tell if anything in there was an error.
There are three methods for associating a Smart Card to a given user account in either the local or remote DS.

PubKey Hash - Default method used by OS X and requires sc_auth
Attribute Matching - requires /etc/cacloginconfig.plist
PKINIT - requires /etc/cacloginconfig.plist and Mac bound to a KDC

All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.

Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge. This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher. ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.

Project Site: http://smartcardservices.macosforge.org/
Installers: http://smartcardservices.macosforge.org/trac/wiki/installers
There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
I identified a problem with SystemCACertificates & Keychain: it refuses to stick in my login keychain (unless I "Add keychain"). I'm certain the proper way is for SmartCardServices to put it in the System list as shared, but it disappears after a reboot, and when I try to add it myself to the System list it refuses to stay, and if it ever does, it rapidly disappears. This should be why I see the following error in secure.log:

Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:43 mskpro authorizationhost[998]: Certificate could not be verified: 5
Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain completed with: 5

repeated 3 more times.

I haven't retried with a clean system, as the steps I outlined below failed on a clean system, and until I know for certain that these are the exact steps there is not much point.

On Feb 20, 2013, at 4:04 PM, Michael Kluskens wrote:
> 1) I clean installed and updated OS X Lion on an unused disk.
> 2) I installed the SmartCardServices Installer v2.0.b2 for Lion.
> 3) I used sc_auth hash and selected the first hash for use with sc_auth accept -u useraccount -h ...
> 4) I confirmed the hash entry with dscl . -read /Users/useraccount
> 5) I added builtin:smartcard-sniffer,privileged to both the system.login.console and authenticate sections of /etc/authorization
>
> Confirmed that my Gemalto CAC card works with OS X Mail and Safari; log out and insert card, no effect; reboot, insert card, no effect.
>
> What step did I miss? I was never inserting a reader / card on a vanilla install of OS X Lion.
>
> Are there newer instructions on the precise location for the smartcard-sniffer entries? What log files do I look at? secure.log seems related, but I can't tell if anything in there was an error.
>
> There are three methods for associating a Smart Card to a given user account in either the local or remote DS.
>
> PubKey Hash - Default method used by OS X and requires sc_auth
> Attribute Matching - requires /etc/cacloginconfig.plist
> PKINIT - requires /etc/cacloginconfig.plist and Mac bound to a KDC
>
> All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.
>
> Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge. This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher. ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.
>
> Project Site: http://smartcardservices.macosforge.org/
> Installers: http://smartcardservices.macosforge.org/trac/wiki/installers
>
> There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
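As an added example that is not part of the thread and not code from the SmartCardServices project: a POSIX shell script that checks, offline against constructed samples, the three things the poster inspected by hand, namely whether builtin:smartcard-sniffer,privileged sits in the mechanisms array of both system.login.console and authenticate in the /etc/authorization plist, whether the account's AuthenticationAuthority carries the pubkeyhash entry for the hash chosen with sc_auth hash, and how many non-zero "validate chain completed with:" results authorizationhost wrote to secure.log. The plist, the dscl output (its ;pubkeyhash;<hash> form is assumed from what sc_auth accept writes) and the hash are constructed; the log sample is the three lines quoted above plus invented ones. The sample authorization plist deliberately has the sniffer only in system.login.console, so the second check reports the partial-edit case.

```shell
#!/bin/sh
# Added example, not code from the thread or from SmartCardServices.
# All sample data below is CONSTRUCTED so the checks run without a Mac or a reader.

# Exit 0 when the <dict> of the named right (system.login.console or authenticate)
# in the authorization plist read from stdin lists builtin:smartcard-sniffer,privileged.
has_sniffer() {
    awk -v right="$1" '
        # the right opens a <dict>; track nesting so we stop at its </dict>
        $0 ~ ("<key>" right "</key>") { inright = 1; depth = 0; next }
        inright && /<dict>/  { depth++ }
        inright && /<\/dict>/ { depth--; if (depth <= 0) inright = 0 }
        inright && /<string>builtin:smartcard-sniffer,privileged<\/string>/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Exit 0 when dscl -read output on stdin carries ;pubkeyhash;<hash> for the given
# hash (ASSUMED to be the AuthenticationAuthority entry sc_auth accept writes).
has_pubkeyhash() {
    grep -q ";pubkeyhash;$1"
}

# Print how many authorizationhost "validate chain completed with: N" lines in
# secure.log text on stdin have N != 0 (the 5 seen in the thread is such a result).
chain_failures() {
    awk '/authorizationhost\[[0-9]*\]: validate chain completed with: / { if ($NF + 0 != 0) c++ }
         END { print c + 0 }'
}

# Constructed /etc/authorization fragment: sniffer present in one right only.
SAMPLE_AUTH=$(cat <<'EOF'
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>builtin:authenticate,privileged</string>
      </array>
    </dict>
    <key>authenticate</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate,privileged</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
EOF
)

SAMPLE_HASH=0A1B2C3D4E5F60718293A4B5C6D7E8F901234567   # constructed, not a real card hash
SAMPLE_DSCL=$(cat <<EOF
RecordName: useraccount
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512> ;pubkeyhash;$SAMPLE_HASH
EOF
)

# First three lines are those quoted in the thread; the rest are constructed.
SAMPLE_LOG=$(cat <<'EOF'
Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:43 mskpro authorizationhost[998]: Certificate could not be verified: 5
Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain completed with: 5
Feb 21 10:50:01 mskpro authorizationhost[1004]: validate chain completed with: 5
Feb 21 10:52:10 mskpro authorizationhost[1012]: validate chain completed with: 0
EOF
)

for right in system.login.console authenticate; do
    if printf '%s\n' "$SAMPLE_AUTH" | has_sniffer "$right"; then
        echo "$right: smartcard-sniffer present"
    else
        echo "$right: smartcard-sniffer MISSING"
    fi
done
if printf '%s\n' "$SAMPLE_DSCL" | has_pubkeyhash "$SAMPLE_HASH"; then
    echo "pubkeyhash entry present for useraccount"
fi
echo "non-zero validate chain results: $(printf '%s\n' "$SAMPLE_LOG" | chain_failures)"
```

On a real machine the same functions take live input: cat /etc/authorization into has_sniffer, dscl . -read /Users/useraccount AuthenticationAuthority into has_pubkeyhash with the hash printed by sc_auth hash, and /var/log/secure.log into chain_failures. A non-zero chain result with a missing root in the System keychain is exactly the symptom described above, so the log check is the quickest way to separate a trust-chain problem from a missing sniffer mechanism.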
Assuming there was an issue with my system, I moved all the files I wanted to keep to /Users/Shared and deleted everything else on my disk (using Terminal). I reinstalled Lion and added 6 Apple Developer certificates to my keychain. As before, SystemCACertificates refuses to stay in the System keychain list (Keychain Access->Keychain List->add...).

I installed the Apple Developer Certificates so the package would be trusted, but when I try to install SmartCard Services Update 2.0b2 I get "The installation failed. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance."

The installer logs say:

Feb 21 16:07:33 ... installd[921]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=102 "The package “Smart Card Services Update 2.0b2-Lion-signed” is untrusted." UserInfo=0x7fc441e080e0 {NSLocalizedDescription=The package “Smart Card Services Update 2.0b2-Lion-signed” is untrusted., NSURL=file://localhost/Users/.../Downloads/Smart%20Card%20Services%20Update%202.0b2-Lion-signed.pkg#cac.pkg, PKInstallPackageIdentifier=org.macosforge.SmartCardServices.cac.pkg, NSUnderlyingError=0x7fc441e06610 "The operation couldn’t be completed. CSSMERR_TP_NOT_TRUSTED"} {
    NSLocalizedDescription = "The package \U201cSmart Card Services Update 2.0b2-Lion-signed\U201d is untrusted.";
    NSURL = "file://localhost/Users/.../Downloads/Smart%20Card%20Services%20Update%202.0b2-Lion-signed.pkg#cac.pkg";
    NSUnderlyingError = "Error Domain=NSOSStatusErrorDomain Code=-2147409622 \"The operation couldn\U2019t be completed. CSSMERR_TP_NOT_TRUSTED\" UserInfo=0x7fc441e05660 {SecTrustResult=5, PKTrustLevel=PKTrustLevelNotTrusted, NSLocalizedFailureReason=CSSMERR_TP_NOT_TRUSTED}";
    PKInstallPackageIdentifier = "org.macosforge.SmartCardServices.cac.pkg";
}

It's going to take a long time for me to move all my files off this disk so I can reformat, and I'm betting I'll see the same error.
Files sitting in /Users/Shared should have no effect on the installation of OS X.