Re: [SmartcardServices-Users] [Tokend-Dev] PIV Auth with CRL Checks
On Jul 21, 2010, at 2:54 PM, Bram Cymet wrote:
Hi,
I hope this is the right list to send this to and if it is not please let me know where the right place would be.
I have successfully got PIV cards working for login and screensaver access under Snow Leopard. The problem I am having is that it seems to ignore the fact that Keychain Access sees the certs on the cards as being revoked.
Is it possible with the current Tokend/Smartcardservices to make it so that if a cert has been revoked that a person using that card is no longer able to log into the system? Or will I have to make some modifications to get this functionality working?
Thanks,
-- Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
Bram,
This list is specifically for Tokend Development and your question is a User Question in the use of Smart Cards on a Mac OS X System. I will cc the User's list in my response, but keep in mind that this particular list is for those "developing" a Tokend.
You will need to explain which method you are using for Client Authentication:
• PubKeyHash - Does not require that the Certificate itself has not been revoked
• Attribute Matching - Leveraging attribute(s) from the cert on the card to determine which DS Account to Authenticate against
• PKINIT (SSO to DS) - Validates the cert / cert chain locally as well as authenticates to Kerberos KDC with that Certificate.
Which method are you using?
-Shawn
__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
On 07/21/2010 03:09 PM, Shawn A. Geddis wrote:
Bram,
This list is specifically for Tokend Development and your question is a User Question in the use of Smart Cards on a Mac OS X System. I will cc the User's list in my response, but keep in mind that this particular list is for those "developing" a Tokend.
You will need to explain which method you are using for Client Authentication:
• PubKeyHash - Does not require that the Certificate itself has not been revoked
• Attribute Matching - Leveraging attribute(s) from the cert on the card to determine which DS Account to Authenticate against
• PKINIT (SSO to DS) - Validates the cert / cert chain locally as well as authenticates to Kerberos KDC with that Certificate.
Which method are you using?
-Shawn
__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
Hi Shawn,
Thanks for the response. I am using PubKeyHash at the moment, which, based on what you have written above, I guess is working the way it should be. So is PKINIT or Attribute Matching (or either of them) the Client Authentication method I should be using? Or can I make it work with PubKeyHash as well?
Thanks,
-- Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
On Jul 21, 2010, at 3:14 PM, Bram Cymet wrote:
Hi Shawn,
Thanks for the response. I am using PubKeyHash at the moment, which, based on what you have written above, I guess is working the way it should be. So is PKINIT or Attribute Matching (or either of them) the Client Authentication method I should be using? Or can I make it work with PubKeyHash as well?
Thanks,
-- Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
Bram,
PKINIT method is what you want. PKINIT is what provides full SSO to your Directory Service by Initializing your Kerberos Session (Obtaining your TGT) after authenticating to the KDC with the appropriate X.509 Certificate.
Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable it for Login. I will attempt to get draft instructions up very soon.

Add PKINIT information to /etc/authorization file
Please make sure to make a backup of the /etc/authorization file before you make any changes, as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command:

    cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`

Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or plistbuddy.

    <key>system.login.console</key>
    <dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>comment</key>
        <string>Login mechanism based rule. Not for general use, yet.</string>
        <key>mechanisms</key>
        <array>
            <string>builtin:smartcard-sniffer,privileged</string>
            <string>loginwindow:login</string>
            <string>builtin:reset-password,privileged</string>
            <string>builtin:auto-login,privileged</string>
            <string>builtin:authenticate,privileged</string>
            <string>loginwindow:success</string>
            <string>HomeDirMechanism:login,privileged</string>
            <string>HomeDirMechanism:status</string>
            <string>MCXMechanism:login</string>
            <string>PKINITMechanism:auth,privileged</string>
            <string>loginwindow:done</string>
        </array>
    </dict>

Test to verify PKINIT is working
First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:

    /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise

If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer, or by going to Terminal and typing klist.
-Shawn
__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
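The /etc/authorization edit above is the step most likely to leave a machine unbootable if done by hand, so here is an added example (not code from the thread or from the Smart Card Services project) that performs it with Python's standard plistlib: it backs the file up with the same timestamp format as the cp command, inserts PKINITMechanism:auth,privileged directly after MCXMechanism:login, refuses to touch a file whose mechanisms array it does not recognise, and checks the resulting order before writing. The sample plist is constructed from the array quoted in the thread; the top-level "rights" dict it is wrapped in is an assumption about the file layout, and patch_file is a helper of my own, not an Apple tool.

```python
"""Insert the PKINIT mechanism into a 10.6-style /etc/authorization plist.

Added example, not code from the thread: it automates the hand edit described
above, placing PKINITMechanism:auth,privileged directly after MCXMechanism:login
in the system.login.console mechanisms array, and refuses to write a file whose
layout it does not recognise.
"""
import plistlib
import shutil
from datetime import datetime

RIGHT = "system.login.console"
ANCHOR = "MCXMechanism:login"
PKINIT = "PKINITMechanism:auth,privileged"

# Constructed sample: the mechanisms array quoted in the thread, wrapped in the
# top-level "rights" dict that /etc/authorization uses (assumed file layout).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def mechanisms(plist_bytes):
    """Return the mechanisms list of the system.login.console right."""
    return plistlib.loads(plist_bytes)["rights"][RIGHT]["mechanisms"]


def add_pkinit(plist_bytes):
    """Return plist bytes with PKINIT inserted directly after the anchor.

    Idempotent: if PKINIT is already listed the input is returned unchanged.
    A file without the anchor mechanism raises instead of being rewritten.
    """
    root = plistlib.loads(plist_bytes)
    mechs = root["rights"][RIGHT]["mechanisms"]
    if PKINIT in mechs:
        return plist_bytes
    if ANCHOR not in mechs:
        raise ValueError(f"{ANCHOR} not found in {RIGHT} mechanisms")
    mechs.insert(mechs.index(ANCHOR) + 1, PKINIT)
    return plistlib.dumps(root)


def pkinit_position_ok(plist_bytes):
    """True if PKINIT follows the anchor and loginwindow:done is still last."""
    mechs = mechanisms(plist_bytes)
    if PKINIT not in mechs or ANCHOR not in mechs:
        return False
    i = mechs.index(ANCHOR)
    return (i + 1 < len(mechs) and mechs[i + 1] == PKINIT
            and mechs[-1] == "loginwindow:done")


def patch_file(path="/etc/authorization"):
    """Back up the live file (same timestamp format as the thread's cp) and patch it."""
    stamp = datetime.now().strftime("%M-%H-%m-%d-%y")
    shutil.copy2(path, f"{path}_original_{stamp}")  # backup first, as advised
    with open(path, "rb") as f:
        patched = add_pkinit(f.read())
    if not pkinit_position_ok(patched):
        raise RuntimeError("refusing to write: PKINIT not positioned as expected")
    with open(path, "wb") as f:
        f.write(patched)


if __name__ == "__main__":
    # Dry run on the constructed sample; call patch_file() as root to apply.
    for mech in mechanisms(add_pkinit(SAMPLE_PLIST)):
        print(mech)
```

Running the script without arguments only prints the patched order of the constructed sample, so the edit can be inspected before patch_file() is run against the real file; because add_pkinit is idempotent, running it twice does not produce a duplicate entry, and the position check keeps loginwindow:done as the final mechanism, matching the layout in Shawn's example.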