Hi,

I looked into using a Smart Card for authentication purposes in my SOHO, but came away disappointed by its interaction with Keychain Access. Specifically, because it took the top position in the Keychain list, it assumed the Login keychain's duties; but because I was unable to store passwords directly on the Smart Card (e.g. wifi passwords) I found myself having to authenticate a second time, to the Login keychain. In the meantime, there was no automatic authentication of login services such as connecting to wifi or mounting of secure disk images.

So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?

At the moment, I'm not concerned with any particular Smart Card or software solution, I'm more interested in knowing whether it's actually possible.

Regards.
I'm thinking there must be something peculiar about the tokend or card you're using, because I've been using smart cards through CDSA for years without this particular problem arising.

Unless you're using a stored-value card, you're not going to be able to update data on a smart card. That's usually reserved for the token manager, since mucking with card data is inherently a security critical operation. Stored-value cards aren't the best idea for the same reason.

-- T

On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
Hi,
I looked into using a Smart Card for authentication purposes in my SOHO, but came away disappointed by its interaction with Keychain Access. Specifically, because it took the top position in the Keychain list, it assumed the Login keychain's duties; but because I was unable to store passwords directly on the Smart Card (eg. wifi passwords) I found myself having to authenticate a second time, to the Login keychain. In the meantime, there was no automatic authentication of login services such as connecting to wifi or mounting of secure disk images.
So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
At the moment, I'm not concerned with any particular Smart Card or software solution, I'm more interested in knowing whether it's actually possible.
Regards.

_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
If you don't mind, I'm going to quote from Apple's "Mac OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard" document:

"Snow Leopard integrates support for hardware-based smart cards as dynamic keychains where any application using keychains can access that smart card. A smart card can be thought of as a portable protected keychain. Smart cards are seen by the operating system as dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects. When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they appear at the top of the keychain list alphabetically as separate keychains." (p.136)

This encouraged me to believe that the behaviour I was seeing, regarding my Smart Card displacing my Login keychain, was both normal and expected behaviour. So, how exactly does your Smart Card interact with Keychain Access? Does it appear at all in the list of Keychains? If not, perhaps there's a low-level setting I can toggle to prevent it appearing.

S.

On 29 February 2012 13:24, Miller, Timothy J. <tmiller@mitre.org> wrote:
I'm thinking there must be something peculiar about the tokend or card you're using, because I've been using smart cards through CDSA for years without this particular problem arising.
Unless you're using a stored-value card, you're not going to be able to update data on a smart card. That's usually reserved for the token manager, since mucking with card data is inherently a security critical operation. Stored-value cards aren't the best idea for the same reason.
-- T
You initially asked:
So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
Per the document you quote, this is not permitted for smartcard-based keychains.

So now I'm confused what you're actually asking. You're observing the documented behavior, so what's the problem?

-- T

On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
If you don't mind, I'm going to quote from Apple's "Mac OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard" document:
"Snow Leopard integrates support for hardware-based smart cards as dynamic keychains where any application using keychains can access that smart card. A smart card can be thought of as a portable protected keychain. Smart cards are seen by the operating system as dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects. When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they appear at the top of the keychain list alphabetically as separate keychains." (p.136)
This encouraged me to believe that the behaviour I was seeing, regarding my Smart Card displacing my Login keychain, was both normal and expected behaviour. So, how exactly does your Smart Card interact with Keychain Access? Does it appear at all in the list of Keychains? If not, perhaps there's a low-level setting I can toggle to prevent it appearing.
S.
I assume you're referring to the following line:
They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects.
I would respond: what's the point of adding the Smart Card to keychain access if it cannot store Keychain Access-recognized objects? Because it seemed such a ludicrous thing to implement, I assumed that, "can’t add other secure objects," simply referred to Keychain Access. I presumed that it might be possible to add Keychain Access-compatible objects using another method.

I'm a lay user, considering Smart Cards for a SOHO, not a government IT professional. Clearly I'm missing some vital reason why the Smart Card should show up as a Dynamic Keychain. I'd be grateful if someone could explain this to me.

S.

On 29 February 2012 17:17, Miller, Timothy J. <tmiller@mitre.org> wrote:
You initially asked:
So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
Per the document you quote, this is not permitted for smartcard-based keychains.
So now I'm confused what you're actually asking. You're observing the documented behavior, so what's the problem?
-- T
The main reason is so you can use it to log into web servers that require two factor authentication. Smart cards are mainly used in the industry to store an X509 cert plus the private key that goes with it. The combination of these provides you with a "digital identity" that has advantages over using a password.

Two browsers for the Mac can make use of these: Safari and Chrome.

I think that you would be fine if you simply change your login keychain password to match the PIN on your smart card, then think of your smart card as a physical key that you can't make a copy of and give to someone else. Be aware that you will probably make the password for your login keychain weaker by doing this. Apple has some hooks to encrypt and decrypt your login keychain, but they are very obscure and I don't think they work with a master key in case your smart card is destroyed.

The infrastructure on a Mac is still not ready to do much more than this.

Paul Nelson
Thursby Software Systems, Inc.

On Feb 29, 2012, at 11:33 AM, SB Tech wrote:
I assume you're referring to the following line:
They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects.
I would respond: what's the point of adding the Smart Card to keychain access if it cannot store Keychain Access-recognized objects? Because it seemed such a ludicrous thing to implement, I assumed that, "can’t add other secure objects," simply referred to Keychain Access. I presumed that it might be possible to add Keychain Access-compatible objects using another method.
I'm a lay user, considering Smart Cards for a SOHO, not a government IT professional. Clearly I'm missing some vital reason why the Smart Card should show up as a Dynamic Keychain. I'd be grateful if someone could explain this to me.
S.
Since I manage the Smart Card Services Project and have been supporting Smart Cards on OS X for many years now, please allow me to attempt to clear up your confusion and some misinformation that has been shared on this thread. I think the best way to address this and ensure complete coverage is to take your points one at a time along with responses you received and comment accordingly.

On Feb 18, 2012, at 1:05 PM, SB Tech wrote:

Hi, I looked into using a Smart Card for authentication purposes in my SOHO, but came away disappointed by its interaction with Keychain Access. Specifically, because it took the top position in the Keychain list, it assumed the Login keychain's duties;
I think you may be confused between what you are seeing and what is actually happening on your system with respect to Smart Cards, Keychains generically and specifically your Login Keychain. Keychain Access is a tool for the viewing and manipulation of Credential Stores a.k.a. “Keychains" and their contents. Smart Cards are abstracted into OS X's Credential Stores (Keychains) which appear as a dynamic keychain — they come and go with the insertion and removal of the card. The Keychain Entry you see in Keychain Access List represents the Smart Card while the main panel will reveal the contents of the smart card (Certificates and Keys). Smart Card(s) appear at the top of the Keychain Access List.
but because I was unable to store passwords directly on the Smart Card (eg. wifi passwords) I found myself having to authenticate a second time, to the Login keychain.
You would not be able to store new security tokens (i.e. passwords) on the Smart Card, since by design they are managed by Card Management Systems external to your own computer. Smart Cards are a protected container for your corporate provisioned X.509 Identities and usually also include some personal content included by the issuer.

The Smart Card Keychain is separate from your Login Keychain. A Login keychain is created when any user account is created on the OS X system and stored inside the user’s account path — /Users/<user>/Library/Keychains/login.keychain

If you are using a Smart Card to login to your computer, the “login.keychain” would simply be another keychain for you that would of course need to be unlocked to store/retrieve any private information (i.e. passwords, private keys, etc.).

The Default keychain is any user's keychain configured to be, well, the default keychain. This means that anytime information needs to be added (such as the automatic gleaning of certificates from signed email messages you receive in Mail) those items are added to that keychain without interrupting the user (as long as it is unlocked). The Default Keychain can be assigned to any USER keychain other than a Smart Card (hardware tokend) and is set initially to be the automatically created “login.keychain”. You know which keychain is set as the Default keychain because its name appears in BOLD within the Keychain Access Keychain List.
In the meantime, there was no automatic authentication of login services such as connecting to wifi or mounting of secure disk images.
If you wanted authentication to any service such as Wifi, you would need to configure the Wifi authentication to use an identity from your Smart Card. Once you authenticate at the Login window, your Smart Card would remain unlocked (until you pull the card or you lock the screen) and be used for the wi-fi authentication without further interaction by you. You would configure WiFi to use 802.1X using EAP-TLS.
So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card “dynamic keychain" can more fully perform the functions required on login?
Keychain Access-specific data? Again, I think you have a misunderstanding of what you are trying to do and what the technology is used for. A “Dynamic Keychain” is not something you configure or alter or need to modify. It simply means that the Keychain appears and can be used when the smart card is inserted in the reader and recognized and disappears when the card is removed from the reader — hence “dynamic”. Other than that, there is nothing you need to think of with respect to “Dynamic Keychain”. A “Dynamic Keychain” does not mean it is used for Login. You are confusing the fact that you want to Log into your computer with your Smart Card with the fact that the Smart Card just happens to be a “Dynamic Keychain”. What “Keychain Access-specific data" are you thinking you need to place on the card?
At the moment, I'm not concerned with any particular Smart Card or software solution, I'm more interested in knowing whether it’s actually possible.
Smart Cards have been used for both Login and authentication on OS X for many years now. Then you followed up ... on the FedTalk List with...
It turns out I left out some crucial information: the scenario below regards logging into computers using a Smart Card.
Yes, this was a major omission, but one I think we all assumed you meant anyway. Smart Cards have been used for both Login and authentication on OS X for many years now, so that is not in question.
Given this information, can anyone using such a method enlighten me on how they get round the kludge of the Smart Card dynamic keychain displacing the Login keychain?
“Kludge”? Again, I think there is a misunderstanding of how smart cards work and also what and how Keychains work on OS X. I would refer you to my earlier comments about what a Dynamic Keychain is and using a Smart Card to Login to your computer. I can have many Smart Cards attached to my OS X system at any one time and all of them appear as Dynamic Keychains, but you would only login with one of them.

On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
If you don't mind, I'm going to quote from Apple's "Mac OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard" document:
[snip]
This encouraged me to believe that the behaviour I was seeing, regarding my Smart Card displacing my Login keychain, was both normal and expected behavior.
A Smart Card does not displace a Login Keychain.
So, how exactly does your Smart Card interact with Keychain Access? Does it appear at all in the list of Keychains?
As stated earlier, Keychain Access is a Tool for manipulating Keychains (typically but not limited to file-based keychains), but you are getting confused with Keychain Access and Your Smart Card being used for Login. Under normal conditions, you would not even need to look at Keychain Access.
If not, perhaps there's a low-level setting I can toggle to prevent it appearing.
Might be better to forget Keychain Access is there for your current purposes. It seems to be the root cause of your confusion.

On Feb 29, 2012, at 11:33 AM, SB Tech wrote:
I assume you're referring to the following line:
They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects.
I would respond: what's the point of adding the Smart Card to keychain access if it cannot store Keychain Access-recognized objects?
Smart Cards are “listed” in Keychain Access to give you the ability of viewing the contents of the card, resetting the PIN, setting Identity Preferences, etc. “Smart Cards as Keychains” is the core reason that ANY Application that leverages the Keychain APIs can utilize a Smart Card without even needing to know it is a Smart Card or performing complex communication with the card. Applications just communicate to any and all Keychains via the Keychain APIs.
Because it seemed such a ludicrous thing to implement, I assumed that, "can’t add other secure objects," simply referred to Keychain Access.
You started this thread out by asking about the use of Smart Cards. It can be quite daunting to people new to them, but it does require an understanding that one significant security benefit of a Smart Card is that the end user cannot modify the contents of the card. It is personalized using a Card Management System (CMS) by authorized administrators who are granted the ability to issue Smart Cards and the Identities on them. If you really want/need to use a Smart Card for Login, you will want to spend some time learning more about the significant infrastructure necessary to issue and manage them. There are many proprietary Smart Cards, but you are best served by looking to a CMS that would allow you to issue PIV compliant cards (there are actually multiple variants of PIV dependent on, say, who is issuing the card - i.e. a US Government Agency).
I presumed that it might be possible to add Keychain Access-compatible objects using another method.
What Keychain Access-compatible objects are you thinking of? Passwords? Private Keys? Internet Passwords, Web Form Passwords, etc.? Again, think of a Smart Card as a “Read Only” Keychain. This is a characteristic of Smart Cards, not just of Smart Cards as Keychains on OS X.
I'm a lay user, considering Smart Cards for a SOHO, not a government IT professional. Clearly I'm missing some vital reason why the Smart Card should show up as a Dynamic Keychain. I'd be grateful if someone could explain this to me.
Are you sure you want/need to use a Smart Card? What characteristics or capabilities were you looking for that led you to Smart Cards?

- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division

On Feb 29, 2012, at 12:55 PM, Paul Nelson wrote:
The main reason is so you can use it to log into web servers that require two factor authentication. Smart cards are mainly used in the industry to store an X509 cert plus the private key that goes with it. The combination of these provides you with a "digital identity" that has advantages over using a password.
Two browsers for the Mac can make use of these: Safari and Chrome.
I think that you would be fine if you simply change your login keychain password to match the PIN on your smart card, then think of your smart card as a physical key that you can't make a copy of and give to someone else. Be aware that you will probably make the password for your login keychain weaker by doing this. Apple has some hooks to encrypt and decrypt your login keychain, but they are very obscure and I don't think they work with a master key in case your smart card is destroyed.
The infrastructure on a Mac is still not ready to do much more than this.
Paul Nelson
Thursby Software Systems, Inc.
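Shawn's point above is that the smart card keychain sits beside the login keychain rather than replacing it, and that the default keychain (shown in bold in Keychain Access) stays a file-based user keychain. The following script is an added example, not code from anyone on this thread; it uses the macOS `security` tool (`security list-keychains` and `security default-keychain`, both of which print one quoted path per line) to show the keychain search list and check that the default keychain is still the user's login keychain. The parsing is separated from the live calls so it can be exercised against a constructed sample; the user name `alice` in the sample is made up.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the keychain search list and the
# default keychain with the macOS `security` tool, and confirm that the default
# is still the user's file-based login keychain after a smart card is inserted.
# The parsing functions take command output as text so they can be exercised
# offline against the constructed sample at the bottom.

# `security` prints each keychain path indented and wrapped in double quotes,
# one per line; strip the indentation and the quotes.
unquote_paths() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Given the raw output of `security default-keychain`, return the bare path.
default_keychain_path() {
    printf '%s\n' "$1" | unquote_paths | head -n 1
}

# Succeed (exit 0) when the path is a user login keychain. Older OS X names the
# file login.keychain; newer macOS versions use login.keychain-db.
is_login_keychain() {
    case "$1" in
        */Library/Keychains/login.keychain|*/Library/Keychains/login.keychain-db)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Given the raw output of `security list-keychains`, count the entries in the
# keychain search list (a smart card keychain shows up here while inserted).
search_list_count() {
    printf '%s\n' "$1" | unquote_paths | grep -c . || true
}

# Run the real commands and report. Only called when `security` exists, i.e.
# on a Mac; elsewhere the script just defines the functions above.
report_live() {
    list=$(security list-keychains)
    def=$(security default-keychain)
    echo "Keychain search list ($(search_list_count "$list") entries):"
    printf '%s\n' "$list"
    defpath=$(default_keychain_path "$def")
    if is_login_keychain "$defpath"; then
        echo "Default keychain is the login keychain: $defpath"
    else
        echo "WARNING: default keychain is not login.keychain: $defpath"
    fi
}

# Constructed sample of `security default-keychain` output (not captured from
# a real machine; the user name is invented).
SAMPLE_DEFAULT='    "/Users/alice/Library/Keychains/login.keychain"'

if command -v security >/dev/null 2>&1; then
    report_live
fi
```

If the warning line appears, the default keychain has been changed to something other than login.keychain; `security default-keychain -s ~/Library/Keychains/login.keychain` sets it back. Inserting or removing the card should change the search-list count but never the default keychain path, which is the behaviour Shawn describes.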
Are you sure you want/need to use a Smart Card? What characteristics or capabilities were you looking for that led you to Smart Cards?

I simply wanted a way to log in securely to a work notebook used in the field that would obviate the need to remember a complicated and lengthy password. The Smart Card solution fell short of this requirement because entering the PIN on login failed to unlock the default keychain, so that several login services I rely on (automatic connections to remembered wifi networks, mounting of encrypted disk images) failed to work without the unlocking of the default keychain.

I learned I could use the same PIN on my default keychain as used on the Smart Card during login to get around this, but this weakened the password on the default keychain too much. It also raised the issue that, should the Smart Card be unavailable, logging in would once again require the manual unlock of the default keychain. So, I discarded this workaround as unsatisfactory.

Hence my pursuit of a way to store Keychain Access-recognizable objects directly on the Smart Card, so that login services would have access to them when I log in with the Smart Card. My logic has led me to assume this to be the most appropriate way to solve this problem. So far as I understand it, the Smart Card cannot be used to single-handedly authenticate to every service that might have its password stored in the default keychain.

It's true that, along the way, I've failed to understand quite a few things, and this has made things harder (both for me and for those who attempt to help). Hopefully we can move past that.
This is just my opinion, so use it at your own risk ;)

If you are using a data at rest encryption solution like FileVault 2 (which you really should if you are concerned about security on a laptop you take to the field), having the login keychain encrypted with a PIN is probably not that big a deal. Somebody would have to get past the disk encryption before they could try to brute force your login keychain. Of course that comes back to the whole issue of having to use a strong password for FileVault 2, since I don't think there's any way to use a smart card at the preboot screen (yet?).

There supposedly is a way to encrypt your keychain with the actual key on the smart card rather than just the PIN, but it involves some command line steps and I've never actually gotten it to work. That also sounds like it wouldn't be ideal for you though, because if you didn't log in with your smart card, there would be no way at all to unlock the keychain.

What it boils down to is that you can't use multiple ways of logging in (username/pass, smart card) and have the login keychain unlock automatically with all of those ways. Keychains only support one way of unlocking them at a time.

-Brian

On Mar 4, 2012, at 10:23 AM, SB Tech wrote:

Are you sure you want/need to use a Smart Card? What characteristics or capabilities were you looking for that led you to Smart Cards?
I simply wanted a way to log in securely to a work notebook used in the field that would obviate the need to remember a complicated and lengthy password. The Smart Card solution fell short of this requirement because entering the PIN on login failed to unlock the default keychain, so that several login services I rely on (automatic connections to remembered wifi networks, mounting of encrypted disk images) failed to work without the unlocking of the default keychain.
I learned I could use the same PIN on my default keychain as used on the Smart Card during login to get around this, but this weakened the password on the default keychain too much. It also raised the issue that, should the Smart Card be unavailable, logging in would once again require the manual unlock of the default keychain. So, I discarded this workaround as unsatisfactory
Hence my pursuit of a way to store Keychain Access-recognizable objects directly on the Smart Card, so that login services would have access to them when I log in with the Smart Card. My logic has led me to assume this to be the most appropriate way to solve this problem. So far as I understand it, the Smart Card cannot be used to single-handedly authenticate to every service that might have its password stored in the default keychain.
It's true that, along the way, I've failed to understand quite a few things, and this has made things harder (both for me and for those who attempt to help). Hopefully we can move past that. _______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
I think that SB was using a smart card to log into the mac. When this happens, the password or PIN used to unlock the card is also used to attempt to unlock the login keychain. If the user account was already in use before the smart card was configured for login, it is unlikely that the card's PIN matches the login keychain password.

1) The login keychain requires a password to unlock it. Apple's user login (via the authorization mechs) does know how to unlock the login keychain unless the password/PIN you enter in the login window is the right keychain password.
2) I am not aware of any tokend for MacOS that allows writing to the card.
3) Connecting to services, otherwise known as single sign-on, depends on the service. For WiFi, you might get the smart card to work, but I never have. For file servers, you probably need Kerberos with PKINIT support. My company has a product that handles this. Apple has their own solution too.

Apple's smart card system involves a number of components that make a smart card appear in the list of keychains for a user:
a) securityd - the central security service on the mac
b) pcscd - the PCSC software that provides a framework for smart card developers to use to communicate with a smart card in a standard card reader
c) tokend - the "middleware" that knows how to communicate with a specific kind of smart card. This is basically a CDSA architecture piece on one side, and a PCSC user on the other. 10.6 ships some, 10.7 does not.

The CDSA architecture piece is wrapped up in a private framework named SecurityTokend. The SecurityTokend stuff is extremely complex, and it is no surprise that Apple wants to lose the CDSA in future operating systems.

Paul Nelson
Thursby Software Systems, Inc.

On Feb 29, 2012, at 11:17 AM, Miller, Timothy J. wrote:
> You initially asked:
>
> > So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
>
> Per the document you quote, this is not permitted for smartcard-based keychains.
>
> So now I'm confused what you're actually asking. You're observing the documented behavior, so what's the problem?
>
> -- T
>
> On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
> > If you don't mind, I'm going to quote from Apple's "Mac OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard" document:
> >
> > "Snow Leopard integrates support for hardware-based smart cards as dynamic keychains where any application using keychains can access that smart card. A smart card can be thought of as a portable protected keychain. Smart cards are seen by the operating system as dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects. When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they appear at the top of the keychain list alphabetically as separate keychains." (p.136)
> >
> > This encouraged me to believe that the behaviour I was seeing, regarding my Smart Card displacing my Login keychain, was both normal and expected behaviour. So, how exactly does your Smart Card interact with Keychain Access? Does it appear at all in the list of Keychains? If not, perhaps there's a low-level setting I can toggle to prevent it appearing.
> >
> > S.
> >
> > On 29 February 2012 13:24, Miller, Timothy J. <tmiller@mitre.org> wrote:
> > > I'm thinking there must be something peculiar about the tokend or card you're using, because I've been using smart cards through CDSA for years without this particular problem arising.
> > >
> > > Unless you're using a stored-value card, you're not going to be able to update data on a smart card. That's usually reserved for the token manager, since mucking with card data is inherently a security critical operation. Stored-value cards aren't the best idea for the same reason.
> > >
> > > -- T
> > >
> > > On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
> > > > Hi,
> > > >
> > > > I looked into using a Smart Card for authentication purposes in my SOHO, but came away disappointed by its interaction with Keychain Access. Specifically, because it took the top position in the Keychain list, it assumed the Login keychain's duties; but because I was unable to store passwords directly on the Smart Card (eg. wifi passwords) I found myself having to authenticate a second time, to the Login keychain. In the meantime, there was no automatic authentication of login services such as connecting to wifi or mounting of secure disk images.
> > > >
> > > > So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
> > > >
> > > > At the moment, I'm not concerned with any particular Smart Card or software solution, I'm more interested in knowing whether it's actually possible.
> > > >
> > > > Regards.
> I think that SB was using a smart card to log into the mac.

You're right, I forgot to mention that. And your subsequent analysis of what happens as a result is spot on - that is the problem I experience. A workaround is to change the Login keychain password to match the PIN of the Smart Card - but this creates the problem where, should you choose to log in with a password (perhaps because you have misplaced or damaged your smart card) you, once again, have to log in a second time to the Login keychain. Furthermore, the Login keychain now has a _very_ poor password protecting it. It's a fudge.

> it is no surprise that Apple wants to lose the CDSA in future operating systems.

I don't suppose there's any information, not covered by NDA, that anyone can share regarding the future of Smart Cards on OS X? On Apple's fedtalk mailing list, I was advised that it may be largely third-party in the future (though I may have misunderstood/recalled poorly).

S.

On 29 February 2012 17:46, Paul Nelson <nelson@thursby.com> wrote:
> I think that SB was using a smart card to log into the mac. When this happens, the password or PIN used to unlock the card is also used to attempt to unlock the login keychain. If the user account was already in use before the smart card was configured for login, it is unlikely that the card's PIN matches the login keychain password.
>
> 1) The login keychain requires a password to unlock it. Apple's user login (via the authorization mechs) does know how to unlock the login keychain unless the password/PIN you enter in the login window is the right keychain password.
> 2) I am not aware of any tokend for MacOS that allows writing to the card.
> 3) Connecting to services, otherwise known as single sign-on, depends on the service. For WiFi, you might get the smart card to work, but I never have. For file servers, you probably need Kerberos with PKINIT support. My company has a product that handles this. Apple has their own solution too.
>
> Apple's smart card system involves a number of components that make a smart card appear in the list of keychains for a user:
> a) securityd - the central security service on the mac
> b) pcscd - the PCSC software that provides a framework for smart card developers to use to communicate with a smart card in a standard card reader
> c) tokend - the "middleware" that knows how to communicate with a specific kind of smart card. This is basically a CDSA architecture piece on one side, and a PCSC user on the other. 10.6 ships some, 10.7 does not.
>
> The CDSA architecture piece is wrapped up in a private framework named SecurityTokend. The SecurityTokend stuff is extremely complex, and it is no surprise that Apple wants to lose the CDSA in future operating systems.
>
> Paul Nelson
> Thursby Software Systems, Inc.
> On Feb 29, 2012, at 11:17 AM, Miller, Timothy J. wrote:
>
> > You initially asked:
> >
> > > So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
> >
> > Per the document you quote, this is not permitted for smartcard-based keychains.
> >
> > So now I'm confused what you're actually asking. You're observing the documented behavior, so what's the problem?
> >
> > -- T
> > On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
> >
> > > If you don't mind, I'm going to quote from Apple's "Mac OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard" document:
> > >
> > > "Snow Leopard integrates support for hardware-based smart cards as dynamic keychains where any application using keychains can access that smart card. A smart card can be thought of as a portable protected keychain. Smart cards are seen by the operating system as dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects. When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they appear at the top of the keychain list alphabetically as separate keychains." (p.136)
> > >
> > > This encouraged me to believe that the behaviour I was seeing, regarding my Smart Card displacing my Login keychain, was both normal and expected behaviour. So, how exactly does your Smart Card interact with Keychain Access? Does it appear at all in the list of Keychains? If not, perhaps there's a low-level setting I can toggle to prevent it appearing.
> > >
> > > S.
> > >
> > > On 29 February 2012 13:24, Miller, Timothy J. <tmiller@mitre.org> wrote:
> > > > I'm thinking there must be something peculiar about the tokend or card you're using, because I've been using smart cards through CDSA for years without this particular problem arising.
> > > >
> > > > Unless you're using a stored-value card, you're not going to be able to update data on a smart card. That's usually reserved for the token manager, since mucking with card data is inherently a security critical operation. Stored-value cards aren't the best idea for the same reason.
> > > >
> > > > -- T
> > > >
> > > > On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
> > > > > Hi,
> > > > >
> > > > > I looked into using a Smart Card for authentication purposes in my SOHO, but came away disappointed by its interaction with Keychain Access. Specifically, because it took the top position in the Keychain list, it assumed the Login keychain's duties; but because I was unable to store passwords directly on the Smart Card (eg. wifi passwords) I found myself having to authenticate a second time, to the Login keychain. In the meantime, there was no automatic authentication of login services such as connecting to wifi or mounting of secure disk images.
> > > > >
> > > > > So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card "dynamic keychain" can more fully perform the functions required on login?
> > > > >
> > > > > At the moment, I'm not concerned with any particular Smart Card or software solution, I'm more interested in knowing whether it's actually possible.
> > > > >
> > > > > Regards.
participants (5)
- Brian Reese
- Miller, Timothy J.
- Paul Nelson
- SB Tech
- Shawn Geddis