Re: [SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
Paul,

Organizations apply policy such as requiring smart cards by managing their AD. This is not something that they would do at the client side. What is managed on the client side would be any necessary mods to support the required authentication methods (ie. manage or install client side middleware such as your ADmitMac for CAC).

The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards. Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.

- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise

On Oct 13, 2010, at 3:24 PM, Paul Nelson wrote:
Shawn,
How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?
Paul
On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:
Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.
Souheil,
There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.
What method are you using today ?
Old methods still supported:

- PubKeyHash
  - This is a simple Hash matching between card and account
  - The user is then presented with a PIN Challenge which wraps/unwraps/verifies challenge
  - uses Private key on Card to prove ownership of card
  - uses sc_auth to update the DS with appropriate ";pubkeyhash;" and <hash> entries
- Attribute Matching
  - This allows for selective attributes from Smart Card Login Certificate (ie. NT Principal Name) to be used for mapping to a single DS attribute (ie. UserPrincipalName)
  - uses /etc/cacloginconfig.plist mapping to define lookup in DS
Mac OS X 10.6.3+

- PKINIT (initialization of Kerberos Session [TGT] with Auth from X.509 Cert)
  - SSO to Directory Service of choice (ie. AD)
  - simplified explanation of process:
    - System Bound to DS (ie. AD)
    - Utilizes NT Principal Name along with the Cert with EKU of Smart Card Login (1.3.6.1.4.1.311.20.2.2) -- relies on /etc/cacloginconfig.plist to reference the NTPrincipalName
    - Request for Auth to KDC - acquires a TGT
    - uses PKINITMechanism configured in /etc/authorization/ for Login and ScreenSaver
    - Success: Access to HomeDir and subsequent Service Tickets
    - ... life continues ...
Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
You probably are not configured to verify the user's smart card credentials with AD. The Mac only matches the user account, and checks the certs to see if they are trusted.
If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI. This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way. It also configures your system keychain with necessary certificates from Active Directory and group policy.
Paul Nelson
Thursby Software Systems, Inc.
On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
These machines are bound to the NIH active directory and I only care about domain users for now. I haven't had to use sc_auth, the AD lookup based on the card credentials has been working fine.
On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
Have you tried using the sc_auth command? Is the user a domain user or a local user?
-----Original Message-----
From: fed-talk-bounces+usman.qureshi=unisys.com@lists.apple.com On Behalf Of Inati, Souheil (NIH/NIMH) [E]
Sent: Wednesday, October 13, 2010 12:15 PM
To: fed-talk@lists.apple.com
Subject: [Fed-Talk] Require smart card login
Hi all,
Does anyone know the right way to set up /etc/authorization so that users are REQUIRED to use a smart card? A Snow Leopard 10.6 only solution is sufficient.
Thanks, Souheil
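Both of the card-to-account mappings Shawn lists above (attribute matching and the 10.6.3+ PKINIT path) depend on two things being readable from the card's logon certificate: the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) and the NT Principal Name that /etc/cacloginconfig.plist maps onto the directory's UserPrincipalName. The Go program below is an added example, not code from this thread, from Apple or from Thursby. It builds a constructed self-signed test certificate and then reads those two items back the way a login mechanism has to before it can look the user up; a certificate without the EKU is reported as not eligible even though it still carries a UPN. The UPN otherName OID (1.3.6.1.4.1.311.20.2.3), the ECDSA test key and the subject name are my assumptions, not something the thread states; the certificate is test data and is trusted by nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var (
	oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // EKU named in the thread
	oidUPN            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // SAN otherName type for the UPN (assumed)
	oidSAN            = asn1.ObjectIdentifier{2, 5, 29, 17}
)

// upnFromSAN walks a subjectAltName GeneralNames SEQUENCE and returns the
// UTF8String inside the first otherName whose type-id is the UPN OID.
func upnFromSAN(sanValue []byte) (string, error) {
	var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
	if _, err := asn1.Unmarshal(sanValue, &names); err != nil {
		return "", err
	}
	for _, gn := range names {
		if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
			continue // dNSName, rfc822Name, ...: not an otherName
		}
		var typeID asn1.ObjectIdentifier
		inner, err := asn1.Unmarshal(gn.Bytes, &typeID)
		if err != nil || !typeID.Equal(oidUPN) {
			continue
		}
		var upn string // value [0] EXPLICIT UTF8String
		if _, err := asn1.UnmarshalWithParams(inner, &upn, "explicit,tag:0"); err != nil {
			return "", err
		}
		return upn, nil
	}
	return "", errors.New("no UPN otherName in subjectAltName")
}

// sanWithUPN encodes SEQUENCE { otherName [0] { type-id, value [0] EXPLICIT UTF8String } }.
func sanWithUPN(upn string) []byte {
	wrap := func(class, tag int, b []byte) []byte { // constructed TLV around b
		out, _ := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: true, Bytes: b})
		return out
	}
	value, _ := asn1.MarshalWithParams(upn, "utf8")
	typeID, _ := asn1.Marshal(oidUPN)
	otherName := wrap(asn1.ClassContextSpecific, 0, append(typeID, wrap(asn1.ClassContextSpecific, 0, value)...))
	return wrap(asn1.ClassUniversal, asn1.TagSequence, otherName)
}

// NewTestLogonCert builds a constructed, self-signed certificate (test data only)
// carrying the UPN and, optionally, the Smart Card Logon EKU.
func NewTestLogonCert(upn string, withLogonEKU bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "Test Cardholder"}, // assumed test subject
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSAN, Value: sanWithUPN(upn)}},
	}
	if withLogonEKU {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSmartCardLogon}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// LogonMapping reports what the PKINIT / attribute-matching path needs from a card
// certificate: the NT Principal Name to look up in the directory, and whether
// the Smart Card Logon EKU is present.
func LogonMapping(der []byte) (upn string, smartCardLogon bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", false, err
	}
	for _, eku := range cert.UnknownExtKeyUsage { // Go has no constant for this EKU
		smartCardLogon = smartCardLogon || eku.Equal(oidSmartCardLogon)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSAN) {
			upn, err = upnFromSAN(ext.Value)
			return upn, smartCardLogon, err
		}
	}
	return "", smartCardLogon, errors.New("certificate has no subjectAltName")
}
```

LogonMapping is deliberately the only part that looks at the certificate: it does no chain validation, so in a real login mechanism it belongs after trust evaluation, not instead of it. Feeding it a certificate from a PIV or CAC card (exported DER) shows whether the card would satisfy the EKU and principal-name requirements above before any directory lookup is attempted.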
Shawn,

If the organization is requiring smartcards as an AD user object property, and the user is an admin, how would they execute a sudo command?

Also, would this mean that [by default] the Login Keychain Password is only a 6-8 digit PIN, if using a Federal PIV card? So to make the Keychain Password follow password guidelines would they have to manually change it and type it in at login?

-Ridley

Ridley DiSiena
Emerging Technology and Desktop Standards (ETADS)
ICAM Engineering
ridley.disiena@nasa.gov
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
Ridley,
If the organization is requiring smartcards as an AD user object property, and the user is an admin, how would they execute a sudo command?
Very good question. This is where there are trade offs with how an organization would proceed in managing accounts and limiting authentication methods. Mac OS X 10.6.x does not provide compiled support for Smart Card authentication for several unix commands, but remember that sudo itself is not the actual command per se that you are executing but a directive to use alternate credentials with which to execute the command that follows. Some folks have either re-compiled or added additional CLI commands which do provide support for Smart Card / Keychain authentication rather than user/pass.
Also, would this mean that [by default] the Login Keychain Password is only a 6-8 digit PIN, if using a Federal PIV card? So to make the Keychain Password follow password guidelines would they have to manually change it and type it in at login?
Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.

How do you do that ?

$ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain

I notice this does not appear in the man page for systemkeychain (ie. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this. It has been around for quite some time and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.

$ systemkeychain
Usage:	systemkeychain -C [passphrase]  # (re)create system root keychain
	systemkeychain [-k destination-keychain] -s source-keychain ...
	systemkeychain -T token-protected-keychain-name

-Shawn
________________________________________
Shawn Geddis                    T (703) 264-5103
Security Consulting Engineer    C (703) 623-9329
Apple Enterprise Division       geddis@apple.com
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
Is there a similar command which can be used to substitute a cert for the Master Password?

Seems silly to protect a single user that way if you can still use a plain old password as a go-around.

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
Is there a similar command which can be used to substitute a cert for the Master Password?
Seems silly to protect a single user that way if you can still use a plain old password as a go-around.
Henry,

I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!

Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:

Best Practices for Using FileVault
http://images.apple.com/server/macosx/docs/L416842B-US_Best_Practices_for_Us...

and a related whitepaper...

Best Practices for Data Protection
http://images.apple.com/server/macosx/docs/L416841B-US_Best_Practices_For_Da...

As a short description here.... with a longer one in the FV document noted above...

I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault. An Encrypted Container / Logical Volume (a.k.a Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths: a) successful entry of User Credentials; or b) Having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key). The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.

Methods of accessing Encrypted Container:

a) User Login
   1) Entry of Username/Password at Login
      PW -> PBKDF2: Password Based Key Derivation
      Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
      Data Key is used to encrypt/decrypt the blocks of the logical volume

b) FileVault Master
   2) Escrow of the FV Identity is usually done by IT
      Best Practice, ONLY the Public Cert remains in the FileVaultMaster.keychain
      IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
      IT unlocks access to Container and resets User Access Credential or extracts data of interest.

User Keychains can be protected by:

a) Password-based
   PBKDF2 Key generated from password used for Keychain
   User's Default keychain for an account is created using Password used for account at creation time.

b) Smart Card-based
   Key obtained from Smart Card defined when using "systemkeychain -T token-protected-keychain-name"

-Shawn
__________________________________________________
Shawn Geddis                    geddis@me.com
Security Consulting Engineer    geddis@apple.com
__________________________________________________
MacOSForge Project Lead: Smart Card Services
Web:   http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
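The two access paths Shawn describes (password -> PBKDF2 -> derived key -> unwrap the AES-128 data key, or the escrowed master private key unwrapping the same data key) are a key-wrapping hierarchy, and the reason IT can reset a user's credential during recovery without re-encrypting the volume is that only the wrapping changes. The Go program below is an added example, not Apple's FileVault code and not something from this thread, that models that hierarchy with standard-library primitives only. Assumed, because the thread does not state them: HMAC-SHA256 as the PBKDF2 PRF, AES-GCM as the wrap for the user path, RSA-OAEP to a 2048-bit key standing in for the master identity's certificate and private key, and a 16-byte data key that is returned directly rather than used to encrypt volume blocks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// deriveKEK is the first output block of PBKDF2-HMAC-SHA256 (RFC 8018), written
// out so the example needs only the standard library; 32 bytes = one AES-256 key.
func deriveKEK(password string, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := prf.Sum(nil)             // U_1
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor/seal/open wrap one key under another with AES-GCM (nonce||ciphertext);
// unwrapping with the wrong key fails authentication instead of yielding garbage.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key lengths are fixed by this program
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := gcmFor(key)
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Container models the encrypted home-directory image: one AES-128 data key
// (which would encrypt the volume blocks) wrapped under the password-derived
// key (path a) and under the master identity's public key (path b).
type Container struct {
	Salt, UserWrapped, MasterWrapped []byte
	Iterations                       int
	MasterPub                        *rsa.PublicKey // only the public half stays with the container
}

// NewMasterIdentity stands in for the FileVault Master identity; IT escrows the private half.
func NewMasterIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func NewContainer(password string, pub *rsa.PublicKey, iter int) (*Container, error) {
	dataKey, salt := randBytes(16), randBytes(16)
	mw, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Container{salt, seal(deriveKEK(password, salt, iter), dataKey), mw, iter, pub}, nil
}

// OpenWithPassword is path (a): password -> PBKDF2 -> derived key -> unwrap data key.
func (c *Container) OpenWithPassword(password string) ([]byte, error) {
	return open(deriveKEK(password, c.Salt, c.Iterations), c.UserWrapped)
}

// OpenWithMaster is path (b): the escrowed private key unwraps the data key directly.
func (c *Container) OpenWithMaster(priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, c.MasterWrapped, nil)
}

// ResetPassword is the recovery step "IT resets User Access Credential": the same
// data key is re-wrapped under a new password; the volume is not re-encrypted.
func (c *Container) ResetPassword(priv *rsa.PrivateKey, newPassword string) error {
	dataKey, err := c.OpenWithMaster(priv)
	if err != nil {
		return err
	}
	c.Salt = randBytes(16)
	c.UserWrapped = seal(deriveKEK(newPassword, c.Salt, c.Iterations), dataKey)
	return nil
}
```

The point Henry's question turns on is visible in the struct: MasterWrapped is only as strong as wherever the private half of the master identity lives, which is why the thread's advice is to escrow it and keep only the public certificate in FileVaultMaster.keychain. A recovery smart card that never exports its private key would simply be the holder of that RSA private key, with OpenWithMaster performed on the card.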
First, thanks for the document pointers! I remember you giving a verbal overview of that stuff many years ago at a WWDC, and I've been trying to find the info recently with incomplete success.

My general intent is to address these concerns:

1) In an enterprise setting using FileVault you need a way for the enterprise to gain access to the vault independent of the normal user's credentials.
2) The security of the enterprise's access credentials should be at least as good as the user's.
3) If the user's access to the vault requires a smart card that will never export its private key, then so should the enterprise's access (e.g. the FileVault Master).

Assuming my logic above is perfect and admits no alternatives ;-) then what one needs is a way to use a recovery smart card as FileVaultMaster.keychain. I suspect it's easy to create a keychain file with the public key, but without the private key of the recovery smart card. That keychain file could be installed as the FileVaultMaster.keychain file for normal use. I think the one missing piece is how to use the recovery smart card to actually do a recovery. Is there a file path for the card that could be used in the security and hdiutil commands?

Am I off base or unclear anywhere?
Shawn,

Can you answer a very simple question?

Suppose I have a smart card, and I want to create a File Vault image using my smart card as the credentials. I want to put the file vault image on a thumb drive so I can encrypt data on the thumb drive. Is there a way to create such a file vault disk? (assuming my smart card can be used for data encryption as a minimum)

Paul Nelson
Thursby Software Systems, Inc.

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (Fed-talk@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/fed-talk/nelson%40thursby.com

This email sent to nelson@thursby.com
If the original poster wanted to prevent users from logging into the Mac unless they had a smart card, they could do this the way you suggest below. However, that may prevent them from using a password with their account for other reasons (run as for example). While you can set an AD account to "require smartcard login", that prevents a password from being used for ANY purpose.

Microsoft clients also look for a group policy item "ScForceOption" that means a user must use a smartcard for interactive logon.

Paul

On Oct 13, 2010, at 2:59 PM, Shawn A. Geddis wrote:
Paul,
Organizations apply policy such as requiring smart cards by managing their AD. This is not something that they would do at the client side. What is managed on the client side would be any necessary mods to support the required authentication methods (ie. manage or install client side middleware such your ADmitMac for CAC).
The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards. Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
On Oct 13, 2010, at 3:24 PM, Paul Nelson wrote:
Shawn,
How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?
Paul
On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:
Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.
Souheil,
There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.
What method are you using today ?
Old methods still supported:
- PubKeyHash
  - This is a simple Hash matching between card and account
  - The user is then presented with a PIN Challenge which wraps/unwraps/verifies challenge
  - uses Private key on Card to prove ownership of card
  - uses sc_auth to update the DS with appropriate ";pubkeyhash;" and <hash> entries
- Attribute Matching
  - This allows for selective attributes from Smart Card Login Certificate (i.e. NT Principal Name) to be used for mapping to a single DS attribute (i.e. UserPrincipalName)
  - uses /etc/cacloginconfig.plist mapping to define lookup in DS
Mac OS X 10.6.3+
- PKINIT (initialization of Kerberos Session [TGT] with Auth from X.509 Cert)
- SSO to Directory Service of choice (i.e. AD)
simplified explanation of process
- System Bound to DS (i.e. AD)
- Utilizes NT Principal Name along with the Cert with EKU of Smart Card Login ( 1 3 6 1 4 1 311 20 2 2 )
  -- relies on /etc/cacloginconfig.plist to reference the NTPrincipalName
- Request for Auth to KDC
  - acquires a TGT
  - uses PKINITMechanism configured in /etc/authorization/ for Login and ScreenSaver
- Success: Access to HomeDir and subsequent Service Tickets
- ... life continues ...
Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
You probably are not configured to verify the user's smart card credentials with AD. The Mac only matches the user account, and checks the certs to see if they are trusted.
If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI. This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way. It also configures your system keychain with necessary certificates from Active Directory and group policy.
Paul Nelson
Thursby Software Systems, Inc.
On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
These machines are bound to the NIH active directory and I only care about domain users for now. I haven't had to use sc_auth, the AD lookup based on the card credentials has been working fine.
On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
Have you tried using the sc_auth command? Is the user a domain user or a local user?
-----Original Message-----
From: fed-talk-bounces+usman.qureshi=unisys.com@lists.apple.com [mailto:fed-talk-bounces+usman.qureshi=unisys.com@lists.apple.com] On Behalf Of Inati, Souheil (NIH/NIMH) [E]
Sent: Wednesday, October 13, 2010 12:15 PM
To: fed-talk@lists.apple.com
Subject: [Fed-Talk] Require smart card login
Hi all,
Does anyone know the right way to set up /etc/authorization so that users are REQUIRED to use a smart card? A Snow Leopard 10.6 only solution is sufficient.
Thanks, Souheil
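The PubKeyHash matching that Shawn's message above describes, as an added example that is not part of the thread and not Apple's or sc_auth's code: it parses AuthenticationAuthority values of the form ";pubkeyhash;<hash>" and matches a card's public keys against them, and also reports whether a password authority (e.g. ";ShadowHash;") still sits beside the card entry, which is the point Paul raises about card-only accounts. It assumes (not confirmed by the thread) that the hash is the upper-case hex SHA-1 of the DER-encoded public key as sc_auth hash prints it; the key bytes and account record are constructed placeholders.

```python
"""Added example (not from the thread or Apple): models the PubKeyHash match
between a card's public keys and the ';pubkeyhash;<hash>' entries sc_auth
records in a user's AuthenticationAuthority.
Assumption (not confirmed by the thread): the hash is the upper-case hex
SHA-1 of the DER-encoded public key, as sc_auth hash prints it."""
import hashlib
from typing import Dict, Iterable, List, Optional

PUBKEYHASH_TAG = "pubkeyhash"

def pubkey_hash(der_public_key: bytes) -> str:
    """Hex SHA-1 of a DER-encoded public key (assumed sc_auth convention)."""
    return hashlib.sha1(der_public_key).hexdigest().upper()

def parse_authentication_authority(values: Iterable[str]) -> Dict[str, List[str]]:
    """Group AuthenticationAuthority values by tag: ';tag;data' -> {tag: [data]}.
    Examples: ';ShadowHash;' (password) or ';pubkeyhash;<hex>' (smart card).
    Malformed values are skipped, not raised; tags compare case-insensitively."""
    parsed: Dict[str, List[str]] = {}
    for value in values:
        parts = value.split(";")
        if len(parts) < 3 or parts[0] != "":
            continue
        parsed.setdefault(parts[1].lower(), []).append(";".join(parts[2:]))
    return parsed

def match_card_to_account(card_keys: Iterable[bytes], authorities: Iterable[str]) -> Optional[str]:
    """Return the recorded hash of the first card key listed for the account, else None.
    This only proves the card carries a listed public key; proving possession of
    the private key is the separate PIN challenge step and is not modelled here."""
    recorded = {h.upper() for h in parse_authentication_authority(authorities).get(PUBKEYHASH_TAG, [])}
    for key in card_keys:
        digest = pubkey_hash(key)
        if digest in recorded:
            return digest
    return None

def password_path_still_open(authorities: Iterable[str]) -> bool:
    """True if any non-pubkeyhash authority (ShadowHash, Kerberosv5, ...) remains,
    i.e. adding a pubkeyhash entry alone does not make the account card-only."""
    return any(tag != PUBKEYHASH_TAG for tag in parse_authentication_authority(authorities))

# Constructed sample data (placeholders, not a real card key or account record).
SAMPLE_CARD_KEY = b"constructed DER public key bytes - not a real key"
SAMPLE_ACCOUNT = [";ShadowHash;", ";pubkeyhash;" + pubkey_hash(SAMPLE_CARD_KEY)]

if __name__ == "__main__":
    print("matched:", match_card_to_account([b"other card key", SAMPLE_CARD_KEY], SAMPLE_ACCOUNT))
    print("password still usable:", password_path_still_open(SAMPLE_ACCOUNT))
```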
AD's 'Require smartcard for interactive logon' applies only to Kerberos authentications. Systems and services that accept NTLM authentication will still happily accept a password from a client even when this option is set.
-- Tim
________________________________
From: fed-talk-bounces+tmiller=mitre.org@lists.apple.com [fed-talk-bounces+tmiller=mitre.org@lists.apple.com] On Behalf Of Paul Nelson [nelson@thursby.com]
Sent: Wednesday, October 13, 2010 3:17 PM
To: Shawn A.Geddis
Cc: Qureshi, Usman; Fed Talk; Smart Card Services-Users
Subject: Re: [Fed-Talk] Re: Require smart card login
On 10/13/10 3:59 PM, Shawn A. Geddis wrote:
Organizations apply policy such as requiring smart cards by managing their AD. This is not something that they would do at the client side. What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client side middleware such as your ADmitMac for CAC).
The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards. Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
Shawn,
I could definitely see a use case for smartcard only at console to require two-factor authentication for a client box. I see a different use case for requiring only a smartcard ever for that account. I could certainly see a different use depending on what type of data the client processes and whether it is a mobile workstation or a smartphone. On or off for the user account only is not sufficient.
--
***************************************************************
Ron Colvin CISSP, CEH
Enterprise Integration Engineer, Security Analyst
Code 700 DCSE Code 100 & 110
NASA - Goddard Space Flight Center <ron.colvin@nasa.gov>
Direct phone 301-286-2451
NASA Jabber (rdcolvin@im.nasa.gov)
AIM rcolvin13
NASA LCS (ronald.d.colvin@nasa.gov)
****************************************************************
participants (7)
- Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]
- Henry B. Hotz
- Miller, Timothy J.
- Paul Nelson
- Ron Colvin
- Shawn A. Geddis
- Shawn Geddis