[SmartcardServices-Users] [Tokend-Dev] PIV Auth with CRL Checks

Shawn A. Geddis geddis at mac.com
Wed Jul 21 12:42:15 PDT 2010


On Jul 21, 2010, at 3:14 PM, Bram Cymet wrote:
> Hi Shawn,
> 
> Thanks for the response. I am using PubKeyHash at the moment. Which
> based on what you have written above I guess it is working the way it
> should be. So is PKINIT or Attribute Matching or either the Client
> Authentication method I should be using? Or can I make it work with
> PubKeyHash as well?
> 
> Thanks,
> 
> -- 
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752


Bram,

The PKINIT method is what you want.  PKINIT is what provides full SSO to your Directory Service by initializing your Kerberos session (obtaining your TGT) after authenticating to the KDC with the appropriate X.509 Certificate.  Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable it for login.  I will attempt to get draft instructions up very soon.

Add PKINIT information to /etc/authorization file

Please make sure to make a backup of the /etc/authorization file before you make any changes as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command: 

cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`

Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or PlistBuddy.

<key>system.login.console</key>
	<dict>
		<key>class</key>
		<string>evaluate-mechanisms</string>
		<key>comment</key>
		<string>Login mechanism based rule.  Not for general use, yet.</string>
		<key>mechanisms</key>
		<array>
			<string>builtin:smartcard-sniffer,privileged</string>
			<string>loginwindow:login</string>
			<string>builtin:reset-password,privileged</string>
			<string>builtin:auto-login,privileged</string>
			<string>builtin:authenticate,privileged</string>
			<string>loginwindow:success</string>
			<string>HomeDirMechanism:login,privileged</string>
			<string>HomeDirMechanism:status</string>
			<string>MCXMechanism:login</string>
			<string>PKINITMechanism:auth,privileged</string>
			<string>loginwindow:done</string>
		</array>
	</dict>



Test to verify PKINIT is working

First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:

/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise

If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer, or by going to Terminal and typing klist.



-Shawn
__________________________________________________
Shawn Geddis                    geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:        Smart Card Services
    Web:    http://smartcardservices.macosforge.org/
    Lists:  http://lists.macosforge.org/mailman/listinfo
__________________________________________________
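An added example, not part of Shawn's message or the Smart Card Services project: a Python 3 script (standard-library plistlib only) that performs the /etc/authorization edit described above on a constructed copy of the system.login.console rule, inserting PKINITMechanism:auth,privileged directly after MCXMechanism:login, refusing to guess a position if the rule or the anchor entry is not as expected, and doing nothing on a second run. The sample plist and the function names are assumptions; run the real edit only on a backed-up copy, as the message advises.

```python
import plistlib

# Constructed sample, not a real /etc/authorization: just the login rule from the message.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""
RULE = "system.login.console"
ANCHOR = "MCXMechanism:login"
PKINIT = "PKINITMechanism:auth,privileged"


def mechanisms(plist_bytes):
    """Mechanism list of the console login rule (hypothetical helper name)."""
    return plistlib.loads(plist_bytes)["rights"][RULE]["mechanisms"]


def add_pkinit_mechanism(plist_bytes):
    """Return (new_plist_bytes, changed) with PKINIT inserted right after ANCHOR.
    Idempotent; raises ValueError instead of guessing if the rule/anchor is unexpected."""
    data = plistlib.loads(plist_bytes)
    rule = data["rights"][RULE]
    if rule.get("class") != "evaluate-mechanisms":
        raise ValueError("%s is not an evaluate-mechanisms rule" % RULE)
    mechs = rule["mechanisms"]
    if PKINIT in mechs:
        return plist_bytes, False  # already configured: leave the file untouched
    if ANCHOR not in mechs:
        raise ValueError("anchor %s not found in %s" % (ANCHOR, RULE))
    mechs.insert(mechs.index(ANCHOR) + 1, PKINIT)
    return plistlib.dumps(data), True
```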
