[SmartcardServices-Users] OpenDirectory and CAC

Mike Hjorleifsson mikeh at go4cast.com
Thu Jul 22 07:07:09 PDT 2010


Shawn, to be clear, this should work with PIV as well, correct?

> John,
>
> As I just noted to Bram, you need to just do the following for SSO with CAC
> at Login (PKINIT).
>
> Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very
> minor config changes to fully enable for Login.  I will attempt to get draft
> instructions up very soon.
>
> Add PKINIT information to /etc/authorization file
>
> Please make sure to make a backup of the /etc/authorization file before you
> make any changes as a misconfigured version of this file may prevent the
> system from booting. A backup of the authorization file could be done with
> the following command:
>
> cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
>
> Edit the /etc/authorization file to add
> <string>PKINITMechanism:auth,privileged</string> below
> <string>MCXMechanism:login</string> as in the example below. This could be
> done with a defaults command or plistbuddy.
>
> <key>system.login.console</key>
> <dict>
>         <key>class</key>
>         <string>evaluate-mechanisms</string>
>         <key>comment</key>
>         <string>Login mechanism based rule.  Not for general use, yet.</string>
>         <key>mechanisms</key>
>         <array>
>                 <string>builtin:smartcard-sniffer,privileged</string>
>                 <string>loginwindow:login</string>
>                 <string>builtin:reset-password,privileged</string>
>                 <string>builtin:auto-login,privileged</string>
>                 <string>builtin:authenticate,privileged</string>
>                 <string>loginwindow:success</string>
>                 <string>HomeDirMechanism:login,privileged</string>
>                 <string>HomeDirMechanism:status</string>
>                 <string>MCXMechanism:login</string>
>                 <string>PKINITMechanism:auth,privileged</string>
>                 <string>loginwindow:done</string>
>         </array>
> </dict>
>
> Test to verify PKINIT is working
>
> First, insert your smart card into the reader. Run the following command to
> verify that PKINIT is working:
>
> /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
>
> If the command works, you should be prompted for a PIN. You can verify that
> you have a kerberos ticket by opening Keychain Access and going to Ticket
> Viewer or by going to Terminal and typing klist.
>
>
> -Shawn
>
>
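The /etc/authorization edit Shawn describes above, carried out as a script rather than by hand. This is an added example, not code from the thread or from Apple's tooling: it uses Python's plistlib instead of the `defaults` or PlistBuddy route the post mentions, so that it can be dry-run offline against a constructed copy of the rule. It assumes the `system.login.console` rule sits under a top-level `rights` dictionary (the post shows only the rule itself, so that surrounding layout is an assumption). Because a misconfigured file can stop the system from booting, the script backs the file up with the same naming scheme as the post's `cp` command, refuses to write anything if `MCXMechanism:login` is not where it expects it, and leaves the file alone if PKINIT is already listed.

```python
"""Insert PKINITMechanism:auth,privileged after MCXMechanism:login in an
/etc/authorization-style plist, with the checks you want before touching
a file that can prevent the system from booting."""
import os
import plistlib
import shutil
import tempfile
import time

PKINIT = "PKINITMechanism:auth,privileged"
ANCHOR = "MCXMechanism:login"

# Constructed sample: the system.login.console rule from the post, wrapped in
# the top-level "rights" dict (assumed layout of /etc/authorization).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def add_pkinit_mechanism(mechanisms):
    """Return a new list with PKINIT placed directly after the anchor.

    Idempotent: an existing PKINIT entry is left untouched. Raises
    ValueError when the anchor is missing, so an unexpected layout is
    never written back to disk.
    """
    if PKINIT in mechanisms:
        return list(mechanisms)
    if ANCHOR not in mechanisms:
        raise ValueError("anchor %r not found; refusing to edit" % ANCHOR)
    idx = mechanisms.index(ANCHOR) + 1
    return mechanisms[:idx] + [PKINIT] + mechanisms[idx:]


def patch_authorization_plist(data):
    """Take the raw bytes of an authorization plist, return patched bytes."""
    root = plistlib.loads(data)
    rule = root["rights"]["system.login.console"]  # assumed 'rights' layout
    if rule.get("class") != "evaluate-mechanisms":
        raise ValueError("system.login.console is not an evaluate-mechanisms rule")
    rule["mechanisms"] = add_pkinit_mechanism(rule["mechanisms"])
    return plistlib.dumps(root)


def patch_authorization_file(path):
    """Back up `path` (same naming as the post's cp command), then patch it.

    Returns the backup path. The patched bytes are computed before the
    original is overwritten, so a validation failure leaves the file as is.
    """
    backup = "%s_original_%s" % (path, time.strftime("%M-%H-%m-%d-%y"))
    shutil.copy2(path, backup)
    with open(path, "rb") as fh:
        patched = patch_authorization_plist(fh.read())
    with open(path, "wb") as fh:
        fh.write(patched)
    return backup


def run_demo():
    """Dry run on the constructed sample in a temp dir; returns the new list."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "authorization")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_PLIST)
    backup = patch_authorization_file(path)
    with open(backup, "rb") as fh:
        assert fh.read() == SAMPLE_PLIST, "backup must equal the original"
    with open(path, "rb") as fh:
        root = plistlib.loads(fh.read())
    shutil.rmtree(workdir)
    return root["rights"]["system.login.console"]["mechanisms"]


if __name__ == "__main__":
    for mechanism in run_demo():
        print(mechanism)
```

Run it as root against the real file only after the dry run shows the expected order; the real edit is `patch_authorization_file("/etc/authorization")`, and the backup it leaves behind is what you restore from single-user mode if login stops working.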

