[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Paul Nelson nelson at thursby.com
Wed Oct 13 12:24:28 PDT 2010


Shawn,

How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?

Paul

On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:

> Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.
> 
> Souheil,
> 
> There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.
> 
> What method are you using today ?
> 
> Old methods still supported:
> - PubKeyHash
>   - This is a simple hash matching between card and account.
>   - The user is then presented with a PIN challenge which
>     wraps/unwraps/verifies the challenge; uses the private key on the card to prove ownership of the card.
>   - Uses sc_auth to update the DS with the appropriate ";pubkeyhash;" and <hash> entries.
> - Attribute Matching
>   - This allows selective attributes from the Smart Card Login certificate (i.e. NT Principal Name)
>     to be used for mapping to a single DS attribute (i.e. UserPrincipalName).
>   - Uses the /etc/cacloginconfig.plist mapping to define the lookup in the DS.
> 
> 
> Mac OS X 10.6.3+
> - PKINIT (initialization of a Kerberos session [TGT] with auth from an X.509 cert)
>   - SSO to the Directory Service of choice (i.e. AD)
>   Simplified explanation of the process:
>   - System bound to DS (i.e. AD)
>   - Utilizes the NT Principal Name along with the cert with the EKU of Smart Card Login (1.3.6.1.4.1.311.20.2.2)
>     -- relies on /etc/cacloginconfig.plist to reference the NTPrincipalName
>   - Request for auth to KDC; acquires a TGT
>   - Uses PKINITMechanism configured in /etc/authorization/ for Login and ScreenSaver
>   - Success: access to HomeDir and subsequent service tickets
>   - ... life continues ...
> 
> Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place
> 
> - Shawn
> _____________________________________________________
> Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
> 
> 
> On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
>> You probably are not configured to verify the user's smart card credentials with AD.  The Mac only matches the user account, and checks the certs to see if they are trusted.
>> 
>> If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI.  This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way.  It also configures your system keychain with necessary certificates from Active Directory and group policy.
>> 
>> Paul Nelson
>> Thursby Software Systems, Inc.
>> 
>> On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
>> 
>>> These machines are bound to the NIH active directory and I only care about domain users for now.  I haven't had to use sc_auth, the AD lookup based on the card credentials has been working fine.
>>> 
>>> 
>>> On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
>>> 
>>>> Have you tried using the sc_auth command? Is the user a domain user or a
>>>> local user?
>>>> 
>>>> -----Original Message-----
>>>> From: fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com
>>>> [mailto:fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com] On Behalf
>>>> Of Inati, Souheil (NIH/NIMH) [E]
>>>> Sent: Wednesday, October 13, 2010 12:15 PM
>>>> To: fed-talk at lists.apple.com
>>>> Subject: [Fed-Talk] Require smart card login
>>>> 
>>>> Hi all,
>>>> 
>>>> Does anyone know the right way to set up /etc/authorization so that users
>>>> are REQUIRED to use a smart card?
>>>> A Snow Leopard 10.6 only solution is sufficient.
>>>> 
>>>> Thanks,
>>>> Souheil
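Shawn's PKINIT outline and Souheil's original question both come down to what is in the mechanism chain of the login and screensaver rights in /etc/authorization. The script below is an added example for this thread, not Apple's or Thursby's code: it parses an /etc/authorization-style plist with the stdlib plistlib and reports whether the PKINIT plugin is in the evaluated chain of each login right, following the "rule" indirection into the top-level "rules" dict that a naive grep of the right itself would miss. The sample plist is constructed; its mechanism strings are placeholders, and the plugin name "PKINITMechanism" is taken from Shawn's message, with its exact spelling on a real 10.6 system being an assumption. On a Mac you would feed it the real file instead of the sample.

```python
"""Audit a Mac OS X 10.6-style /etc/authorization plist for the login rights.

Added example for this thread (not Apple's or Thursby's code). The database shape
assumed here: top-level "rights" and "rules" dicts, each entry carrying a "class"
("evaluate-mechanisms", "rule", "user", ...) and, for evaluate-mechanisms, a
"mechanisms" array of "Plugin:mechanism[,privileged]" strings.
"""
import plistlib

# Constructed sample standing in for /etc/authorization. Mechanism strings other
# than the PKINITMechanism entry are placeholders, not a real system's contents.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:login-begin</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>builtin:login-success</string>
      </array>
    </dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>screensaver-unlock</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>screensaver-unlock</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate,privileged</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

LOGIN_RIGHTS = ("system.login.console", "system.login.screensaver")


def mechanisms_for(db, entry, _depth=0):
    """Flatten the mechanism list of a right, following 'rule' indirection into
    the top-level 'rules' dict. Depth is bounded so a cyclic rule cannot loop."""
    if _depth > 8:
        raise ValueError("rule indirection too deep")
    cls = entry.get("class")
    if cls == "evaluate-mechanisms":
        return list(entry.get("mechanisms", []))
    if cls == "rule":
        names = entry.get("rule", [])
        if isinstance(names, str):
            names = [names]
        mechs = []
        for name in names:
            mechs.extend(mechanisms_for(db, db.get("rules", {})[name], _depth + 1))
        return mechs
    # Other classes (user, allow, deny) run no mechanism plugins at all.
    return []


def plugin_name(mechanism):
    """'PKINITMechanism:auth,privileged' -> 'PKINITMechanism'."""
    return mechanism.split(":", 1)[0]


def audit(plist_bytes, plugin="PKINITMechanism"):
    """Return {right: bool} saying whether `plugin` appears anywhere in the
    evaluated mechanism chain of each login right."""
    db = plistlib.loads(plist_bytes)
    rights = db.get("rights", {})
    result = {}
    for right in LOGIN_RIGHTS:
        entry = rights.get(right)
        if entry is None:
            result[right] = False
            continue
        result[right] = any(plugin_name(m) == plugin for m in mechanisms_for(db, entry))
    return result


if __name__ == "__main__":
    for right, present in audit(SAMPLE_AUTHORIZATION).items():
        print(f"{right}: {'PKINITMechanism present' if present else 'MISSING'}")
```

With the sample, the console login right passes and the screensaver right fails, because its chain is reached only through the "screensaver-unlock" rule and contains no PKINIT entry. Presence of the mechanism is a necessary check, not the whole answer to "smart card required": whether the remaining mechanisms in the chain still offer a password path is exactly the policy question Paul raises above, and the thread does not settle it.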
