[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Shawn A. Geddis geddis at apple.com
Wed Oct 13 13:37:35 PDT 2010


Ridley,

> If the organization requires smartcards as an AD user object property, and the user is an admin, how would they execute a sudo command?


Very good question.  This is where there are trade-offs in how an organization would proceed in managing accounts and limiting authentication methods.  Mac OS X 10.6.x does not provide compiled support for Smart Card authentication for several unix commands, but remember that sudo itself is not the actual command per se that you are executing but a directive to use alternate credentials with which to execute the command that follows.  Some folks have either re-compiled or added additional CLI commands which do provide support for Smart Card / Keychain authentication rather than user/pass.


> Also, would this mean that [by default] the Login Keychain Password is only a 6-8 digit PIN, if using a Federal PIV card?  So to make the Keychain Password follow password guidelines would they have to manually change it and type it in at login?


Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.  

How do you do that ?

$ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain


I notice this does not appear in the man page for systemkeychain (i.e. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this.  It has been around for quite some time and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.

$ systemkeychain
Usage: 	systemkeychain -C [passphrase]  # (re)create system root keychain
		systemkeychain [-k destination-keychain] -s source-keychain ...
		systemkeychain -T token-protected-keychain-name


-Shawn

On Oct 13, 2010, at 4:15 PM, Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] wrote:

> 
> Shawn,
> 
> If the organization requires smartcards as an AD user object property, and the user is an admin, how would they execute a sudo command?
> 
> Also, would this mean that [by default] the Login Keychain Password is only a 6-8 digit PIN, if using a Federal PIV card?  So to make the Keychain Password follow password guidelines would they have to manually change it and type it in at login?
> 
> -Ridley
> 
> On Oct 13, 2010, at 3:59 PM, Shawn A. Geddis wrote:
> 
>> Paul,
>> 
>> Organizations apply policy such as requiring smart cards by managing their AD.  This is not something that they would do at the client side.  What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client side middleware such as your ADmitMac for CAC).
>> 
>> The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards.  Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
>> 
>> - Shawn
>> _____________________________________________________
>> Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
>> 
>> 
>> 
>> On Oct 13, 2010, at 3:24 PM, Paul Nelson wrote:
>> 
>>> Shawn,
>>> 
>>> How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?
>>> 
>>> Paul
>>> 
>>> On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:
>>> 
>>>> Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.
>>>> 
>>>> Souheil,
>>>> 
>>>> There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.
>>>> 
>>>> What method are you using today ?
>>>> 
>>>> Old methods still supported:
>>>> - PubKeyHash		
>>>> 	- This is a simple Hash matching between card and account 
>>>> 	- The user is then presented with a PIN Challenge which wraps/unwraps/verifies challenge - uses Private key on Card to prove ownership of card
>>>> 	- uses sc_auth to update the DS with appropriate ";pubkeyhash;" and <hash> entries 
>>>> - Attribute Matching	
>>>> 	- This allows for selective attributes from Smart Card Login Certificate (ie. NT Principal Name) 
>>>> 		to be used for mapping to a single DS attribute (ie. UserPrincipalName)
>>>> 	- uses /etc/cacloginconfig.plist mapping to define lookup in DS
>>>> 
>>>> 
>>>> Mac OS X 10.6.3+
>>>> - PKINIT  (initialization of Kerberos Session [TGT] with Auth from X.509 Cert) 
>>>> 	- SSO to Directory Service of choice (ie. AD)
>>>> 	simplified explanation of process
>>>> 	- System Bound to DS (ie. AD)
>>>> 	- Utilizes NT Principal Name along with the Cert with EKU of Smart Card Login ( 1 3 6 1 4 1 311 20 2 2 )
>>>> 		--relies on /etc/cacloginconfig.plist to reference the NTPrincipalName 
>>>> 	- Request for Auth to KDC - acquires a TGT
>>>> 	- uses PKINITMechanism configured in /etc/authorization/  for Login and ScreenSaver
>>>> 	- Success: Access to HomeDir and subsequent Service Tickets
>>>> 	- ... life continues ...
>>>> 
>>>> Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place
>>>> 
>>>> - Shawn
>>>> _____________________________________________________
>>>> Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
>>>> 
>>>> 
>>>> On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
>>>>> You probably are not configured to verify the user's smart card credentials with AD.  The Mac only matches the user account, and checks the certs to see if they are trusted.
>>>>> 
>>>>> If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI.  This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way.  It also configures your system keychain with necessary certificates from Active Directory and group policy.
>>>>> 
>>>>> Paul Nelson
>>>>> Thursby Software Systems, Inc.
>>>>> 
>>>>> On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
>>>>> 
>>>>>> These machines are bound to the NIH active directory and I only care about domain users for now.  I haven't had to use sc_auth, the AD lookup based on the card credentials has been working fine.
>>>>>> 
>>>>>> 
>>>>>> On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
>>>>>> 
>>>>>>> Have you tried using the sc_auth command? Is the user a domain user or a
>>>>>>> local user?
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com
>>>>>>> [mailto:fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com] On Behalf
>>>>>>> Of Inati, Souheil (NIH/NIMH) [E]
>>>>>>> Sent: Wednesday, October 13, 2010 12:15 PM
>>>>>>> To: fed-talk at lists.apple.com
>>>>>>> Subject: [Fed-Talk] Require smart card login
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> Does anyone know the right way to set up /etc/authorization so that users
>>>>>>> are REQUIRED to use a smart card?
>>>>>>> A Snow Leopard 10.6 only solution is sufficient.
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Souheil
>> _______________________________________________
>> SmartcardServices-Users mailing list
>> SmartcardServices-Users at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
> 
> Ridley DiSiena
> Emerging Technology and Desktop Standards (ETADS)
> ICAM Engineering 
> ridley.disiena at nasa.gov
> 

- Shawn
________________________________________
Shawn Geddis                               T (703) 264-5103
Security Consulting Engineer    C (703) 623-9329
Apple Enterprise Division           geddis at apple.com

11921 Freedom Drive, Suite 600, Reston VA  20190-5634
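The thread keeps pointing at /etc/authorization as the place where the Login and ScreenSaver rights list their mechanisms (PKINITMechanism for the PKINIT path, builtin:authenticate for user/pass).  As an added illustration, not from the list or from Apple, here is a small Python audit that parses an authorization plist and reports which of those rights carry a smart-card mechanism and which still carry a password mechanism; the plist below is constructed, and the mechanism names and the right names are assumptions for the example, not copied from a real 10.6 file.

```python
import plistlib

# Constructed sample shaped like a 10.6-era /etc/authorization: a top-level
# "rights" dict whose entries carry an ordered "mechanisms" array.  The
# mechanism strings are illustrative assumptions, not a copy of a real file.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
  <key>system.login.console</key><dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:smartcard-sniffer,privileged</string>
      <string>PKINITMechanism:auth,privileged</string>
      <string>builtin:authenticate,privileged</string>
      <string>HomeDirMechanism:login,privileged</string>
    </array>
  </dict>
  <key>system.login.screensaver</key><dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:authenticate,privileged</string>
    </array>
  </dict>
</dict></dict></plist>"""

# Prefixes we treat as "smart card" and "password" mechanisms (assumed names).
SMARTCARD_MECHS = ("PKINITMechanism:", "builtin:smartcard-sniffer")
PASSWORD_MECHS = ("builtin:authenticate",)

LOGIN_RIGHTS = ("system.login.console", "system.login.screensaver")


def audit_rights(plist_bytes, rights=LOGIN_RIGHTS):
    """Return {right: (has_smartcard_mech, has_password_mech)} for each right."""
    cfg = plistlib.loads(plist_bytes)
    report = {}
    for name in rights:
        mechs = cfg.get("rights", {}).get(name, {}).get("mechanisms", [])
        has_sc = any(m.startswith(SMARTCARD_MECHS) for m in mechs)
        has_pw = any(m.startswith(PASSWORD_MECHS) for m in mechs)
        report[name] = (has_sc, has_pw)
    return report


def findings(report):
    """Rights that lack a smart-card mechanism or still list a password one."""
    return sorted(r for r, (sc, pw) in report.items() if pw or not sc)
```

As Shawn notes, the client-side file only lists mechanisms; whether a card is actually required for the account is enforced at the Directory Service, so treat this output as an inventory rather than proof of enforcement.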


