[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Inati, Souheil (NIH/NIMH) [E] souheil.inati at nih.gov
Wed Oct 13 14:21:18 PDT 2010


Shawn,

Ron and Paul are absolutely correct.  Restricting to smartcard only cannot be done at the user level in the AD.  It HAS to be done at the client side, or else many other things will break.

What we are trying to do is protect a computer that contains sensitive data.  Requirements state that this has to be done with card/pin.  There are many other apps we have at the NIH that authenticate against the AD, some are name/password only, some are either name/password OR card/pin, and some (eventually anyway) will be card/pin ONLY.

Now, whether the management on the client side is done via AD computer management or an MCX record or a modified /etc/authorization file or a bit of specialized code in a login script, it absolutely does not matter.  The point is to protect a particular asset, a computer that contains sensitive data.

-Souheil

On Oct 13, 2010, at 4:21 PM, Ron Colvin wrote:

>  On 10/13/10 3:59 PM, Shawn A. Geddis wrote:
>> Organizations apply policy such as requiring smart cards by managing
>> their AD.  This is not something that they would do at the client
>> side.  What is managed on the client side would be any necessary mods
>> to support the required authentication methods (i.e. manage or install
>> client side middleware such as your ADmitMac for CAC).
>> 
>> The Mac would be bound to AD (for Authentication and Authorization) 
>> hence if AD requires ONLY Smart Cards then the Mac User would only be 
>> able to authenticate via smart cards.  Whether the client system is OS 
>> X or Windows the end result is the same --- management of forced 
>> authentication methods is at the Directory Service.
>> 
> Shawn, I could definitely see a use case for smartcard only at console to
> require two-factor authentication for a client box. I see a different 
> use case for requiring only a smartcard ever for that account. I could 
> certainly see a different use depending on what type of data the client 
> processes and whether it is a mobile workstation or a smartphone. On or 
> off for the user account only is not sufficient.
> 
> -- 
> 
> 
> ***************************************************************
> Ron Colvin CISSP, CEH
> Enterprise Integration Engineer, Security Analyst Code 700
> DCSE Code 100 & 110
> NASA - Goddard Space Flight Center
> <ron.colvin at nasa.gov>
> Direct phone 301-286-2451
> NASA Jabber (rdcolvin at im.nasa.gov) AIM rcolvin13
> NASA LCS (ronald.d.colvin at nasa.gov)
> ****************************************************************
> 

On Oct 13, 2010, at 4:17 PM, Paul Nelson wrote:

> If the original poster wanted to prevent users from logging into the Mac unless they had a smart card, they could do this the way you suggest below. 
> However, that may prevent them from using a password with their account for other reasons (run as for example).
> 
> While you can set an AD account to "require smartcard login", that prevents a password from being used for ANY purpose.  Microsoft clients also look for a group policy item "ScForceOption" that means a user must use a smartcard for interactive logon.
> 
> Paul
> 
> On Oct 13, 2010, at 2:59 PM, Shawn A. Geddis wrote:
> 
>> Paul,
>> 
>> Organizations apply policy such as requiring smart cards by managing their AD.  This is not something that they would do at the client side.  What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client side middleware such as your ADmitMac for CAC).
>> 
>> The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards.  Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
>> 
>> - Shawn
>> _____________________________________________________
>> Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
>> 
>> 
>> 
>> On Oct 13, 2010, at 3:24 PM, Paul Nelson wrote:
>> 
>>> Shawn,
>>> 
>>> How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?
>>> 
>>> Paul
>>> 
>>> On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:
>>> 
>>>> Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.
>>>> 
>>>> Souheil,
>>>> 
>>>> There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.
>>>> 
>>>> What method are you using today?
>>>> 
>>>> Old methods still supported:
>>>> - PubKeyHash
>>>> 	- This is a simple hash match between card and account
>>>> 	- The user is then presented with a PIN challenge which
>>>> 	  wraps/unwraps/verifies the challenge - uses the private key on the card to prove ownership of the card
>>>> 	- uses sc_auth to update the DS with the appropriate ";pubkeyhash;" and <hash> entries
>>>> - Attribute Matching
>>>> 	- This allows selective attributes from the Smart Card Login Certificate (i.e. NT Principal Name)
>>>> 	  to be used for mapping to a single DS attribute (i.e. UserPrincipalName)
>>>> 	- uses /etc/cacloginconfig.plist mapping to define lookup in DS
>>>> 
>>>> 
>>>> Mac OS X 10.6.3+
>>>> - PKINIT (initialization of Kerberos session [TGT] with auth from X.509 cert)
>>>> 	- SSO to Directory Service of choice (i.e. AD)
>>>> 	Simplified explanation of the process:
>>>> 	- System bound to DS (i.e. AD)
>>>> 	- Utilizes NT Principal Name along with the cert with EKU of Smart Card Login (1.3.6.1.4.1.311.20.2.2)
>>>> 	  - relies on /etc/cacloginconfig.plist to reference the NTPrincipalName
>>>> 	- Request for auth to KDC - acquires a TGT
>>>> 	- uses PKINITMechanism configured in /etc/authorization for Login and ScreenSaver
>>>> 	- Success: access to HomeDir and subsequent service tickets
>>>> 	- ... life continues ...
>>>> 
>>>> Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place
>>>> 
>>>> - Shawn
>>>> _____________________________________________________
>>>> Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
>>>> 
>>>> 
>>>> On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
>>>>> You probably are not configured to verify the user's smart card credentials with AD.  The Mac only matches the user account, and checks the certs to see if they are trusted.
>>>>> 
>>>>> If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI.  This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way.  It also configures your system keychain with necessary certificates from Active Directory and group policy.
>>>>> 
>>>>> Paul Nelson
>>>>> Thursby Software Systems, Inc.
>>>>> 
>>>>> On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
>>>>> 
>>>>>> These machines are bound to the NIH active directory and I only care about domain users for now.  I haven't had to use sc_auth, the AD lookup based on the card credentials has been working fine.
>>>>>> 
>>>>>> 
>>>>>> On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
>>>>>> 
>>>>>>> Have you tried using the sc_auth command? Is the user a domain user or a
>>>>>>> local user?
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com
>>>>>>> [mailto:fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com] On Behalf
>>>>>>> Of Inati, Souheil (NIH/NIMH) [E]
>>>>>>> Sent: Wednesday, October 13, 2010 12:15 PM
>>>>>>> To: fed-talk at lists.apple.com
>>>>>>> Subject: [Fed-Talk] Require smart card login
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> Does anyone know the right way to set up /etc/authorization so that users
>>>>>>> are REQUIRED to use a smart card?
>>>>>>> A Snow Leopard 10.6 only solution is sufficient.
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Souheil
> 
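Added example, not code from any participant in this thread: a small audit of the client-side /etc/authorization approach Souheil mentions, using the PKINITMechanism entry Shawn lists. It parses the plist and reports, for the console login and screensaver rights, whether a card mechanism is present and whether a password mechanism remains, which is the condition under which card/PIN is not actually enforced on the client; the mechanism strings and the sample plist are constructed assumptions, not verified 10.6 defaults.

```python
import plistlib

# Rights that gate console login and screensaver unlock, as named in the thread.
LOGIN_RIGHTS = ("system.login.console", "system.login.screensaver")
# Assumed mechanism name fragments (constructed for this example, not verified
# 10.6 defaults): PKINIT card auth vs. the built-in password authenticator.
SMARTCARD_MARKERS = ("PKINITMechanism",)
PASSWORD_MARKERS = ("builtin:authenticate",)

# Constructed sample /etc/authorization fragment with password fallback left in.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:success</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_login_rights(plist_bytes):
    """Map each login right to its mechanisms plus card/password flags."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    report = {}
    for name in LOGIN_RIGHTS:
        # A right that is absent or rule-based yields an empty mechanism list.
        mechs = list(rights.get(name, {}).get("mechanisms", []))
        report[name] = {
            "mechanisms": mechs,
            "smartcard": any(k in m for m in mechs for k in SMARTCARD_MARKERS),
            "password": any(k in m for m in mechs for k in PASSWORD_MARKERS),
        }
    return report


def card_only(report):
    """Rights with a card mechanism and no password mechanism (card/PIN enforced)."""
    return [r for r, v in report.items() if v["smartcard"] and not v["password"]]
```

Run against the real file with `audit_login_rights(open("/etc/authorization", "rb").read())`; an empty `card_only` result means the password path is still reachable for every audited right.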
