[SmartcardServices-Users] tokenadmin, FileVault etc

Juha Ratilainen semipro at me.com
Tue Sep 7 03:11:01 PDT 2010


Greetings,

Hope this is a correct place for these questions.
I'm trying to utilize a smart token for various purposes; ultimately I'd like to have a single token for login, for encrypting data either with FileVault or a specific disk image, and for VPN connections.
FWIW, I'm using Charismathics CSSI, their tokend and plug'n crypt tokens. We are utilizing Open Directory, but have a lot of mobile users for whom I'd like to use portable accounts (no synchronization).

I have run into various problems with these aims and I'm hoping that someone could help with these.

1) I can use sc_auth to bind a token for login to an account. After that, I can also set the screen to lock on token removal. However, after the screen is locked I cannot use the token's PIN anymore for login; only the password is accepted, even if I plug the token back in.


2) tokenadmin create-fv-user fails when creating a new FileVaulted account.

sudo tokenadmin -v create-fv-user -u tokenuser -l "Token User"

gives output:


create-fv-user "-u" "tokenuser" "-l" "Token User"
Authorizing right system.preferences.accounts
Connecting to writeconfig...
Connected
Validating full name: Token User
Validating short name: tokenuser
2010-09-07 13:00:17.908 tokenadmin[42782:e07] failed to convert string
tokenadmin: Creating user "Token User" (tokenuser)
Creating new user account: tokenuser
2010-09-07 13:00:18.354 tokenadmin[42782:e07] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
*** Call stack at first throw:
(
	0   CoreFoundation                      0x00007fff85e95cc4 __exceptionPreprocess + 180
	1   libobjc.A.dylib                     0x00007fff85aa90f3 objc_exception_throw + 45
	2   CoreFoundation                      0x00007fff85e95ae7 +[NSException raise:format:arguments:] + 103
	3   CoreFoundation                      0x00007fff85e95a74 +[NSException raise:format:] + 148
	4   Foundation                          0x00007fff81819aaa -[NSPlaceholderString initWithString:] + 102
	5   Foundation                          0x00007fff81835e01 +[NSString stringWithString:] + 45
	6   Admin                               0x00007fff865d8274 -[User setPassword:] + 79
	7   tokenadmin                          0x0000000100001774 0x0 + 4294973300
	8   tokenadmin                          0x0000000100001085 0x0 + 4294971525
	9   tokenadmin                          0x0000000100000c8c 0x0 + 4294970508
)
terminate called after throwing an instance of 'NSException'
Abort trap
bash-3.2$ 2010-09-07 13:00:20.419 writeconfig[42783:903] writeconfig quitting because of exception:connection went invalid while waiting for a reply


If I add -p for the optional password, I get a different error: this time the account is created, but creating the sparsebundle fails:

create-fv-user "-u" "tokenuser" "-l" "Token User" "-p" "tokenuser"
Authorizing right system.preferences.accounts
Connecting to writeconfig...
Connected
Validating full name: Token User
Validating short name: tokenuser
tokenadmin: Creating user "Token User" (tokenuser)
Creating new user account: tokenuser
Creating home directory...
2010-09-07 13:02:35.890 writeconfig[42815:903] DIHLFVMount failed with 80
tokenadmin: Failed to create home directory
New user account created and configured



3) I could do without FileVault if I could create an encrypted image bound to the token's certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with the path to a certificate as an argument, but it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?



Thank you in advance for any replies,

Juha Ratilainen
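The following is an added example and is not part of Juha's message, nor code from Apple or Charismathics. It shows the file-based route that hdiutil create does accept for point 3: export the token's certificate to a PEM file with security(1), then pass that file to -certificate as the secondary access key of an AES-256 encrypted sparse bundle (the primary key remains a passphrase, read via -stdinpass). The certificate common name, image path, size and volume name are placeholders. The example does not establish whether the Charismathics tokend lets the Security framework use the token's private key when the image is later mounted; that is the part a practitioner has to test on the real hardware.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an AES-256 encrypted
# sparse bundle whose secondary access key is the certificate held on an
# inserted smart token. hdiutil -certificate takes a file path, so the
# certificate is first dumped from the keychain search list with security(1).
# CERT_CN, IMAGE, SIZE and VOLNAME below are assumed placeholder values.

set -eu

# Write the token certificate to a PEM file. `security find-certificate -p`
# searches the keychain search list, which includes an inserted token's
# keychain, so no token keychain path has to be named here.
export_token_cert() {
    cn=$1; out=$2
    security find-certificate -c "$cn" -p > "$out"
    # Sanity check: make sure we actually got an X.509 certificate.
    openssl x509 -in "$out" -noout -subject >&2
}

# Create the image. The hdiutil argument list is assembled with `set --`
# and echoed before use so it can be inspected; with DRY_RUN=1, or on a host
# without hdiutil (any non-macOS box), only the command line is printed.
# Arguments: <cert common name> <image path> <size> <volume name> <pem path>
create_token_image() {
    cn=$1; image=$2; size=$3; volname=$4; pem=$5
    set -- create -type SPARSEBUNDLE -size "$size" -fs HFS+J \
        -volname "$volname" -encryption AES-256 -stdinpass \
        -certificate "$pem" "$image"
    echo "hdiutil $*"
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v hdiutil >/dev/null 2>&1; then
        return 0
    fi
    export_token_cert "$cn" "$pem"
    # -stdinpass reads a NUL-terminated passphrase from standard input.
    printf 'Passphrase for %s: ' "$image" >&2
    stty -echo; read -r pass; stty echo; echo >&2
    printf '%s\0' "$pass" | hdiutil "$@"
    unset pass
    # Confirm the result is encrypted and that the certificate was attached.
    hdiutil isencrypted "$image"
}

# Usage (placeholders): DRY_RUN=1 prints the command without touching disk.
# create_token_image "Token User" "$HOME/vault.sparsebundle" 2g Vault /tmp/token-cert.pem
```

Run once with DRY_RUN=1 to review the exact hdiutil invocation, then without it on the Mac with the token inserted; `hdiutil isencrypted` at the end is the check that the image really is encrypted rather than silently created in the clear.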
