[SmartcardServices-Users] tokenadmin, FileVault etc
Juha Ratilainen
semipro at me.com
Tue Sep 7 03:11:01 PDT 2010
Greetings,
Hope this is a correct place for these questions.
I'm trying to utilize a smart token for various purposes; ultimately I'd like to have a single token for login, encrypting data either with FileVault or a specific disk image, and VPN connection.
FWIW, I'm using Charismathics CSSI, their tokend and plug'n crypt tokens. We are utilizing Open Directory, but have a lot of mobile users for whom I'd like to use a portable account (no synchronization).
I have run into various problems with these aims and I'm hoping that someone could help with these.
1) I can use sc_auth to bind a token for login to an account. After that, I can also set the screen to lock with token removal. However, after the screen is locked I cannot use the token's PIN anymore for login; only the password is accepted even if I plug the token back in.
2) tokenadmin create-fv-user fails when creating a new FileVaulted account.
sudo tokenadmin -v create-fv-user -u tokenuser -l "Token User"
gives output:
create-fv-user "-u" "tokenuser" "-l" "Token User"
Authorizing right system.preferences.accounts
Connecting to writeconfig...
Connected
Validating full name: Token User
Validating short name: tokenuser
2010-09-07 13:00:17.908 tokenadmin[42782:e07] failed to convert string
tokenadmin: Creating user "Token User" (tokenuser)
Creating new user account: tokenuser
2010-09-07 13:00:18.354 tokenadmin[42782:e07] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
*** Call stack at first throw:
(
0 CoreFoundation 0x00007fff85e95cc4 __exceptionPreprocess + 180
1 libobjc.A.dylib 0x00007fff85aa90f3 objc_exception_throw + 45
2 CoreFoundation 0x00007fff85e95ae7 +[NSException raise:format:arguments:] + 103
3 CoreFoundation 0x00007fff85e95a74 +[NSException raise:format:] + 148
4 Foundation 0x00007fff81819aaa -[NSPlaceholderString initWithString:] + 102
5 Foundation 0x00007fff81835e01 +[NSString stringWithString:] + 45
6 Admin 0x00007fff865d8274 -[User setPassword:] + 79
7 tokenadmin 0x0000000100001774 0x0 + 4294973300
8 tokenadmin 0x0000000100001085 0x0 + 4294971525
9 tokenadmin 0x0000000100000c8c 0x0 + 4294970508
)
terminate called after throwing an instance of 'NSException'
Abort trap
bash-3.2$ 2010-09-07 13:00:20.419 writeconfig[42783:903] writeconfig quitting because of exception:connection went invalid while waiting for a reply
If I add -p, for the optional password, I get a different error; this time the account is created but creating the sparsebundle fails:
create-fv-user "-u" "tokenuser" "-l" "Token User" "-p" "tokenuser"
Authorizing right system.preferences.accounts
Connecting to writeconfig...
Connected
Validating full name: Token User
Validating short name: tokenuser
tokenadmin: Creating user "Token User" (tokenuser)
Creating new user account: tokenuser
Creating home directory...
2010-09-07 13:02:35.890 writeconfig[42815:903] DIHLFVMount failed with 80
tokenadmin: Failed to create home directory
New user account created and configured
3) I could do without FileVault if I could create an encrypted image bound to the token certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with a path to a certificate as an argument. However, it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?
Thank you in advance for any replies,
Juha Ratilainen