[SmartcardServices-Users] tokenadmin, FileVault etc

Shawn A. Geddis geddis at apple.com
Wed Sep 8 07:26:09 PDT 2010


On Sep 7, 2010, at 6:11 AM, Juha Ratilainen wrote:
> I'm trying to utilize a smart token for various purposes, ultimately I'd like to have a single token for login, encrypting data either with FileVault or specific disk image, and VPN connection.
> 
> FWIW, I'm using Charismathics CSSI, their tokend and plug'n crypt tokens. We are utilizing Open Directory, but having a lot of mobile users for which I'd like to use portable account (no synchronization).
> 
> I have run into various problems with these aims and I'm hoping that someone could help with these.
> 
> 1) I can use sc_auth to bind a token for login to an account. After that, I can also set the screen to lock on token removal. However, after the screen is locked I cannot use the token's PIN anymore for login; only the password is accepted, even if I plug the token back in.

There is a noticeable delay for the token/card to be recognized upon insertion for Screen Saver.  There are also cases when some readers (not sure what token/reader you are using) are not properly recognized upon removal and reinsertion (sometimes limited to same port).  If your system has multiple USB ports, you might want to try and insert into a different USB port and see if your reader suffers from that issue.  


> 2) tokenadmin create-fv-user fails for creating FileVaulted new account. 
> 
> sudo tokenadmin -v create-fv-user -u tokenuser -l "Token User"

There was a regression in Mac OS X 10.6 that caused this failure for tokenadmin.  It is an issue outside the Smart Card Services project control, so we are unable to fix it here.  It is noted and identified in Apple's Bug Tracking System.  

You can take two avenues to report this issue to Apple.
	a) You can submit a ticket here at the SmartCardServices Project and I will submit a corresponding ticket internally
	b) You can submit directly to Apple at http://bugreport.apple.com/ and emphasize the need for a 10.6.x fix.
		(please notify me if you submit this, so that I can track and add to internal diagnostics)


> 2) I could do without FileVault if I could create an encrypted image bound to token certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with path to a certificate as an argument. However, it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?

Using hdiutil's option " -pubkey PK1,PK2,...,PKn" would help you here...

 -pubkey PK1,PK2,...,PKn
                     specify a list of public keys, identified by their
                     hexadecimal hashes, to be used to protect the encrypted
                     image being created.


__________________________________________________
Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer				   geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
__________________________________________________
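The hdiutil -pubkey approach from the reply above, written out as an added example (not from the list post or the Smart Card Services project). It assumes that the hash hdiutil wants is the "SHA-1 hash" line that `security find-certificate -Z` prints for the certificate (the SHA-1 of its DER encoding), that the token's tokend exposes the token as a keychain so that lookup sees the certificate, and that hdiutil/security only exist on Mac OS X; the common name "Token User" is a constructed placeholder.

```shell
#!/bin/sh
# Added example: build an encrypted disk image whose key is wrapped to the
# public key of a certificate (e.g. one living on a smart token), so the
# image can only be attached by whoever holds the matching private key.
set -eu

# A -pubkey argument is a 40-hex-digit SHA-1 hash; check it up front rather
# than letting hdiutil fail after it has started creating the image.
valid_pubkey_hash() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Look up the certificate by common name in the keychain search list (which,
# with a tokend loaded, includes the token) and print its SHA-1 hash.
# Assumption: this hash is the value hdiutil -pubkey expects.
pubkey_hash_for_cn() {
    security find-certificate -c "$1" -Z 2>/dev/null \
        | awk '/^SHA-1 hash:/ { print $3; exit }'
}

# Create an AES-256 encrypted image protected by the given public key hash.
# A second hash (e.g. a recovery certificate) can be appended with a comma,
# as the man page excerpt shows.
create_token_dmg() {
    img=$1; hash=$2; size=${3:-100m}
    valid_pubkey_hash "$hash" || {
        echo "refusing: '$hash' is not a SHA-1 certificate hash" >&2
        return 1
    }
    hdiutil create -encryption AES-256 -pubkey "$hash" -size "$size" \
        -fs HFS+ -volname "$(basename "$img" .dmg)" "$img"
}

# Typical use (macOS only): hash="$(pubkey_hash_for_cn 'Token User')"
#                           create_token_dmg "$HOME/secure.dmg" "$hash" 200m
```

Attaching the image afterwards with `hdiutil attach secure.dmg` goes through the token for the private-key operation, so the tokend prompts for the token PIN instead of a passphrase.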
