[SmartcardServices-Users] tokenadmin, FileVault etc

Juha Ratilainen semipro at me.com
Thu Sep 9 10:01:14 PDT 2010


Thank you for the answers. As always, these raise more questions...



1) I can use sc_auth to bind a token for login to an account. After that, I can also set screen to lock with token removal. However, after screen is locked I cannot use token's PIN anymore for login, only password is accepted even if I plug the token back.

There is a noticeable delay for the token/card to be recognized upon insertion for Screen Saver.  There are also cases when some readers (not sure what token/reader you are using) are not properly recognized upon removal and reinsertion (sometimes limited to same port).  If your system has multiple USB ports, you might want to try and insert into a different USB port and see if your reader suffers from that issue. 
 

I had this working with the Aladdin eToken in 10.5; however, they have not updated their client software for 10.6, AFAIK. The problematic token is the plug'n crypt from Charismathics, which is also the provider of the tokend. I guess the question is: if this does not work, is it probably a bug in the tokend implementation? Should I report this to Charismathics? The token is recognized in the login window, with the window changing for PIN entry; likewise, locking the screen on token removal works. Only re-plugging it does not work?



You can take two avenues to report this issue to Apple.
	a) You can submit a ticket here at the SmartCardServices Project and I will submit a corresponding ticket internally
	b) You can submit directly to Apple at http://bugreport.apple.com/  and emphasize the need for a 10.6.x fix.
		(please notify me if you submit this, so that I can track and add to internal diagnostics)
 
Thanks for clarification. I can submit this directly.





2) I could do without FileVault if I could create an encrypted image bound to token certificate. However, I haven't found an option to do this. hdiutil can create an encrypted container with path to a certificate as an argument. However, it doesn't understand a reference to a keychain that is a token. Any suggestions to overcome this?

Using hdiutil's option "-pubkey PK1,PK2,...,PKn" would help you here.
 

D'uh. There it was under my nose... However, I'm still missing something. 

If I create a test certificate with Keychain Access, export it and try to create an image with it, it works:

hdiutil create -size 20m -encryption -fs HFS+J -certificate test.cer enc.dmg

However, trying to create the same image with -pubkey, with the certificate in login keychain of local admin:

hdiutil create -size 20m -fs=HFS+J -pubkey 2A09D74BC583A3ECAE066441552076FF659778C2 enc.dmg 

only gives generic help message:

Usage:	hdiutil create <sizespec> [options] <imagepath>
	hdiutil create -help

Any pointers for this? 

Thanks,

Juha Ratilainen