[SmartcardServices-Users] Storing Keychain data

Miller, Timothy J. tmiller at mitre.org
Wed Feb 29 09:17:39 PST 2012


You initially asked:

>>> So, my question is: how does one go about using a Smart Card to store
>>> Keychain Access-specific data, so that the Smart Card "dynamic
>>> keychain" can more fully perform the functions required on login?

Per the document you quote, this is not permitted for smartcard-based keychains.

So now I'm confused about what you're actually asking. You're observing the documented behavior, so what's the problem?

-- T

On Feb 29, 2012, at 11:09 AM, SB Tech wrote:

> If you don't mind, I'm going to quote from Apple's "Mac OS X Security
> Configuration For Mac OS X Version 10.6 Snow Leopard" document:
> 
> "Snow Leopard integrates support for hardware-based smart cards as
> dynamic keychains where any application using keychains can access
> that smart card. A smart card can be thought of as a portable
> protected keychain.
> Smart cards are seen by the operating system as dynamic keychains and
> are added to the top of the Keychain Access list. They are the first
> searched in the list. They can be treated as other keychains on the
> user’s computer, with the limitation that users can’t add other secure
> objects.
> When you attach a supported smart card to your computer, it appears in
> Keychain Access. If multiple smart cards are attached to your
> computer, they appear at the top of the keychain list alphabetically
> as separate keychains." (p.136)
> 
> This encouraged me to believe that the behaviour I was seeing,
> regarding my Smart Card displacing my Login keychain, was both normal
> and expected behaviour.  So, how exactly does your Smart Card interact
> with Keychain Access?  Does it appear at all in the list of Keychains?
> If not, perhaps there's a low-level setting I can toggle to prevent
> it appearing.
> 
> S.
> 
> On 29 February 2012 13:24, Miller, Timothy J. <tmiller at mitre.org> wrote:
>> I'm thinking there must be something peculiar about the tokend or card you're using, because I've been using smart cards through CDSA for years without this particular problem arising.
>> 
>> Unless you're using a stored-value card, you're not going to be able to update data on a smart card.  That's usually reserved for the token manager, since mucking with card data is inherently a security critical operation.  Stored-value cards aren't the best idea for the same reason.
>> 
>> -- T
>> 
>> On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
>> 
>>> Hi,
>>> 
>>> I looked into using a Smart Card for authentication purposes in my
>>> SOHO, but came away disappointed by its interaction with Keychain
>>> Access.  Specifically, because it took the top position in the
>>> Keychain list, it assumed the Login keychain's duties; but because I
>>> was unable to store passwords directly on the Smart Card (e.g. wifi
>>> passwords) I found myself having to authenticate a second time, to the
>>> Login keychain.  In the meantime, there was no automatic
>>> authentication of login services such as connecting to wifi or
>>> mounting of secure disk images.
>>> 
>>> So, my question is: how does one go about using a Smart Card to store
>>> Keychain Access-specific data, so that the Smart Card "dynamic
>>> keychain" can more fully perform the functions required on login?
>>> 
>>> At the moment, I'm not concerned with any particular Smart Card or
>>> software solution, I'm more interested in knowing whether it's
>>> actually possible.
>>> 
>>> Regards.


