[SmartcardServices-Users] Storing Keychain data

Paul Nelson nelson at thursby.com
Wed Feb 29 09:46:40 PST 2012


I think that SB was using a smart card to log into the mac.  When this happens, the password or PIN used to unlock the card is also used to attempt to unlock the login keychain.
If the user account was already in use before the smart card was configured for login, it is unlikely that the card's PIN matches the login keychain password.

1) The login keychain requires a password to unlock it. Apple's user login (via the authorization mechs) does know how to unlock the login keychain unless the password/PIN you enter in the login window is the right keychain password.
2) I am not aware of any tokend for MacOS that allows writing to the card.
3) Connecting to services, otherwise known as single sign-on, depends on the service.  For WiFi, you might get the smart card to work, but I never have.  For file servers, you probably need Kerberos with PKINIT support.  My company has a product that handles this.  Apple has their own solution too.

Apple's smart card system involves a number of components that make a smart card appear in the list of keychains for a user:
a) securityd - the central security service on the mac
b) pcscd - the PCSC software that provides a framework for smart card developers to use to communicate with a smart card in a standard card reader
c) tokend - the "middleware" that knows how to communicate with a specific kind of smart card.  This is basically a CDSA architecture piece on one side, and a PCSC user on the other.  10.6 ships some, 10.7 does not.  The CDSA architecture piece is wrapped up in a private framework named SecurityTokend.  The SecurityTokend stuff is extremely complex, and it is no surprise that Apple wants to lose the CDSA in future operating systems.

Paul Nelson
Thursby Software Systems, Inc.
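A small diagnostic for the two failure points Paul describes (a smart card keychain searched ahead of login.keychain, and a login keychain whose password differs from the card PIN), written as an added example that is not from the list thread or from Apple. It assumes the standard macOS `security` command; the smart card keychain path in the embedded sample output is constructed, since real tokend paths vary by card and tokend.

```shell
#!/bin/sh
# Added example, not from the thread. Diagnoses (1) a smart card "dynamic
# keychain" placed before login.keychain in the search order and (2) a login
# keychain that does not unlock with the card PIN. The tokend keychain path
# in SAMPLE_LIST is CONSTRUCTED for offline testing.

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain"

# Constructed sample of `security list-keychains` output.
SAMPLE_LIST='    "/private/var/run/tokend-example/PIV_CARD.keychain"
    "/Users/sb/Library/Keychains/login.keychain"
    "/Library/Keychains/System.keychain"'

# Print keychain paths in search order, without indentation and quotes.
search_order() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# 1-based position of login.keychain in the search order; 0 if absent.
login_position() {
    search_order "$1" | awk '/\/login\.keychain$/ { print NR; found = 1; exit }
                             END { if (!found) print 0 }'
}

# Succeed (exit 0) when another keychain is searched before login.keychain,
# which is the displacement SB observed; fail otherwise.
login_is_displaced() {
    pos=$(login_position "$1")
    [ "$pos" -gt 1 ]
}

# Live check on a Mac: does the card PIN unlock the login keychain?
# `security unlock-keychain` prompts for the password, so the PIN never
# lands on a command line or in shell history.
check_pin_unlocks_login() {
    echo "Enter the card PIN when prompted:"
    if security unlock-keychain "$LOGIN_KEYCHAIN"; then
        echo "login keychain unlocked with the PIN: auto-unlock at login should work"
    else
        echo "login keychain did NOT unlock with the PIN; to align them, run:"
        echo "  security set-keychain-password \"$LOGIN_KEYCHAIN\""
    fi
}
```

Run `login_is_displaced "$(security list-keychains)"` on the live machine to test the real search order instead of the sample.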



On Feb 29, 2012, at 11:17 AM, Miller, Timothy J. wrote:

> You initially asked:
> 
>>>> So, my question is: how does one go about using a Smart Card to store
>>>> Keychain Access-specific data, so that the Smart Card "dynamic
>>>> keychain" can more fully perform the functions required on login?
> 
> Per the document you quote, this is not permitted for smartcard-based keychains.
> 
> So now I'm confused what you're actually asking.  You're observing the documented behavior, so what's the problem?
> 
> -- T
> 
> On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
> 
>> If you don't mind, I'm going to quote from Apple's "Mac OS X Security
>> Configuration For Mac OS X Version 10.6 Snow Leopard" document:
>> 
>> "Snow Leopard integrates support for hardware-based smart cards as
>> dynamic keychains where any application using keychains can access
>> that smart card. A smart card can be thought of as a portable
>> protected keychain.
>> Smart cards are seen by the operating system as dynamic keychains and
>> are added to the top of the Keychain Access list. They are the first
>> searched in the list. They can be treated as other keychains on the
>> user’s computer, with the limitation that users can’t add other secure
>> objects.
>> When you attach a supported smart card to your computer, it appears in
>> Keychain Access. If multiple smart cards are attached to your
>> computer, they appear at the top of the keychain list alphabetically
>> as separate keychains." (p.136)
>> 
>> This encouraged me to believe that the behaviour I was seeing,
>> regarding my Smart Card displacing my Login keychain, was both normal
>> and expected behaviour.  So, how exactly does your Smart Card interact
>> with Keychain Access?  Does it appear at all in the list of Keychains?
>> If not, perhaps there's a low-level setting I can toggle to prevent
>> it appearing.
>> 
>> S.
>> 
>> On 29 February 2012 13:24, Miller, Timothy J. <tmiller at mitre.org> wrote:
>>> I'm thinking there must be something peculiar about the tokend or card you're using, because I've been using smart cards through CDSA for years without this particular problem arising.
>>> 
>>> Unless you're using a stored-value card, you're not going to be able to update data on a smart card.  That's usually reserved for the token manager, since mucking with card data is inherently a security critical operation.  Stored-value cards aren't the best idea for the same reason.
>>> 
>>> -- T
>>> 
>>> On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I looked into using a Smart Card for authentication purposes in my
>>>> SOHO, but came away disappointed by its interaction with Keychain
>>>> Access.  Specifically, because it took the top position in the
>>>> Keychain list, it assumed the Login keychain's duties; but because I
>>>> was unable to store passwords directly on the Smart Card (eg. wifi
>>>> passwords) I found myself having to authenticate a second time, to the
>>>> Login keychain.  In the meantime, there was no automatic
>>>> authentication of login services such as connecting to wifi or
>>>> mounting of secure disk images.
>>>> 
>>>> So, my question is: how does one go about using a Smart Card to store
>>>> Keychain Access-specific data, so that the Smart Card "dynamic
>>>> keychain" can more fully perform the functions required on login?
>>>> 
>>>> At the moment, I'm not concerned with any particular Smart Card or
>>>> software solution, I'm more interested in knowing whether it's
>>>> actually possible.
>>>> 
>>>> Regards.
>>>> _______________________________________________
>>>> SmartcardServices-Users mailing list
>>>> SmartcardServices-Users at lists.macosforge.org
>>>> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
>>> 
> 
> 
