[SmartcardServices-Users] Storing Keychain data

SB Tech sirgadabout1 at gmail.com
Wed Feb 29 09:55:48 PST 2012


> I think that SB was using a smart card to log into the mac.

You're right, I forgot to mention that.  And your subsequent analysis of
what happens as a result is spot on - that is the problem I experience.  A
workaround is to change the Login keychain password to match the PIN of the
Smart Card - but this creates the problem where, should you choose to log
in with a password (perhaps because you have misplaced or damaged your
smart card) you, once again, have to log in a second time to the Login
keychain.  Furthermore, the Login keychain now has a _very_ poor password
protecting it.  It's a fudge.

> it is no surprise that Apple wants to lose the CDSA in future operating
> systems.

I don't suppose there's any information, not covered by NDA, that anyone
can share regarding the future of Smart Cards on OS X?  On Apple's fedtalk
mailing list, I was advised that it may be largely third-party in the
future (though I may have misunderstood/recalled poorly).

S.

On 29 February 2012 17:46, Paul Nelson <nelson at thursby.com> wrote:

> I think that SB was using a smart card to log into the mac.  When this
> happens, the password or PIN used to unlock the card is also used to
> attempt to unlock the login keychain.
> If the user account was already in use before the smart card was
> configured for login, it is unlikely that the card's PIN matches the login
> keychain password.
>
> 1) The login keychain requires a password to unlock it. Apple's user login
> (via the authorization mechs) does know how to unlock the login keychain
> unless the password/PIN you enter in the login window is the right keychain
> password.
> 2) I am not aware of any tokend for MacOS that allows writing to the card.
> 3) Connecting to services, otherwise known as single sign on depends on
> the service.  For WiFi, you might get the smart card to work, but I never
> have.  For file servers, you probably need Kerberos with PKINIT support.
> My company has a product that handles this.  Apple has their own solution
> too.
>
> Apple's smart card system involves a number of components that make a
> smart card appear in the list of keychains for a user:
> a) securityd - the central security service on the mac
> b) pcscd - the PCSC software that provides a framework for smart card
> developers to use to communicate with a smart card in a standard card reader
> c) tokend - the "middleware" that knows how to communicate with a specific
> kind of smart card.  This is basically a CDSA architecture piece on one
> side, and a PCSC user on the other.  10.6 ships some, 10.7 does not.  The
> CDSA architecture piece is wrapped up in a private framework named
> SecurityTokend.  The SecurityTokend stuff is extremely complex, and it is
> no surprise that Apple wants to lose the CDSA in future operating systems.
>
> Paul Nelson
> Thursby Software Systems, Inc.
>
>
>
> On Feb 29, 2012, at 11:17 AM, Miller, Timothy J. wrote:
>
> > You initially asked:
> >
> >>>> So, my question is: how does one go about using a Smart Card to store
> >>>> Keychain Access-specific data, so that the Smart Card "dynamic
> >>>> keychain" can more fully perform the functions required on login?
> >
> > Per the document you quote, this is not permitted for smartcard-based
> > keychains.
> >
> > So now I'm confused what you're actually asking.  You're observing the
> > documented behavior, so what's the problem?
> >
> > -- T
> >
> > On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
> >
> >> If you don't mind, I'm going to quote from Apple's "Mac OS X Security
> >> Configuration For Mac OS X Version 10.6 Snow Leopard" document:
> >>
> >> "Snow Leopard integrates support for hardware-based smart cards as
> >> dynamic keychains where any application using keychains can access
> >> that smart card. A smart card can be thought of as a portable
> >> protected keychain.
> >> Smart cards are seen by the operating system as dynamic keychains and
> >> are added to the top of the Keychain Access list. They are the first
> >> searched in the list. They can be treated as other keychains on the
> >> user’s computer, with the limitation that users can’t add other secure
> >> objects.
> >> When you attach a supported smart card to your computer, it appears in
> >> Keychain Access. If multiple smart cards are attached to your
> >> computer, they appear at the top of the keychain list alphabetically
> >> as separate keychains." (p.136)
> >>
> >> This encouraged me to believe that the behaviour I was seeing,
> >> regarding my Smart Card displacing my Login keychain, was both normal
> >> and expected behaviour.  So, how exactly does your Smart Card interact
> >> with Keychain Access?  Does it appear at all in the list of Keychains?
> >> If not, perhaps there's a low-level setting I can toggle to prevent
> >> it appearing.
> >>
> >> S.
> >>
> >> On 29 February 2012 13:24, Miller, Timothy J. <tmiller at mitre.org>
> >> wrote:
> >>> I'm thinking there must be something peculiar about the tokend or card
> >>> you're using, because I've been using smart cards through CDSA for years
> >>> without this particular problem arising.
> >>>
> >>> Unless you're using a stored-value card, you're not going to be able
> >>> to update data on a smart card.  That's usually reserved for the token
> >>> manager, since mucking with card data is inherently a security critical
> >>> operation.  Stored-value cards aren't the best idea for the same reason.
> >>>
> >>> -- T
> >>>
> >>> On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I looked into using a Smart Card for authentication purposes in my
> >>>> SOHO, but came away disappointed by its interaction with Keychain
> >>>> Access.  Specifically, because it took the top position in the
> >>>> Keychain list, it assumed the Login keychain's duties; but because I
> >>>> was unable to store passwords directly on the Smart Card (e.g. wifi
> >>>> passwords) I found myself having to authenticate a second time, to the
> >>>> Login keychain.  In the meantime, there was no automatic
> >>>> authentication of login services such as connecting to wifi or
> >>>> mounting of secure disk images.
> >>>>
> >>>> So, my question is: how does one go about using a Smart Card to store
> >>>> Keychain Access-specific data, so that the Smart Card "dynamic
> >>>> keychain" can more fully perform the functions required on login?
> >>>>
> >>>> At the moment, I'm not concerned with any particular Smart Card or
> >>>> software solution, I'm more interested in knowing whether it's
> >>>> actually possible.
> >>>>
> >>>> Regards.
> >>>> _______________________________________________
> >>>> SmartcardServices-Users mailing list
> >>>> SmartcardServices-Users at lists.macosforge.org
> >>>>
> >>>> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
> >>>
> >