[SmartcardServices-Users] Storing Keychain data

Brian Reese breese78 at mac.com
Sun Mar 4 08:04:43 PST 2012


This is just my opinion, so use it at your own risk ;)

If you are using a data at rest encryption solution like FileVault 2 (which you really should if you are concerned about security on a laptop you take to the field), having the login keychain encrypted with a PIN is probably not that big a deal. Somebody would have to get past the disk encryption before they could try to brute force your login keychain.

Of course that comes back to the whole issue of having to use a strong password for FileVault 2, since I don't think there's any way to use a smart card at the preboot screen (yet?).

There supposedly is a way to encrypt your keychain with the actual key on the smart card rather than just the PIN, but it involves some command line steps and I've never actually gotten it to work. That also sounds like it wouldn't be ideal for you though, because if you didn't log in with your smart card, there would be no way at all to unlock the keychain.

What it boils down to is that you can't use multiple ways of logging in (username/pass, smart card) and have the login keychain unlock automatically with all of those ways. Keychains only support one way of unlocking them at a time.

-Brian

On Mar 4, 2012, at 10:23 AM, SB Tech wrote:

> Are you sure you want/need to use a Smart Card?  What characteristics or capabilities were you looking for that led you to Smart Cards?
> 
> I simply wanted a way to log in securely to a work notebook used in the field that would obviate the need to remember a complicated and lengthy password.  The Smart Card solution fell short of this requirement because entering the PIN on login failed to unlock the default keychain, so that several login services I rely on (automatic connections to remembered wifi networks, mounting of encrypted disk images) failed to work without the unlocking of the default keychain.
> 
> I learned I could use the same PIN on my default keychain as used on the Smart Card during login to get around this, but this weakened the password on the default keychain too much.  It also raised the issue that, should the Smart Card be unavailable, logging in would once again require the manual unlock of the default keychain.  So, I discarded this workaround as unsatisfactory.
> 
> Hence my pursuit of a way to store Keychain Access-recognizable objects directly on the Smart Card, so that login services would have access to them when I log in with the Smart Card.  My logic has led me to assume this to be the most appropriate way to solve this problem.  So far as I understand it, the Smart Card cannot be used to single-handedly authenticate to every service that might have its password stored in the default keychain.
> 
> It's true that, along the way, I've failed to understand quite a few things, and this has made things harder (both for me and for those who attempt to help).  Hopefully we can move past that.
> _______________________________________________
> SmartcardServices-Users mailing list
> SmartcardServices-Users at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
