[SmartcardServices-Users] [Fed-Talk] CAC-enabled login OS X10.7 & 10.8

Shawn Geddis geddis at apple.com
Wed Feb 20 09:46:05 PST 2013


Michael,

All Smart Card related questions should be communicated on Apple's SmartCardServices Project Lists over at MacOSForge.org.  

A brief debunking of misinformation previously shared on this thread...

There are three methods for associating a Smart Card to a given user account in either the local or remote DS.
PubKey Hash         - Default method used by OS X and requires sc_auth
Attribute Matching  - requires /etc/cacloginconfig.plist
PKINIT              - requires /etc/cacloginconfig.plist and Mac bound to a KDC
All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.
Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge.  This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher.  ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.  
Project Site:  http://smartcardservices.macosforge.org/
Installers:    http://smartcardservices.macosforge.org/trac/wiki/installers
There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
".....Comparing against 10.4 references these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism...."
No, "smartcard-sniffer" is NOT a name change for PKINITMechanism.  
"smartcard-sniffer" performs a swap of the login window (dynamically) and captures PIN
"PKINITMechanism" performs the Apple provided PKINIT services for Login Authentication.
"...Unfortunately Apple dropped support and now it is a requirement in many places, all places that supply Windows-software for this but if you use OS X you have to find your own solution..."
You have the SAME functionality still offered via my installers from Apple's MacOSForge Project
You have multiple commercial solutions as well as noted above:  Centrify, charismathics and Thursby.


Please register and redirect ALL Smart Card related questions to one of the appropriate mailing lists on MacOSForge.
http://lists.macosforge.org/mailman/listinfo
Smart Card Users:
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
Smart Card Developers:
https://lists.macosforge.org/mailman/listinfo/smartcardservices-dev

- Shawn
______________________________________________________
Shawn Geddis                                    geddis at me.com
Enterprise Security Consulting Engineer, Apple  geddis at apple.com

MacOSForge: Smart Card Services Project Lead:
    Web:    http://smartcardservices.macosforge.org/
    Lists:  http://lists.macosforge.org/mailman/listinfo
______________________________________________________

On Feb 19, 2013, at 1:40 PM, Michael Kluskens <mklus at ieee.org> wrote:
> I'm well aware of the sc_auth command and on previous versions of OS X I had CAC login enabled.  However, in testing an OS X Lion and an OS X Mt. Lion system, inserting the CAC card has no effect.  Both systems otherwise have full CAC functionality and I used the Identity Private Key.
> 
> I have not yet tried this on a clean system with no security configuration (disabling suid's binaries, etc.) so it is possible that both systems have been broken with regards to CAC login.
> 
> I was hoping someone could actually confirm what setup works on OS X 10.7 & 10.8 because at present the discussed information has not worked for me.
> 
> Looking at /etc/authorization under system.login I see:
> 
>                                builtin:policy-banner
>                                loginwindow:login
>                                builtin:reset-password,privileged
>                                builtin:forward-login,privileged
>                                builtin:auto-login,privileged
>                                builtin:authenticate,privileged
>                                PKINITMechanism:auth,privileged
>                                loginwindow:success
>                                HomeDirMechanism:login,privileged
>                                HomeDirMechanism:status
>                                MCXMechanism:login
>                                loginwindow:done
> 
> and under authenticate I see:
> 
>                                builtin:authenticate
>                                builtin:reset-password,privileged
>                                builtin:authenticate,privileged
>                                PKINITMechanism:auth,privileged
> 
> Comparing against 10.4 references these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism.
> 
> Michael
> 
>> From: "Danberry, Michael J Mr ARMY GUEST USA" <michael.danberry at us.army.mil>
>> The specific location for this information is at:  http://militarycac.com/errors2.htm#OTHER_QUESTIONS. Question 2
> 
>> From: "Bomar, Matt W ERDC-RDE-ITL-MS Contractor"	<Matthew.W.Bomar at erdc.dren.mil>
>> 
>> Have you looked at the "sc_auth" command? It should allow you to associate
>> a certificate with a local user account for CAC login. It's still present
>> in 10.8.
>> 
>> On 2/14/13 4:30 PM, "Michael Kluskens" <mklus at ieee.org> wrote:
>> 
>>> What are the choices for CAC enabled login on OS X 10.7 & 10.8.
>>> 
>>> I'm looking at OS X systems which may not have access to a MS Domain
>>> Server, i.e. isolated network.  Some would have access and some would not
>>> have access all the time.
>>> 
>>> I thought maybe some changes to /etc/authorization might reenable
>>> CAC-login but I haven't started an attempt yet.
>>> 
>>> Unfortunately Apple dropped support and now it is a requirement in many
>>> places, all places that supply Windows-software for this but if you use
>>> OS X you have to find your own solution.
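An added audit script, not from this thread or from the SmartCardServices project, that checks the pieces Shawn lists: it parses the XML plist form of /etc/authorization that 10.7/10.8 used, looks in the loginwindow right's mechanism chain for the smartcard-sniffer and PKINITMechanism entries (and whether the sniffer runs before builtin:authenticate), and maps what it finds onto the three association methods. Assumptions not stated in the thread: the right is named system.login.console (the thread abbreviates it as system.login), the two tokend directories, and the ";pubkeyhash;" marker that sc_auth accept records in a user's AuthenticationAuthority attribute. The embedded plist is a constructed sample mirroring the vanilla 10.8 mechanism list Michael quoted.

```python
"""Audit what this thread says smart card login on OS X 10.7/10.8 needs.

Reads the XML plist /etc/authorization of that era, inspects the loginwindow
mechanism chain, and maps the findings onto PubKey Hash / Attribute Matching /
PKINIT.  Added example; paths marked 'assumed' are not from the thread.
"""
import os
import plistlib

AUTHORIZATION_DB = "/etc/authorization"          # named in the thread
CACLOGIN_CONFIG = "/etc/cacloginconfig.plist"    # named in the thread
TOKEND_DIRS = ("/System/Library/Security/tokend",  # assumed tokend bundle locations
               "/Library/Security/tokend")
LOGIN_RIGHT = "system.login.console"             # the loginwindow right (thread: system.login)

# Constructed sample modelled on the vanilla 10.8 chain Michael quoted:
# PKINITMechanism is present, smartcard-sniffer is not.
SAMPLE_VANILLA = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:forward-login,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def mechanisms_for_right(plist_bytes, right=LOGIN_RIGHT):
    """Ordered mechanism list of one right, or [] if the right has none."""
    db = plistlib.loads(plist_bytes)
    return list(db.get("rights", {}).get(right, {}).get("mechanisms", []))


def mechanism_name(entry):
    """'builtin:authenticate,privileged' -> 'builtin:authenticate' (drop the flag)."""
    return entry.split(",", 1)[0]


def audit_login_chain(mechanisms):
    """Report the two smart card mechanisms Shawn distinguishes and their order."""
    names = [mechanism_name(m) for m in mechanisms]
    sniffer = [n for n in names if "smartcard-sniffer" in n]
    pkinit = [n for n in names if n.startswith("PKINITMechanism")]
    # The sniffer swaps the login window and collects the PIN, so it has to run
    # before builtin:authenticate consumes the credentials.
    before = (bool(sniffer) and "builtin:authenticate" in names
              and names.index(sniffer[0]) < names.index("builtin:authenticate"))
    return {"sniffer_present": bool(sniffer), "pkinit_present": bool(pkinit),
            "sniffer_before_authenticate": before}


def pubkey_hashes(authentication_authority):
    """Hashes recorded by `sc_auth accept` in AuthenticationAuthority.
    Value format assumed: ';pubkeyhash;<hex>' (one value per accepted key)."""
    hashes = []
    for value in authentication_authority:
        parts = value.split(";")          # ';pubkeyhash;ABC' -> ['', 'pubkeyhash', 'ABC']
        if len(parts) >= 3 and parts[1].lower() == "pubkeyhash" and parts[2]:
            hashes.append(parts[2])
    return hashes


def tokend_installed(dirs=TOKEND_DIRS):
    """True if any *.tokend bundle exists; without one a card insert does nothing."""
    return any(os.path.isdir(d) and any(n.endswith(".tokend") for n in os.listdir(d))
               for d in dirs)


def association_methods(mechanisms, authentication_authority, cacloginconfig_exists, tokend_present):
    """Map the audit onto the three methods from the thread (KDC binding is not checked)."""
    chain = audit_login_chain(mechanisms)
    return {"tokend_present": tokend_present,
            "sniffer_ok": chain["sniffer_present"] and chain["sniffer_before_authenticate"],
            "pubkey_hash": bool(pubkey_hashes(authentication_authority)),    # needs sc_auth
            "attribute_matching": cacloginconfig_exists,                      # needs the plist
            "pkinit": chain["pkinit_present"] and cacloginconfig_exists}      # plist + KDC binding


def main():
    if os.path.exists(AUTHORIZATION_DB):
        with open(AUTHORIZATION_DB, "rb") as fh:
            db = fh.read()
    else:
        print("no %s here, auditing the constructed sample" % AUTHORIZATION_DB)
        db = SAMPLE_VANILLA
    # AuthenticationAuthority values come from `dscl . -read /Users/<name>
    # AuthenticationAuthority`; none are read here, so pubkey_hash reports False.
    findings = association_methods(mechanisms_for_right(db), [],
                                   os.path.exists(CACLOGIN_CONFIG), tokend_installed())
    for key in sorted(findings):
        print("%-20s %s" % (key, findings[key]))


if __name__ == "__main__":
    main()
```

Run it as root on the box in question; a vanilla 10.7/10.8 install reports sniffer_ok False and tokend_present False, which is exactly the "nothing happens on insert" symptom described above, and PKINITMechanism being present on its own proves nothing about card login.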