[SmartcardServices-Users] CAC login on OS X 10.7 & 10.8

Michael Kluskens michael.kluskens at nrl.navy.mil
Wed Feb 20 13:04:51 PST 2013


1) I clean-installed and updated OS X Lion on an unused disk.
2) I installed the SmartCardServices Installer v2.0.b2 for Lion
3) I used sc_auth hash and selected the first hash for use with sc_auth accept -u useraccount -h ...
4) I confirmed the hash entry with dscl . -read /Users/useraccount
5) I added builtin:smartcard-sniffer,privileged to both the system.login.console and authenticate sections of /etc/authorization

Confirmed that my Gemalto CAC card works with OS X Mail and Safari. Log out and insert card: no effect. Reboot, insert card: no effect.

What step did I miss?  I was never inserting a reader / card on a vanilla install of OS X Lion.

Are there newer instructions on the precise location for the smartcard-sniffer entries?  What log files do I look at? secure.log seems related, but I can't tell if anything in there was an error.

> There are three methods for associating a Smart Card to a given user account in either the local or remote DS.
> PubKey Hash - Default method used by OS X and requires sc_auth
> Attribute Matching - requires /etc/cacloginconfig.plist
> PKINIT - requires /etc/cacloginconfig.plist and Mac bound to a KDC
> All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.
> Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge.  This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher.  ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.  
> Project Site:		
> http://smartcardservices.macosforge.org/
> 
> Installers:		
> http://smartcardservices.macosforge.org/trac/wiki/installers
> 
> There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
> 
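
An added example, not part of the original post or of the SmartCardServices project: a check for step 5 that reports whether `builtin:smartcard-sniffer,privileged` appears in the `mechanisms` array of each section the post names. It assumes /etc/authorization is an XML plist with top-level `rights` and `rules` dictionaries; the sample plist is constructed and the function name is hypothetical.

```python
import plistlib

MECH = "builtin:smartcard-sniffer,privileged"
# Sections named in the post; assumed to sit under top-level "rights" or "rules".
SECTIONS = ("system.login.console", "authenticate")

# Constructed sample in the assumed /etc/authorization layout (not a real system file).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>rights</key><dict>
  <key>system.login.console</key><dict>
   <key>class</key><string>evaluate-mechanisms</string>
   <key>mechanisms</key><array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:authenticate,privileged</string>
   </array>
  </dict>
 </dict>
 <key>rules</key><dict>
  <key>authenticate</key><dict>
   <key>class</key><string>evaluate-mechanisms</string>
   <key>mechanisms</key><array>
    <string>builtin:authenticate</string>
    <string>builtin:authenticate,privileged</string>
   </array>
  </dict>
 </dict>
</dict></plist>"""

def sniffer_positions(plist_bytes):
    """Map each section to the index of the sniffer mechanism, or None if absent."""
    db = plistlib.loads(plist_bytes)
    found = {}
    for name in SECTIONS:
        entry = None
        for top in ("rights", "rules"):
            entry = entry or db.get(top, {}).get(name)
        mechs = (entry or {}).get("mechanisms", [])
        found[name] = mechs.index(MECH) if MECH in mechs else None
    return found

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for section, pos in sniffer_positions(data).items():
        status = "MISSING" if pos is None else "present at index %d" % pos
        print(section + ": " + status)
```

Run with the path to the authorization file as the only argument; with no argument it checks the constructed sample, where the `authenticate` section lacks the entry.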

