[SmartcardServices-Users] CAC login on OS X 10.7 & 10.8

Michael Kluskens michael.kluskens at nrl.navy.mil
Thu Feb 21 08:01:14 PST 2013


I identified a problem with SystemCACertificates & Keychain: it refuses to stick in my login keychain (unless I "Add keychain"). I'm certain the proper way is for SmartCardServices to put it in the System list as shared, but it disappears after a reboot, and when I try to add it myself to the System list it refuses to stay, and if it ever does, it rapidly disappears.

This should be why I see the following error in secure.log:

Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:43 mskpro authorizationhost[998]: Certificate could not be verified: 5
Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain completed with: 5
repeated 3 more times.

I haven't retried with a clean system, as the steps I outlined below failed on a clean system, and until I know for certain that these are the exact steps there is not much point.

On Feb 20, 2013, at 4:04 PM, Michael Kluskens wrote:

> 1) I clean-installed and updated OS X Lion on an unused disk.
> 2) I installed the SmartCardServices Installer v2.0.b2 for Lion
> 3) I used sc_auth hash and selected the first hash for use with sc_auth accept -u useraccount -h ...
> 4) I confirmed the hash entry with dscl . -read /Users/useraccount
> 5) I added builtin:smartcard-sniffer,privileged to both the system.login.console and authenticate sections of /etc/authorization
> 
> Confirmed that my Gemalto CAC card works with OS X Mail and Safari. Log out and insert card: no effect. Reboot, insert card: no effect.
> 
> What step did I miss?  I was never inserting a reader / card on a vanilla install of OS X Lion.
> 
> Are there newer instructions on the precise location for the smartcard-sniffer entries?  What log files do I look at?  secure.log seems related, but I can't tell if anything in there was an error.
> 
>> There are three methods for associating a Smart Card to a given user account in either the local or remote DS.
>> PubKey Hash			- Default method used by OS X and requires sc_auth
>> Attribute Matching		- requires /etc/cacloginconfig.plist
>> PKINIT					- requires /etc/cacloginconfig.plist and Mac bound to a KDC
>> All methods require that the smartcard-sniffer line be present in /etc/authorization for catching the Smart Card and gathering the PIN for the associated Challenge Response with the card for use of the Private Key on the card.
>> Tokend modules no longer ship with OS X (as of OS X Lion), but are freely available for 10.7, 10.8 from Apple's SmartCardServices project at MacOSForge.  This is why nothing happens when you insert a reader / card on a vanilla install of OS X Lion or higher.  ALL other components of SmartCard Services are present and have even been updated in released versions of OS X since OS X Lion v10.7.0.  
>> Project Site:		
>> http://smartcardservices.macosforge.org/
>> 
>> Installers:		
>> http://smartcardservices.macosforge.org/trac/wiki/installers
>> 
>> There are also third-party commercially supported solutions from, for example, Centrify, charismathics and Thursby.
>> 

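The two things this thread keeps coming back to, whether the builtin:smartcard-sniffer mechanism is actually present under the right you edited in /etc/authorization, and whether authorizationhost is logging chain-validation failures in secure.log, can both be checked from a shell without touching the card. The script below is an added example; it is not code from the thread, from Apple, or from the SmartCardServices project. It assumes the one-tag-per-line plist layout that /etc/authorization uses on 10.7/10.8 and the log line format quoted above; the sample authorization file and secure.log excerpt it writes are constructed and abridged, and the function names (has_smartcard_sniffer, chain_failures) are my own. It does not interpret the numeric code in "completed with: 5", because the thread does not say what it means.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for
#   1. is builtin:smartcard-sniffer listed under a given right in
#      /etc/authorization (the thread says it is required under both
#      system.login.console and authenticate), and
#   2. how many "validate chain" runs authorizationhost logged to
#      secure.log that finished with a non-zero code.
# Assumption: one plist tag per line, as the 10.7/10.8 /etc/authorization
# is written. Point the functions at /etc/authorization and
# /var/log/secure.log on a real system.

SAMPLE_DIR=$(mktemp -d)

# Constructed, abridged /etc/authorization: the sniffer is present under
# system.login.console but was left out of authenticate.
cat > "$SAMPLE_DIR/authorization" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>rights</key>
    <dict>
        <key>system.login.console</key>
        <dict>
            <key>mechanisms</key>
            <array>
                <string>builtin:policy-banner</string>
                <string>loginwindow:login</string>
                <string>builtin:login-begin</string>
                <string>builtin:smartcard-sniffer,privileged</string>
                <string>builtin:authenticate,privileged</string>
                <string>loginwindow:success</string>
            </array>
        </dict>
        <key>authenticate</key>
        <dict>
            <key>mechanisms</key>
            <array>
                <string>builtin:authenticate,privileged</string>
            </array>
        </dict>
    </dict>
</dict>
</plist>
EOF

# Constructed secure.log excerpt: the failing sequence from the thread
# (four times) plus one chain that validated cleanly.
cat > "$SAMPLE_DIR/secure.log" <<'EOF'
Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:43 mskpro authorizationhost[998]: Certificate could not be verified: 5
Feb 21 10:49:43 mskpro authorizationhost[998]: validate chain completed with: 5
Feb 21 10:49:44 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:44 mskpro authorizationhost[998]: validate chain completed with: 5
Feb 21 10:49:45 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:45 mskpro authorizationhost[998]: validate chain completed with: 5
Feb 21 10:49:46 mskpro authorizationhost[998]: validate chain started
Feb 21 10:49:46 mskpro authorizationhost[998]: validate chain completed with: 5
Feb 21 10:52:10 mskpro authorizationhost[1012]: validate chain started
Feb 21 10:52:10 mskpro authorizationhost[1012]: validate chain completed with: 0
EOF

# has_smartcard_sniffer RIGHT FILE
# Exit 0 when the <dict> belonging to RIGHT contains the smartcard-sniffer
# mechanism, exit 1 otherwise. Tracks <dict> nesting so that a mechanism
# listed under some other right is not counted.
has_smartcard_sniffer() {
    awk -v right="$1" '
        index($0, "<key>" right "</key>") { inright = 1; depth = 0; next }
        inright && /<dict>/   { depth++ }
        inright && /<\/dict>/ { depth--; if (depth <= 0) inright = 0 }
        inright && /builtin:smartcard-sniffer/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# chain_failures FILE
# Prints the number of authorizationhost "validate chain completed with: N"
# lines where N is not 0.
chain_failures() {
    awk '/authorizationhost\[[0-9]*\]: validate chain completed with: [0-9]*$/ {
             if ($NF != 0) n++
         }
         END { print n + 0 }' "$1"
}

for right in system.login.console authenticate; do
    if has_smartcard_sniffer "$right" "$SAMPLE_DIR/authorization"; then
        echo "$right: smartcard-sniffer present"
    else
        echo "$right: smartcard-sniffer MISSING"
    fi
done
echo "chain validation failures: $(chain_failures "$SAMPLE_DIR/secure.log")"
```

Against the constructed sample this reports the sniffer present under system.login.console, missing under authenticate, and four chain-validation failures. On a real 10.7/10.8 box, a MISSING line for either right points back at step 5 of the procedure above, while a non-zero failure count with the sniffer in place points at the certificate chain (the SystemCACertificates problem described at the top of the message) rather than at /etc/authorization.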

