[SmartcardServices-Users] Mountain Lion Login window

Shawn Geddis geddis at me.com
Tue May 28 11:44:13 PDT 2013


Will,

Questions / comments inline below...

On May 17, 2013, at 5:43 PM, "Jorgensen, Will A" <Will at pnnl.gov> wrote:
> I'm trying to get a PIV card working for login on mountain lion.  I installed the tokend and driver for the reader.

Just to be sure we know your environment, you installed the PIV tokend from MacOSForge?  As for installing the driver for the reader, why did you need to do that?  Is the reader a non-CCID compliant reader, or is it that the built-in CCID Class Driver just did not support that particular one?

> When I'm already logged in, the PIV card shows up in the keychain and the certificates show up as valid (I had to install some root certificates to get that).

Question again on why you would need to install roots for certificates on a PIV card.  Is this a self-generated PIV Card with internal / test identities and not US Federal Government issued Identities?  I ask because the System Root Keychain should already have the necessary CA Root Certificates for proper trust validation and revocation checking for US Federal Government issued Identities.  If not, please let me know what was not there, so that I can correct that.

>  I've used sc_auth to enable the certificate for a local account.

Just a note: This is the generic way to associate a card to a Directory Service account that would work with any supported card that can digitally sign data.  This very capability made it possible for DoD Academy graduates to begin using their cards on OS X even though the cards only had an ID Identity and had not been issued with Email Signing Identities - DoD chose to set an Extended Key Usage for Smart Card Login on the Email Signing Certificate.


> I've tried enabling and disabling the cacloginconfig.plist (my understanding is it should be disabled when logging in to a local account).

There are three methods for associating Smart Cards to your DS Record for authenticated Login:
a) PubKeyHash          - pubkeyhash;......  in AuthenticationAuthority of DS record
b) Attribute Matching  - /etc/cacloginconfig.plist configured to map lookup key in DS
c) PKINIT              - /etc/cacloginconfig.plist & Kerberos configured (i.e. bound to AD)

Default Smart Card <-> DS record association is indeed the PubKeyHash method, which is the use of the PubKeyHash entry in the AuthenticationAuthority attribute of your DS record.  Out of the box this is the behavior.

*IF* the /etc/cacloginconfig.plist file exists, then the behavior switches to b) Attribute Matching or c) PKINIT depending on the configuration of your system.

Configuration for each method:

PubKeyHash
Enable Smart Card Sniffer for Login Window
Update Authorization Database (/etc/authorization)  - Add "smartcard-sniffer" entries back in
<string>builtin:smartcard-sniffer,privileged</string>
Add PubKeyHash of an Identity from Smart Card that has key usage of digital signature
Use the sc_auth command to add the hash from the card entry to your user record
Switch to Login Window, insert card, enter PIN...

Attribute Matching

Enable Smart Card Sniffer for Login Window
Update Authorization Database (/etc/authorization)  - Add "smartcard-sniffer" entries back in
<string>builtin:smartcard-sniffer,privileged</string>
Add/Create Attribute Matching plist
Add/Create the /etc/cacloginconfig.plist file  - optional install in current MacOSForge installers
Set DS lookup key mapping from the Certificate to the DS Attribute.
Configure selected DS attribute to equal the attribute value being pulled from cert
Switch to Login Window, insert card, enter PIN...

PKINIT
Enable Smart Card Sniffer for Login Window
Update Authorization Database (/etc/authorization)  - Add "smartcard-sniffer" entries back in
<string>builtin:smartcard-sniffer,privileged</string>
Add/Create Attribute Matching plist
Add/Create the /etc/cacloginconfig.plist file  - optional install in current MacOSForge installers
Default:    Cert: NT Principal Name --> DS: dsAttrTypeNative:userPrincipalName
Configure selected DS Record for Smart Card Login - matching attribute values
Configure Binding Client --> DS/Kerberos  (i.e. Bind your Mac to AD)
If the Mac is bound to a Windows Server 2003, create the com.apple.Kerberos.plist file in /Library/Preferences
Ensure client trusts Roots
Trust the Root of Trust Chain for Leaf Cert on Card
Trust the Root of Trust Chain for AD DC Root of Trust Chain for Server Cert
Test acquiring a ticket:
kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
Switch to Login Window, insert card, enter PIN...


Give us a status back of your success / issues...
You might want to turn on DS logging as well.  You could also run "dsconfigad -show" to show what the configuration is on the box.


> __________________________________________________
> Will Jorgensen
> Desktop and Mobile Services
> Pacific Northwest National Laboratory

- Shawn
______________________________________________________
Shawn Geddis                                       geddis at me.com
Enterprise Security Consulting Engineer, Apple     geddis at apple.com

MacOSForge: Smart Card Services  Project Lead:
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
______________________________________________________
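All three methods above start with the same step: putting the "builtin:smartcard-sniffer,privileged" mechanism back into the system.login.console right of the authorization database. The following is an added example, not code from this thread or from the Smart Card Services project, that audits a copy of /etc/authorization for that mechanism and produces a corrected plist if it is missing. It assumes the real file's shape (a top-level "rights" dictionary whose system.login.console entry carries a "mechanisms" array); the abbreviated mechanism list in the sample and the choice to insert the sniffer ahead of loginwindow:login are assumptions for illustration.

```python
import plistlib
import sys

SNIFFER = "builtin:smartcard-sniffer,privileged"
LOGIN_RIGHT = "system.login.console"

# Constructed sample modeled on the shape of /etc/authorization. The mechanism
# list is abbreviated and assumed; it is not copied from a real Mountain Lion box.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:login-success</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def login_mechanisms(plist_bytes):
    """Return the ordered mechanism chain that runs for console (login window) logins."""
    data = plistlib.loads(plist_bytes)
    return list(data["rights"][LOGIN_RIGHT]["mechanisms"])


def sniffer_enabled(plist_bytes):
    """True when the smart card sniffer is part of the login window mechanism chain."""
    return SNIFFER in login_mechanisms(plist_bytes)


def enable_sniffer(plist_bytes, before="loginwindow:login"):
    """Return plist bytes with the sniffer inserted once, ahead of `before`.

    Idempotent: if the mechanism is already present the input is returned unchanged.
    The insertion point is an assumption; the chain order is what Authorization
    Services evaluates, so review the result before installing it.
    """
    data = plistlib.loads(plist_bytes)
    mechs = data["rights"][LOGIN_RIGHT]["mechanisms"]
    if SNIFFER in mechs:
        return plist_bytes
    position = mechs.index(before) if before in mechs else 0
    mechs.insert(position, SNIFFER)
    return plistlib.dumps(data)


if __name__ == "__main__":
    # Audit a real file if a path is given (e.g. a backup copy of /etc/authorization),
    # otherwise the constructed sample. Writing the result back is deliberately left
    # to the administrator.
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZATION
    print("login mechanisms:", login_mechanisms(source))
    print("smartcard-sniffer present:", sniffer_enabled(source))
    if not sniffer_enabled(source):
        print(enable_sniffer(source).decode())
```

Run it against a copy of /etc/authorization rather than the live file; installing the corrected plist requires root, and keeping the original alongside it lets you diff exactly which mechanism was added. The same chain is what you should re-check after any OS update, since that is when the sniffer entry disappears.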