[SmartcardServices-Users] Mountain Lion Login window

Jorgensen, Will A Will at pnnl.gov
Tue May 28 16:44:25 PDT 2013


I've answered some of your questions inline below.  I thought the problem
may have been an issue with /etc/authorization, but as far as I can tell
the file I'm using is correct and I'm still having issues.  Since your
email I've tried to configure attribute matching again and I still don't get
the PIN input prompt at login window.

__________________________________________________
Will Jorgensen 
Desktop and Mobile Services
Pacific Northwest National Laboratory

From:  Shawn Geddis <geddis at me.com>
Date:  Tuesday, May 28, 2013 11:44 AM
To:  Staff Member <will at pnnl.gov>
Cc:  "SmartcardServices-Users at lists.macosforge.org"
<SmartcardServices-Users at lists.macosforge.org>
Subject:  Re: [SmartcardServices-Users] Mountain Lion Login window

Will,

Questions / comments inline below...

On May 17, 2013, at 5:43 PM, "Jorgensen, Will A" <Will at pnnl.gov> wrote:
> I'm trying to get a PIV card working for login on mountain lion.  I installed
> the tokend and driver for the reader.

Just to be sure we know your environment, you installed the PIV tokend from
MacOSForge?  As for installing the driver for the reader, why did you need
to do that?  Is the reader a non-CCID compliant reader or is it that the
built-in CCID Class Driver just did not support that particular one?

Answer - I installed the tokend from MacOSForge.  I didn't need to install
the driver, but because things weren't working the way I expected, I found
the driver from omnikey and installed it.  I'm still a little bit new to
smart card login so some of this was because I didn't know how things are
supposed to work.  The reader is the omnikey 3121 which I believe is a CCID
compliant reader.

> When I'm already logged in, the PIV card shows up in the keychain and the
> certificates show up as valid (I had to install some root certificates to get
> that).

Question again on why you would need to install roots for certificates on a
PIV card.  Is this a self-generated PIV Card with internal / test identities
and not US Federal Government issued Identities ?  I ask because the System
Root Keychain should already have the necessary CA Roots Certificates for
proper trust validation and revocation checking for US Federal Government
issued Identities.  If not, please let me know what was not there, so that I
can correct that.

Answer - They are DOE certificates issued by an Entrust Managed Services SSP
CA which I didn't see in the system root keychain.  Looking at it further,
I'm not sure I actually solved it anyway since the certificates in the PIV
card show up as being signed by an untrusted user.

>  I've used sc_auth to enable the certificate for a local account.

Just a note: This is the generic way to associate a card to a Directory
Service account that would work with any supported card that can digitally
sign data.  This very capability made it possible for DoD Academy graduates
to begin using their cards on OS X even though the cards only had an ID
Identity and had not been issued with Email Signing Identities - DoD chose
to set an Extended Key Usage for Smart Card Login on the Email Signing
Certificate.



> I've tried enabling and disabling the cacloginconfig.plist (my understanding
> is it should be disabled when logging in to a local account).

There are three methods for associating Smart Cards to your DS Record for
authenticated Login:
  a) PubKeyHash - pubkeyhash;......  in AuthenticationAuthority of DS record
  b) Attribute Matching - /etc/cacloginconfig.plist configured to map lookup key
     in DS
  c) PKINIT - /etc/cacloginconfig.plist & Kerberos configured (ie. bound to AD)

Default Smart Card <-> DSrecord association is indeed PubKeyHash method
which is the use of the PubKeyHash entry in the AuthenticationAuthority
attribute of your DS record.  Out of the box this is the behavior.

*IF* the /etc/cacloginconfig.plist file exists, then the behavior switches
to b) Attribute Matching  or c) PKINIT depending on the configuration of
your system.

Configuration for each method:

PubKeyHash
* Enable Smart Card Sniffer for Login Window
  * Update Authorization Database (/etc/authorization) - Add "smartcard-sniffer"
    entries back in
    * <string>builtin:smartcard-sniffer,privileged</string>
* Add PubKeyHash of an Identity from Smart Card that has key usage of digital
  signature
  * Use the sc_auth command to add the hash from the card entry to your user
    record
* Switch to Login Window, insert card, enter PIN...

Attribute Matching
* Enable Smart Card Sniffer for Login Window
  * Update Authorization Database (/etc/authorization) - Add "smartcard-sniffer"
    entries back in
    * <string>builtin:smartcard-sniffer,privileged</string>
* Add/Create Attribute Matching plist
  * Add/Create the /etc/cacloginconfig.plist file - option install in current
    MacOSForge installers
  * Set DS lookup key mapping from the Certificate to the DS Attribute.
* Configure selected DS attribute to equal the attribute value being pulled
  from cert
* Switch to Login Window, insert card, enter PIN...

PKINIT
* Enable Smart Card Sniffer for Login Window
  * Update Authorization Database (/etc/authorization) - Add "smartcard-sniffer"
    entries back in
    * <string>builtin:smartcard-sniffer,privileged</string>
* Add/Create Attribute Matching plist
  * Add/Create the /etc/cacloginconfig.plist file - option install in current
    MacOSForge installers
    * Default:    Cert: NT Principal Name --> DS: dsAttrTypeNative:userPrincipalName
* Configure selected DS Record for Smart Card Login - matching attribute
  values
* Configure Binding Client --> DS/Kerberos  (ie. Bind your Mac to AD)
  * If the Mac is bound to a Windows Server 2003, create the
    com.apple.Kerberos.plist file in /Library/Preferences
* Ensure client trusts Roots
  * Trust the Root of Trust Chain for Leaf Cert on Card
  * Trust the Root of Trust Chain for AD DC Root of Trust Chain for Server Cert
* Test acquiring a ticket:
  * kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
* Switch to Login Window, insert card, enter PIN...


Give us a status back of your success / issues...
You might want to turn on DS logging as well.  You could also run
"dsconfigad -show" to show what the configuration is on the box.


- Shawn
______________________________________________________
Shawn Geddis             geddis at me.com
Enterprise Security Consulting Engineer, Apple     geddis at apple.com

MacOSForge: Smart Card Services  Project Lead:
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
______________________________________________________
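Added example, not from the thread or from the SmartcardServices project: a small POSIX shell script that checks the three PubKeyHash pre-conditions Shawn lists above (the smartcard-sniffer mechanism present in the system.login.console rule of /etc/authorization, no /etc/cacloginconfig.plist switching login to attribute matching or PKINIT, and a ;pubkeyhash; entry in the account's AuthenticationAuthority). Every check takes a file path, so the script runs here against constructed inputs. The authorization fragment, the dscl output and the hash value are made up to show the shape of the data only; the commands in the closing comment are what you would run on the Mountain Lion box itself.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the PubKeyHash
# login pre-conditions described above. Each check takes a file path so it
# can run here against constructed inputs instead of the live 10.8 files.

# 1. Sniffer mechanism present?  Looks inside the system.login.console rule
#    of an /etc/authorization-style plist for the mechanism string.
sniffer_enabled() {
    sed -n '/<key>system.login.console<\/key>/,/<\/dict>/p' "$1" \
        | grep -q '<string>builtin:smartcard-sniffer,privileged</string>'
}

# 2. Which card<->record association is in force?  Per the thread, the mere
#    existence of /etc/cacloginconfig.plist switches login away from PubKeyHash
#    to attribute matching or PKINIT; the plist's contents decide which of
#    those two and are not inspected here.
association_mode() {
    if [ -e "$1" ]; then
        echo "attribute-matching-or-pkinit"
    else
        echo "pubkeyhash"
    fi
}

# 3. Extract the hashes sc_auth recorded.  stdin is the output of
#    `dscl . -read /Users/<name> AuthenticationAuthority`; entries are
#    space-separated and each begins with ';'.
pubkeyhashes() {
    tr ' ' '\n' | sed -n 's/^;pubkeyhash;//p'
}

# One-line readiness summary: $1 authorization plist, $2 cacloginconfig path,
# $3 saved dscl output.
login_readiness() {
    mode=$(association_mode "$2")
    if sniffer_enabled "$1"; then sniffer=yes; else sniffer=no; fi
    hashes=$(pubkeyhashes < "$3" | wc -l | tr -d ' ')
    echo "mode=$mode sniffer=$sniffer pubkeyhashes=$hashes"
}

# --- Constructed sample inputs (shape only; not copied from any real system) ---
WORK=$(mktemp -d)

# Fragment of an authorization plist with the sniffer entry present.
cat > "$WORK/authorization.with-sniffer" <<'EOF'
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
    </array>
</dict>
EOF
# Same fragment with the sniffer line removed: the state the thread says you
# have to "add back in".
grep -v 'smartcard-sniffer' "$WORK/authorization.with-sniffer" > "$WORK/authorization.default"

# dscl output for a local account after `sc_auth accept`; the pubkeyhash value
# is a placeholder, not a real key hash.
cat > "$WORK/dscl.out" <<'EOF'
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;will@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567;LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567; ;pubkeyhash;F00DFACE00112233445566778899AABBCCDDEEFF
EOF

login_readiness "$WORK/authorization.default" "$WORK/no-cacloginconfig.plist" "$WORK/dscl.out"
# -> mode=pubkeyhash sniffer=no pubkeyhashes=1   (hash is there, sniffer is not: no PIN prompt)
login_readiness "$WORK/authorization.with-sniffer" "$WORK/no-cacloginconfig.plist" "$WORK/dscl.out"
# -> mode=pubkeyhash sniffer=yes pubkeyhashes=1

# On the real 10.8 box the inputs come from:
#   sudo cat /etc/authorization                        (later releases: security authorizationdb read system.login.console)
#   ls -l /etc/cacloginconfig.plist
#   dscl . -read "/Users/$USER" AuthenticationAuthority | pubkeyhashes
#   sc_auth hash                                       (hashes of the keys on the inserted card, to compare against)
```

The first summary line is the situation Will describes: the account carries a pubkeyhash but the sniffer mechanism is missing from the login rule, so the login window never asks for a PIN. If association_mode reports attribute-matching-or-pkinit on a box where you expected PubKeyHash, a stray /etc/cacloginconfig.plist is the first thing to remove.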