[SmartcardServices-Users] Mountain Lion Login window
Hoit, Daniel S.
hoit2 at llnl.gov
Wed May 29 13:11:13 PDT 2013
Shawn,
After many conversations with you, I'm pretty familiar with how this whole process is supposed to work, and in fact I've used methods A, B and C to do smart card login on 10.6.8 and previous, but no matter what I've tried, I've been unable to do so with 10.7/10.8.
Like Will, I've never even seen a smart card specific prompt at the login window.
I spent a little time on it again this week (I try it with every new seed available to me), and cannot seem to make the connections.
Details for my experiments today, starting with a machine that can read my smart card (and that works for pkinit or sc_auth in 10.6.8):
Method A:
1. run sc_auth hash to get a list of available hashes
2. run sc_auth accept -u localusername -h longhashnumber
3. run security authorizationdb read system.login.console > slc.plist
4. edit slc.plist to include "builtin:smartcard-sniffer,privileged" as the first mechanism (I've also tried moving it around in the mechanism list, but no luck)
5. run security authorizationdb write system.login.console < slc.plist
6. logout/reboot to login window, insert card, brief flash, and no change. Window remains an empty user name and password field.
Method C:
1. remove hashes from previous sc_auth play.
2. Drop in /etc/cacloginconfig.plist (standard mapping, from the smartcard installer)
3. Ensure that certificate on card's NT Principal Name and user's userPrincipalName match
4. Ensure that certificate chain is trusted. Cert looks good, shows as trusted.
5. Check pkinit with kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
If "virtual keychain" for card is locked, I get kinit: krb5_get_init_creds: Create CMS signedData: RSA private encrypt failed: 569888
If "virtual keychain" for card is unlocked, I get kinit: krb5_get_init_creds: Client not trusted
Whoops. No matter how I google around, I can't find a solution for this piece.
The 569888 error does pop up in some heimdal mailing list with a reference to errors with small keys (512), but in this case the key is 2048.
Perhaps there is a bug in Apple's heimdal that chokes on both small /and/ large keys? Certainly a possibility. If so, where do I file this bug? With Apple? Will they support it given it's with smart card pkinit?
In any case, checking the login window produces the same flash-but-no-change that I got with the sc_auth method. I expected as much.
Again, I've had all three methods working on 10.6.8, and I've done the first two much further back. None of this is new to me, yet I can't make it work.
Perhaps /someone/ involved with the smartcardservices project can actually document the procedures on 10.8, just in case there is something missing.
I realize that the heimdal error I'm getting is the biggest obstacle to using pkinit, but I'm quite surprised that I can't even make sc_auth work.
--DH
On May 28, 2013, at 11:44 AM, Shawn Geddis wrote:
Will,
Questions / comments inline below...
On May 17, 2013, at 5:43 PM, "Jorgensen, Will A" <Will at pnnl.gov> wrote:
I'm trying to get a PIV card working for login on mountain lion. I installed the tokend and driver for the reader.
Just to be sure we know your environment, you installed the PIV tokend from MacOSForge? As for installing the driver for the reader, why did you need to do that? Is the reader a non-CCID compliant reader, or is it that the built-in CCID Class Driver just did not support that particular one?
When I'm already logged in, the PIV card shows up in the keychain and the certificates show up as valid (I had to install some root certificates to get that).
Question again on why you would need to install roots for certificates on a PIV card. Is this a self-generated PIV Card with internal / test identities and not US Federal Government issued Identities? I ask because the System Root Keychain should already have the necessary CA Root Certificates for proper trust validation and revocation checking for US Federal Government issued Identities. If not, please let me know what was not there, so that I can correct that.
I've used sc_auth to enable the certificate for a local account.
Just a note: This is the generic way to associate a card to a Directory Service account that would work with any supported card that can digitally sign data. This very capability made it possible for DoD Academy graduates to begin using their cards on OS X even though the cards only had an ID Identity and had not been issued with Email Signing Identities - DoD chose to set an Extended Key Usage for Smart Card Login on the Email Signing Certificate.
I've tried enabling and disabling the cacloginconfig.plist (my understanding is it should be disabled when logging in to a local account).
There are three methods for associating Smart Cards to your DS Record for authenticated Login:
a) PubKeyHash - pubkeyhash;...... in AuthenticationAuthority of DS record
b) Attribute Matching - /etc/cacloginconfig.plist configured to map lookup key in DS
c) PKINIT - /etc/cacloginconfig.plist & Kerberos configured (i.e. bound to AD)
Default Smart Card <-> DSrecord association is indeed PubKeyHash method which is the use of the PubKeyHash entry in the AuthenticationAuthority attribute of your DS record. Out of the box this is the behavior.
*IF* the /etc/cacloginconfig.plist file exists, then the behavior switches to b) Attribute Matching or c) PKINIT depending on the configuration of your system.
Configuration for each method:
PubKeyHash
* Enable Smart Card Sniffer for Login Window
  * Update Authorization Database (/etc/authorization) - Add "smartcard-sniffer" entries back in
    * <string>builtin:smartcard-sniffer,privileged</string>
* Add PubKeyHash of an Identity from Smart Card that has key usage of digital signature
  * Use the sc_auth command to add the hash from the card entry to your user record
* Switch to Login Window, insert card, enter PIN...
Attribute Matching
* Enable Smart Card Sniffer for Login Window
  * Update Authorization Database (/etc/authorization) - Add "smartcard-sniffer" entries back in
    * <string>builtin:smartcard-sniffer,privileged</string>
* Add/Create Attribute Matching plist
  * Add/Create the /etc/cacloginconfig.plist file - optional install in current MacOSForge installers
  * Set DS lookup key mapping from the Certificate to the DS Attribute.
* Configure selected DS attribute to equal the attribute value being pulled from cert
* Switch to Login Window, insert card, enter PIN...
PKINIT
* Enable Smart Card Sniffer for Login Window
  * Update Authorization Database (/etc/authorization) - Add "smartcard-sniffer" entries back in
    * <string>builtin:smartcard-sniffer,privileged</string>
* Add/Create Attribute Matching plist
  * Add/Create the /etc/cacloginconfig.plist file - optional install in current MacOSForge installers
  * Default: Cert: NT Principal Name --> DS: dsAttrTypeNative:userPrincipalName
* Configure selected DS Record for Smart Card Login - matching attribute values
* Configure Binding Client --> DS/Kerberos (i.e. Bind your Mac to AD)
  * If the Mac is bound to a Windows Server 2003, create the com.apple.Kerberos.plist file in /Library/Preferences
* Ensure client trusts Roots
  * Trust the Root of Trust Chain for Leaf Cert on Card
  * Trust the Root of Trust Chain for AD DC Root of Trust Chain for Server Cert
* Test acquiring a ticket:
  * kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
* Switch to Login Window, insert card, enter PIN...
Give us a status back of your success / issues...
You might want to turn on DS logging as well. You could also run "dsconfigad -show" to show what the configuration is on the box.
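The authorization-database edit that both Daniel's Method A (steps 3-5) and the "Update Authorization Database" step in Shawn's lists describe, as an added example that is not part of the thread: it takes the XML plist that `security authorizationdb read system.login.console` prints, inserts `builtin:smartcard-sniffer,privileged` at the front of the mechanism list without ever stacking duplicates, and lets you check where the sniffer ended up before writing the rule back. The sample rule below is constructed for the example; the mechanism list on a real 10.7/10.8 box is longer.

```python
import plistlib

SNIFFER = "builtin:smartcard-sniffer,privileged"

# Constructed sample of what `security authorizationdb read system.login.console`
# returns; the real mechanism list on a given OS X release is longer.
SAMPLE_RULE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:authenticate,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
  <key>shared</key><true/>
</dict>
</plist>
"""


def mechanisms(rule_plist: bytes) -> list:
    """Mechanism list of an authorization rule plist, [] if it has none."""
    return list(plistlib.loads(rule_plist).get("mechanisms", []))


def sniffer_index(rule_plist: bytes) -> int:
    """Position of the sniffer in the mechanism list, or -1 if absent."""
    mechs = mechanisms(rule_plist)
    return mechs.index(SNIFFER) if SNIFFER in mechs else -1


def add_sniffer(rule_plist: bytes, position: int = 0) -> bytes:
    """Return the rule with SNIFFER inserted at `position` (default: first,
    as in Method A). Existing copies are dropped first so repeated runs do
    not stack duplicate entries in the mechanism list."""
    rule = plistlib.loads(rule_plist)
    if rule.get("class") != "evaluate-mechanisms":
        raise ValueError("system.login.console is not an evaluate-mechanisms rule")
    mechs = [m for m in rule["mechanisms"] if m != SNIFFER]
    mechs.insert(position, SNIFFER)
    rule["mechanisms"] = mechs
    return plistlib.dumps(rule)
```

On a Mac, feed `add_sniffer` the bytes from `security authorizationdb read system.login.console > slc.plist` and write its output back with `security authorizationdb write system.login.console < slc-new.plist` as root; `position` lets you try the other placements Daniel mentions without editing the XML by hand.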
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users at lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users