[SmartcardServices-Users] Mountain Lion Login window

Yoann Gini yoann.gini at gmail.com
Wed May 29 14:14:01 PDT 2013


Hi Will,

On 17 May 2013 at 17:43, "Jorgensen, Will A" <Will at pnnl.gov> wrote:

> I'm trying to get a PIV card working for login on Mountain Lion.  I installed the tokend and driver for the reader.  When I'm already logged in, the PIV card shows up in the keychain and the certificates show up as valid (I had to install some root certificates to get that).  I've used sc_auth to enable the certificate for a local account.  I've tried enabling and disabling the cacloginconfig.plist (my understanding is it should be disabled when logging in to a local account).  However, under no circumstances have I been able to get a prompt to appear at the login window.  I've tried switching back and forth between username/password and list of users views to no effect as well.

A lot of clues have been given in the feed. The most important was from Shawn: before trying to do anything on the login window, your system must be able to check your certificate's authenticity. That means your root and intermediate public keys need to be added to the system keychain (note the system root, which is read-only, not the login, which is local to the user: the system one).

When that’s done, you have to configure /etc/authorization.

Like I’ve said in the past, I’ve written documentation about that on my blog [1]. It’s in French and a bit old (it was written for 10.7 and my sc_auth fix has been committed to the trunk), but the workflow is still good and the command lines to edit your authorization file without any syntax error are still good. If you don’t read French, a lot of people have already used it successfully with the help of Google Translation.

When you’re OK with your trust chain and you’ve checked against my article that you’ve done all the steps, if it still doesn’t work, please send us some logs.

The best way to do that is with two Macs: your system with the smartcard configured and another one for monitoring. From your monitor, connect by ssh to your test computer (which is waiting on the login screen, smartcard out of the reader), run "sudo syslog -w" and then do a cmd-K to clear your screen. Put the smartcard in and see what happens. Send the log created at this time.

Best regards,
Yoann

[1] http://blog.inig-services.com/archives/1068