[SmartcardServices-Users] Yosemite SmartCard Services and Local and or Open Directory Accounts

Yoann Gini yoann.gini at gmail.com
Sun Aug 30 11:26:24 PDT 2015


Hi,

> On 28 Aug 2015 at 01:26, Schwartz, Jared <Jared.Schwartz at USPTO.GOV> wrote:
> 
> I have made great progress with the Smart Card services tool and our PIV cards.  I was able to log in to web portals with no issues but I have hit a roadblock and was hoping you could help.
> 
> We have our machines connected to an open directory, and would like to log in to the account via PIV cards.  As a test I used sudo sc_auth accept -u administrator -k "PIV" and/or $ sudo sc_auth accept -u Alice -h HASH to bind the certificate's hash to the local administrator account.
> 
> I verified the hash is set under the local administrator account and then logged out but I never get the "switchover" from password login to PIN on Mac OS 10.10.5.  I also tried on a machine that is not connected to the open directory with the same result.

Did you enable the SmartCard sniffer for the login process?

You have to run "sudo security authorizationdb smartcard enable" for that.

The whole process is described on my blog http://blog.inig-services.com/archives/1448 (it's in French but many people have successfully used it with Google Translate).

> After we get past the issue of it not being able to log in with the PIN, any idea how we set up the hash attribute for our users in open directory?

For that you have to use my updated version of sc_auth, available in my blog post or on my GitHub account https://github.com/ygini/osx_misc/blob/master/sc_auth.

It will allow you to specify the directory administrator to use when accessing the directory server for modification (so in the case of OD, your diradmin account).

But be aware of something with SmartCard authentication and Open Directory Server.

First, you will lose Kerberos. So for network resources like file sharing the user will still have to know their own password. In any other setup you would be able to use the PKINIT process from Kerberos to obtain a TGT from your KDC via smartcard-based authentication. But with OS X Server, Apple doesn't allow us to set up PKINIT, even though all underlying services are compatible with it.

So as soon as you need to authenticate on something that is not cert-based or web-based, your users will have to use their password.

Second, your users will still be able to log in with username and password.

The sc_auth-based process extends the login capabilities but does not restrict them.

So if you want to lock the workstation to smartcard-only login, you won't be able to do it with OS X Server. As far as I know, only a Windows server with a proper PKINIT setup (and an OS X cacloginconfig-based smartcard setup) will allow you to go that way.

Best regards,
Yoann Gini
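A check script for the two steps discussed in this thread (the authorizationdb smartcard switch and the hash bound with sc_auth accept), added here as an example and not part of the original post or of the sc_auth project. It assumes the 10.10-era sc_auth subcommands `hash -k KEYNAME` (prints "HASH NAME" per key) and `list -u USER` (prints one bound hash per line), and that `security authorizationdb smartcard status` mentions the word "enabled" when the login sniffer is on; the pure helper functions are what get exercised, the macOS commands only run when sc_auth is present.

```shell
#!/bin/sh
# Verify that a Mac is ready for PIV/smartcard console login:
#  1. the authorizationdb smartcard login path is enabled, and
#  2. the hash of the inserted card's key is bound to the target account.

# hash_is_bound CARD_HASH BOUND_LIST
#   Returns 0 when CARD_HASH appears as a whole line of BOUND_LIST
#   (the output format assumed for `sc_auth list -u USER`).
hash_is_bound() {
    printf '%s\n' "$2" | grep -qixF -- "$1"
}

# card_hash_for_key KEYNAME HASH_OUTPUT
#   Picks the hash for KEYNAME out of `sc_auth hash` output, assumed to be
#   lines of the form "HASH KEYNAME"; prints nothing if the key is absent.
card_hash_for_key() {
    printf '%s\n' "$2" | awk -v k="$1" '$2 == k { print $1; exit }'
}

# smartcard_login_enabled STATUS_OUTPUT
#   Returns 0 if the authorizationdb status text reports "enabled"
#   (-w keeps "disabled" from matching).
smartcard_login_enabled() {
    printf '%s\n' "$1" | grep -qiw 'enabled'
}

# check_user USER KEYNAME  -- runs the live commands on a Mac with sc_auth.
check_user() {
    status="$(security authorizationdb smartcard status 2>&1)"
    if smartcard_login_enabled "$status"; then
        echo "authorizationdb: smartcard login enabled"
    else
        echo "authorizationdb: smartcard login NOT enabled (run: sudo security authorizationdb smartcard enable)"
    fi
    card="$(card_hash_for_key "$2" "$(sc_auth hash -k "$2")")"
    [ -n "$card" ] || { echo "no key named $2 found on the inserted card"; return 1; }
    if hash_is_bound "$card" "$(sc_auth list -u "$1")"; then
        echo "hash $card is bound to $1"
    else
        echo "hash $card is NOT bound to $1 (run: sudo sc_auth accept -u $1 -h $card)"
        return 1
    fi
}

# Only run the live check when invoked with a user on a machine that has sc_auth.
if [ "$#" -ge 1 ] && command -v sc_auth >/dev/null 2>&1; then
    check_user "$1" "${2:-PIV}"
fi
```

Run it as `sh check_sc.sh alice PIV` on the workstation before logging out; both lines must report success or the login window will keep asking for a password.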
