[SmartcardServices-Users] Can MacOSX work with Oberthur ID-One PIV (type A) cards and ID Prime .Net from Gemalto?

Hoit, Daniel S. hoit2 at llnl.gov
Fri Apr 8 11:07:19 PDT 2016


Glenn,
We are using both at LLNL, although we are looking into replacing the .Net cards since it causes issues switching libraries on the linux boxes.
The .Net cards use the PKCS11.tokend module that Ludovic Rousseau wrote, along with a Framework and some libraries to provide the pkcs11 support.
Unfortunately, the version that Gemalto is currently providing will only look in /usr/lib/pkcs11, and since that location is restricted on SIP enabled systems, it breaks.
Luckily, the source for PKCS11.tokend is on the smartcard services web site, and Ludovic has an updated version there that will look in /usr/local/lib/pkcs11.
Hopefully Gemalto updates their installer to use that version in the future, but in the meantime I simply pulled down the newer tokend code, built it, and packaged it with the existing libraries set to be put in SIP compliant locations.
They do use different pkcs11 modules, so if that's part of your deployment, you may have issues.
I can use the tokendpkcs11.so for generating a key off the .Net cards, but trying to use it with SSH it relays a signing error, and fails. Considering it's doing the gemalto PKCS11 -> PKCS11.tokend -> tokendPKCS11.so, it's not really surprising that it's flaky. Most tools allow you to point to a separate library at the command line though, so you could always have an aliased SSH for the .NET card that uses -I /usr/local/lib/pkcs11/<whichever gemalto pkcs11.so you are using>
The biggest issue with using a “civ” card along side the PIV is user mapping. Once we solved that, everything else has been pretty straight forward.
I’d be happy to discuss the details of our implementation if you’d like. You know how to get ahold of me. :)

—DH


On Apr 8, 2016, at 10:32 AM, Machin, Glenn D <GMachin at sandia.gov> wrote:


We have a situation where we will have users using a PIV (Oberthur ID-One PIV (type A)) and the ID Prime .Net from Gemalto.

We want to make sure MacOSX can support both cards.     Out of the box on MacOSX ID Prime .Net from Gemalto does not work and we want to make sure we don’t break the PIV to get the .Net card to work.

We have found that on Linux (red hat) only one pkcs11 module will work at a time for either pam_pkcs11 or pam_krb5, and each card needs its own pkcs11 module, therefore only one card can be configured at a time. We don’t want to fall into the same trap with MacOSX.


Appreciate any help.



Glenn

_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users at lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users

Daniel Hoit
hoit2 at llnl.gov
925.424.5256
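An added example, not part of the list thread and not code from LLNL, Sandia or Gemalto: a small POSIX sh wrapper that implements the "aliased SSH per card" idea from Daniel's reply. It picks a PKCS#11 module per card type, refuses module paths that live under a SIP-protected prefix such as /usr/lib (the breakage described above), checks the module is actually installed, and then runs OpenSSH with its documented `-I pkcs11` option. The card names (`piv`, `dotnet`), the module file names and the /usr/local/lib/pkcs11 install location are assumptions for illustration; substitute whichever Gemalto and PIV libraries you actually deploy.

```shell
#!/bin/sh
# card_ssh.sh - added example (not from the mailing list thread).
# Select a PKCS#11 module per smart card type and hand it to ssh -I.
# Module paths below are ASSUMED names for illustration; override via env.
PIV_MODULE="${PIV_MODULE:-/usr/local/lib/pkcs11/opensc-pkcs11.so}"          # assumed
DOTNET_MODULE="${DOTNET_MODULE:-/usr/local/lib/pkcs11/libgtop11dotnet.dylib}" # assumed

# Return 0 if the path is under a prefix SIP keeps read-only on El Capitan
# and later, where a vendor installer cannot legitimately place a module.
sip_protected() {
    case "$1" in
        /usr/lib/*|/System/*|/bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the module path for a card type; fail with status 2 on unknown types.
pkcs11_module_for() {
    case "$1" in
        piv)    printf '%s\n' "$PIV_MODULE" ;;
        dotnet) printf '%s\n' "$DOTNET_MODULE" ;;
        *)      printf 'unknown card type: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Validate a module path: absolute, and not under a SIP-protected prefix.
check_module() {
    mod="$1"
    case "$mod" in
        /*) ;;
        *)  printf 'refusing %s: not an absolute path\n' "$mod" >&2; return 1 ;;
    esac
    if sip_protected "$mod"; then
        printf 'refusing %s: SIP-protected prefix, install under /usr/local/lib/pkcs11\n' "$mod" >&2
        return 1
    fi
    return 0
}

# card_ssh <piv|dotnet> [ssh arguments...]
# Resolves and checks the module, then execs ssh with -I pointing at it.
card_ssh() {
    card="$1"; shift
    mod=$(pkcs11_module_for "$card") || return 2
    check_module "$mod" || return 1
    [ -f "$mod" ] || { printf 'module not installed: %s\n' "$mod" >&2; return 1; }
    exec ssh -I "$mod" "$@"
}
```

Source the file from your shell profile and alias per card (for example `alias sshnet='card_ssh dotnet'`, then `sshnet user@host`), so each card always gets its own provider library instead of relying on whichever module the system-wide tokend chain happens to load.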





