[SmartcardServices-Users] macOS update \ Clear History in Safari

patrick.krosbakken.CTR at eu.navy.mil
Fri Oct 28 05:04:16 PDT 2016


"Uri the Great",

That was excellent news, tested it and it works fine except for one issue.
Used it to log in to an OWA site using my PKI token but Safari retains the cache and allows subsequent access without the PKI token.
The only way I found to resolve the issue was to Clear History in Safari.
An easy procedure but I cannot trust users to adhere to this procedure, and it would be considered a vulnerability.
I am not using PKI token to log into my system.
The computer is locked down with a DISA STIG for ver 10.11.
Had the same issue using Thursby PKard.

Do you (or anyone else) have a solution?

Thanks,
Patrick Krosbakken


-----Original Message-----
From: smartcardservices-users-bounces at lists.macosforge.org [mailto:smartcardservices-users-bounces at lists.macosforge.org] On Behalf Of Uri Blumenthal
Sent: Friday, October 14, 2016 20:09
To: Jasmine Hall
Cc: smartcardservices-users at lists.macosforge.org
Subject: [Non-DoD Source] Re: [SmartcardServices-Users] macOS update/unable to install smart card reader

On Oct 14, 2016, at 7:52 , Jasmine Hall <princessjazzyp at gmail.com> wrote:
> My Mac just got an update to macOS Sierra. I’m trying to update everything I need in order to use the smart card reader but I can go no further because the latest on this website is for the macOS El Capitan. When will an updated version of the installer come out??

If all you need your smart card for is login, and your smartcard-requiring applications are Apple Mail and Safari (and nothing else) - then you don’t need any more software, and Sierra is better at supporting smart card login than El Capitan could possibly be. Except that for smart card login to work you must set “System Preferences -> Users -> Login options -> Display login window as” to “List users”. Setting it to “Name and password” will make smart card login impossible (Apple bug, tracked at Radars 28542438, 28572563).

If you need more, like using other browsers (Chrome and Firefox come to mind), MS Office (e.g., Outlook 2016), or Adobe Acrobat - then Sierra will break all of that for you. AFAIK, your only choice until Apple remedies this issue (tracked in Radars 27827716 and 28572661) is installing a different tokend (I usually recommend https://github.com/OpenSC/OpenSC.git and https://github.com/mouse07410/OpenSC.tokend.git).
Then you’ll need to enable legacy smart card support via

	sudo security authorizationdb smartcard enable

and disable the new Sierra’s pivtoken via

	sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

It might be possible to just install SmartCardServices for El Capitan (and they might work correctly) on Sierra - but my preferred way that I’ve tested both at work and at home was described above.
--
Uri the Great
uri at mit.edu



