<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div>I've answered some of your questions inline below. I thought the problem may have been an issue with /etc/authorization, but as far as I can tell the file I'm using is correct and I'm still having issues. Since your email I've tried to configure attribute matching again and I still don't get the PIN input prompt at login window. </div><div><br></div><div><div><div><span class="Apple-style-span" style="font-family: Helvetica; font-size: medium; "><font color="#D37400"><font size="1"><font face="Arial"><span style="font-size: 9pt; ">__________________________________________________</span></font></font></font></span><span class="Apple-style-span" style="font-family: Helvetica; font-size: medium; "><font size="1"><span style="font-size: 9pt; "><font face="Verdana,Helvetica,Arial"> <br><b>Will Jorgensen</b> <br>Desktop and Mobile Services <br>Pacific Northwest National Laboratory </font></span></font></span></div></div></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Shawn Geddis <<a href="mailto:geddis@me.com">geddis@me.com</a>><br><span style="font-weight:bold">Date: </span> Tuesday, May 28, 2013 11:44 AM<br><span style="font-weight:bold">To: </span> Staff Member <<a href="mailto:will@pnnl.gov">will@pnnl.gov</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:SmartcardServices-Users@lists.macosforge.org">SmartcardServices-Users@lists.macosforge.org</a>" <<a 
href="mailto:SmartcardServices-Users@lists.macosforge.org">SmartcardServices-Users@lists.macosforge.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [SmartcardServices-Users] Mountain Lion Login window<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Will,</div><div><br></div><div>Questions / comments inline below...</div><div><br></div><div>On May 17, 2013, at 5:43 PM, "Jorgensen, Will A" <<a href="mailto:Will@pnnl.gov">Will@pnnl.gov</a>> wrote:</div><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div>I'm trying to get a PIV card working for login on Mountain Lion. I installed the tokend and driver for the reader.</div></div></div></div></blockquote><div><br></div><div>Just to be sure we know your environment, you installed the PIV tokend from MacOSForge ? As for installing the driver for the reader, why did you need to do that ? Is the reader a non-CCID compliant reader or is it that the built-in CCID Class Driver just did not support that particular one ?</div></div></div></div></span><div><br></div><div><b>Answer</b> – I installed the tokend from MacOSForge. I didn't need to install the driver, but because things weren't working the way I expected, I found the driver from omnikey and installed it. I'm still a little bit new to smart card login so some of this was because I didn't know how things are supposed to work. 
The reader is the omnikey 3121 which I believe is a CCID compliant reader.</div><span id="OLK_SRC_BODY_SECTION"><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><br></div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div>When I'm already logged in, the PIV card shows up in the keychain and the certificates show up as valid (I had to install some root certificates
to get that).</div></div></div></div></blockquote><div><br></div><div>Question again on why you would need to install roots for certificates on a PIV card. Is this a self-generated PIV Card with internal / test identities and not US Federal Government issued Identities ? I ask because the <b>System Root </b>Keychain should already have the necessary CA Roots Certificates for proper trust validation and revocation checking for US Federal Government issued Identities. If not, please let me know what was not there, so that I can correct that.</div></div></div></div></span><div><br></div><div><b>Answer</b> – They are DOE certificates issued by an Entrust Managed Services SSP CA which I didn't see in the system root keychain. Looking at it further, I'm not sure I actually solved it anyway since the certificates in the PIV card show up as being signed by an untrusted user. </div><span id="OLK_SRC_BODY_SECTION"><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><br></div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div> I've used sc_auth to enable the certificate for a local account.</div></div></div></div></blockquote><div><br></div><div>Just a note: This is the generic way to associate a card to a Directory Service account that would work with any supported card that can digitally sign data. This very capability made it possible for DoD Academy graduates to begin using their cards on OS X even though the cards only had an ID Identity and had not been issued with Email Signing Identities - DoD chose to set an Extended Key Usage for Smart Card Login to the Email Signing Certificate. 
</div></div></div></div></span><div><br></div><span id="OLK_SRC_BODY_SECTION"><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><br></div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div>I've tried enabling and disabling the cacloginconfig.plist (my understanding is it should be disabled when logging in to a local account). </div></div></div></div></blockquote><div><br></div><div>There are three methods for associating Smart Cards to your DS Record for authenticated Login:</div></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div>a) <b>PubKeyHash</b><span class="Apple-tab-span" style="font-weight: bold; white-space: pre; ">                        </span>- <b>pubkeyhash</b>;...... in AuthenticationAuthority of DS record</div><div>b) <b>Attribute Matching</b> <span class="Apple-tab-span" style="white-space:pre">        </span>- <b>/etc/cacloginconfig.plist</b> configured to map lookup key in DS</div><div>c) <b>PKINIT</b><span class="Apple-tab-span" style="font-weight: bold; white-space: pre; ">                                </span>- <b>/etc/cacloginconfig.plist</b> & <b>Kerberos</b> configured (ie. bound to AD)</div></div></blockquote><div><div><br></div><div>Default Smart Card <-> DSrecord association is indeed PubKeyHash method which is the use of the PubKeyHash entry in the AuthenticationAuthority attribute of your DS record. 
Out of the box this is the behavior.</div><div><br></div><div>*IF* the <b>/etc/cacloginconfig.plist </b>file exists, then the behavior switches to <b>b)</b> <b>Attribute Matching</b> or <b>c)</b> <b>PKINIT</b> depending on the configuration of your system.</div><div><br></div><div>Configuration for each method:</div><div><b><br></b></div></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div><b>PubKeyHash</b></div></div></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div><ul class="MailOutline"><li>Enable Smart Card Sniffer for Login Window</li><ul><li>Update Authorization Database (<b>/etc/authorization</b>)<span class="Apple-tab-span" style="white-space:pre">        </span>- Add "smartcard-sniffer" entries back in</li><ul><li><span style="letter-spacing: 0px; "><string>builtin:smartcard-sniffer,privileged</string></span></li></ul></ul><li>Add <b>PubKeyHash</b> of an Identity from Smart Card that has <b>key usage</b> of digital signature</li><ul><li>Use the sc_auth command to add the hash from the card entry to your user record</li></ul><li>Switch to Login Window, insert card, enter PIN...</li></ul></div></div></blockquote><div><div><br></div></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div><b>Attribute Matching </b></div><div><b><br></b></div><div><ul class="MailOutline"><li><b><span style="font-weight: normal; ">Enable Smart Card Sniffer for Login Window</span></b></li><ul><li><b><span style="font-weight: normal; ">Update Authorization Database (<b>/etc/authorization</b>)<span class="Apple-tab-span" style="white-space: pre; ">        </span>- Add "smartcard-sniffer" entries back in</span></b></li><ul><li><b><span style="font-weight: normal; "><string>builtin:smartcard-sniffer,privileged</string></span></b></li></ul></ul><li>Add/Create Attribute Matching plist </li><ul><li>Add/Create the /etc/cacloginconfig.plist file<span class="Apple-tab-span" 
style="white-space:pre">                        </span>- option install in current MacOSForge installers</li><li>Set DS lookup key mapping from the Certificate to the DS Attribute.</li></ul><li>Configure selected DS attribute to equal the attribute value being pulled from cert</li><li>Switch to Login Window, insert card, enter PIN...</li></ul><div><br></div><div><b>PKINIT</b></div><div><ul class="MailOutline"><li><b><span style="font-weight: normal; ">Enable Smart Card Sniffer for Login Window</span></b></li><ul><li><b><span style="font-weight: normal; ">Update Authorization Database (<b>/etc/authorization</b>)<span class="Apple-tab-span" style="white-space: pre; ">        </span>- Add "smartcard-sniffer" entries back in</span></b></li><ul><li><span style="letter-spacing: 0px; "><string>builtin:smartcard-sniffer,privileged</string></span></li></ul></ul><li>Add/Create Attribute Matching plist </li><ul><li>Add/Create the /etc/cacloginconfig.plist file<span class="Apple-tab-span" style="white-space: pre; ">                        </span>- option install in current MacOSForge installers</li><ul><li>Default: Cert: NT Principal Name --> DS: dsAttrTypeNative:userPrincipalName </li></ul></ul><li>Configure selected DS Record for Smart Card Login - matching attribute values</li><li>Configure Binding Client --> DS/Kerberos (ie. 
Bind your Mac to AD)</li><ul><li><span style="letter-spacing: 0px; font-size: 12px; font-family: 'Helvetica Neue'; ">If the Mac is bound to a Windows Server 2003, create the com.apple.Kerberos.plist file in </span><span style="letter-spacing: 0px; font-size: 12px; font-family: 'Helvetica Neue'; ">/Library/Preferences</span></li></ul><li>Ensure client trusts Roots</li><ul><li>Trust the Root of Trust Chain for Leaf Cert on Card</li><li>Trust the Root of Trust Chain for AD DC Root of Trust Chain for Server Cert</li></ul><li>Test acquiring a ticket: </li><ul><li><span style="letter-spacing: 0px; font-size: 12px; font-family: 'Courier New'; ">kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise</span></li></ul><li>Switch to Login Window, insert card, enter PIN...</li></ul></div></div></div></blockquote><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div><br></div></div></blockquote><div><div><br></div><div>Give us a status back of your success / issues...</div><div>You might want to turn on DS logging as well. 
You could also run "dsconfigad -show" to show what the configuration is on the box.</div><div><br></div></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div><br></div></div><div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div><div><div><font color="#D37400"><font size="1"><font face="Arial"><span style="font-size: 9pt; ">__________________________________________________</span></font></font></font></div></div></div></div></div></div></blockquote></div><div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div><div><div><font size="1"><span style="font-size: 9pt; "><font face="Verdana,Helvetica,Arial"><b>Will Jorgensen</b></font></span></font></div></div></div></div></div></div></blockquote></div><div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div><div><div><font size="1"><span style="font-size: 9pt; "><font face="Verdana,Helvetica,Arial">
Desktop and Mobile Services </font></span></font></div></div></div></div></div></div></blockquote></div><div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div><div><div><font size="1"><span style="font-size: 9pt; "><font face="Verdana,Helvetica,Arial">
Pacific Northwest National Laboratory </font></span></font></div></div></div></div></div></div></blockquote></div></blockquote><br><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">- Shawn<br>______________________________________________________<br>Shawn Geddis<span class="Apple-tab-span" style="font-weight: normal; white-space: pre; ">                                </span> <span class="Apple-tab-span" style="font-weight: normal; white-space: pre; ">                        </span> <a href="mailto:geddis@me.com">geddis@me.com</a><br>Enterprise Security Consulting Engineer, Apple <a href="mailto:geddis@apple.com">geddis@apple.com</a><br><br>MacOSForge:<span class="Apple-converted-space"> </span><b>Smart Card Services</b><span class="Apple-converted-space"> </span> Project Lead: <br><span class="Apple-tab-span" style="font-weight: normal; white-space: pre; ">        </span>Web:<span class="Apple-tab-span" style="font-weight: normal; white-space: pre; ">        </span><a href="http://smartcardservices.macosforge.org/">http://smartcardservices.macosforge.org/</a><br><span class="Apple-tab-span" style="font-weight: normal; white-space: pre; ">        </span>Lists:<span class="Apple-tab-span" style="font-weight: normal; white-space: pre; ">        </span><a href="http://lists.macosforge.org/mailman/listinfo">http://lists.macosforge.org/mailman/listinfo</a><br>______________________________________________________<br><br><br><br><br><br><br><br><br></div></span></div><br></div></div></span></body></html>
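Added example, not code from this thread, from Apple, or from the MacOSForge Smart Card Services project: a small Python audit script for the step every one of Shawn's three methods starts with, adding the "builtin:smartcard-sniffer,privileged" mechanism back into the system.login.console right of /etc/authorization, plus a helper that states which association method (PubKeyHash, Attribute Matching, or PKINIT) a box will use given whether /etc/cacloginconfig.plist exists and whether the client is bound to DS/Kerberos. It assumes the pre-10.9 /etc/authorization layout (a top-level "rights" dict, a "system.login.console" right with an ordered "mechanisms" array); the placement of the sniffer just before loginwindow:login, the other mechanism names in the sample, and the sample plist itself are constructed assumptions of this example, not taken from the thread.

```python
"""Audit / repair the smart-card sniffer mechanism in an /etc/authorization-style plist.

Added example (not from the mailing-list thread). Assumes the pre-10.9 layout:
rights -> system.login.console -> mechanisms (ordered array of strings).
"""
import sys
import plistlib

SNIFFER = "builtin:smartcard-sniffer,privileged"   # the entry the thread says to add back in
RIGHT = "system.login.console"                     # login-window right that runs the mechanisms
ANCHOR = "loginwindow:login"                       # assumption: sniffer goes just before this

# Constructed sample: a trimmed system.login.console right with the sniffer removed.
# Mechanism names other than SNIFFER are illustrative assumptions, not copied from a real box.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:login-success</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def login_console_mechanisms(plist_bytes):
    """Return the ordered mechanism list of the system.login.console right."""
    data = plistlib.loads(plist_bytes)
    return list(data["rights"][RIGHT]["mechanisms"])


def sniffer_enabled(plist_bytes):
    """True when the login window will run the smart-card sniffer."""
    return SNIFFER in login_console_mechanisms(plist_bytes)


def add_sniffer(plist_bytes):
    """Return plist bytes with the sniffer inserted if it is missing (unchanged otherwise).

    Placement is an assumption of this example: immediately before loginwindow:login,
    so the card is noticed before the login UI asks for credentials. If the anchor
    is absent the sniffer is put first.
    """
    data = plistlib.loads(plist_bytes)
    mechs = data["rights"][RIGHT]["mechanisms"]
    if SNIFFER in mechs:
        return plist_bytes
    idx = mechs.index(ANCHOR) if ANCHOR in mechs else 0
    mechs.insert(idx, SNIFFER)
    return plistlib.dumps(data)


def association_method(cacloginconfig_exists, kerberos_bound):
    """Which card <-> DS record association the login window uses, as the thread describes:
    no /etc/cacloginconfig.plist -> PubKeyHash (the default); with the file present ->
    Attribute Matching, or PKINIT when the client is also bound to DS/Kerberos (e.g. AD)."""
    if not cacloginconfig_exists:
        return "PubKeyHash"
    return "PKINIT" if kerberos_bound else "Attribute Matching"


if __name__ == "__main__":
    # Usage on a 10.8 box:  sudo python3 audit_sniffer.py /etc/authorization
    # With no argument the constructed sample is audited instead.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZATION
    print("sniffer present:", sniffer_enabled(raw))
    if not sniffer_enabled(raw):
        print("repaired mechanisms:", login_console_mechanisms(add_sniffer(raw)))
```

The script only reads the file and prints the repaired mechanism order; writing the result back to /etc/authorization is left to the administrator, who should keep a backup of the original since a malformed authorization database locks the login window.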