I was able to use the token on that machine (using ssh-agent), so I
know OpenSC works (1). I have been able to run the sc_auth commands in the
page, which suggests the tokend works too.
My problem is the /etc/authorization change. The proposed changes do not
match what I have in the file. At the two places, where this is documented:
I have this:
I tried various changes. I have been able to get the login window
telling me I was using a smart card and prompting for the PIN, but it
never logged me in. Moreover, the login window could not start up on
reboot (2). Here is what I have in /etc/authorization prior to any change:
What modification should I make?
On Jun 30, 2010, at 12:19 , Emmanuel Dreyfus wrote:
> This page explains how to set up smart card authentication on MacOS X,
> for the console login:
> http://www.opensc-project.org/sca/wiki/LogonAuthenticate
Please note that there is a (non-bold) description on that page that the change to the /etc/authorization file is only required on OS X 10.4, which is NOT supported by recent OpenSC. Only 10.5 and 10.6 are supported. Any existing packages that work on 10.4 should be taken "AS IS".
I have two comments:
1) If a working tokend is found at boot time, at least some versions of OS X (at least in the 10.5 line, can't recall if it has happened with 10.6 as well) used to send the password entered on the login prompt to the tokend, causing cards to lock up. The login window asks for a password, not a PIN code. This happened without any configuration changes, so it was a bug of OS X.
2) With 10.5 and 10.6, you only need to do sc_auth hash; sudo sc_auth accept -u $USER -h $HASH with the proper hash of your credential and username to which to bind it and it should work.
I personally found usability issues with the smart card logon, so I don't use it.
On Jul 1, 2010, at 07:25 , Emmanuel Dreyfus wrote:
> Martin Paljak <[hidden email]> wrote:
>> Any existing packages that work on 10.4 should be taken "AS IS".
> I did the build on my own. I would like to fix things, but I need some
> hints. A correct /etc/authorization is probably the first step.
How did you build OpenSC.tokend (that depends on 10.5+ APIs in its current source base and was a PAIN to build for 10.4 last time I remember doing it)? You'd have to fetch an older version of OpenSC.tokend from sca SVN for it to work on 10.4 at all (maybe things have changed, don't have a 10.4 machine to try anything out).
I don't think anyone here uses 10.4 or knows how it should work. There was a .pdf findable via Google that described the OS X security systems and also described the authorization file.