login using smart card on MacOS X.4

login using smart card on MacOS X.4

Emmanuel Dreyfus
Hello

This page explains how to set up smart card authentication on MacOS X
for the console login:
http://www.opensc-project.org/sca/wiki/LogonAuthenticate

I was able to use the token on that machine (using ssh-agent), so I
know OpenSC works (1). I have been able to run the sc_auth commands in the
page, which suggests the tokend works too.

My problem is the /etc/authorization change. The proposed changes do not
match what I have in the file. At the two places where this is documented:
        <string>builtin:authenticate,privileged</string>
I have this:
        <string>authinternal</string>

I tried various changes. I have been able to get the login window
telling me I was using a smart card and prompting for the PIN, but it
never logged me in. Moreover, the login window could not start up on
reboot (2). Here is what I have in /etc/authorization prior to any change.
What modification should I do?

<key>system.login.console</key>
<dict>
(...)
        <key>mechanisms</key>
        <array>
                <string>builtin:auto-login,privileged</string>
                <string>loginwindow_builtin:login</string>
                <string>builtin:reset-password,privileged</string>
                <string>authinternal</string>
                <string>builtin:getuserinfo,privileged</string>
                <string>builtin:sso,privileged</string>
                <string>HomeDirMechanism:login,privileged</string>
                <string>HomeDirMechanism:status</string>
                <string>MCXMechanism:login</string>
                <string>loginwindow_builtin:success</string>
                <string>loginwindow_builtin:done</string>
        </array>
</dict>
(...)
<key>authenticate</key>
<dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>mechanisms</key>
        <array>
                <string>builtin:authenticate</string>
                <string>authinternal</string>
        </array>
</dict>

(1) a patched ccid build was necessary, though: it uses APIs that were
introduced in MacOS X.5

(2) for future reference if someone gets stuck here: you just have to
reboot in single user mode (hold apple-S on boot) and restore the file.

--
Emmanuel Dreyfus
[hidden email]
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
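A small check that anyone editing /etc/authorization by hand might want before rebooting, added here as an example and not part of this thread, of OpenSC, or of the wiki page: it parses an authorization-style plist, lists the mechanisms array of a named right, applies a mechanism substitution across all rights, and re-parses the result so that a file which would leave loginwindow unable to start is caught before it is installed. The embedded plist is constructed from the excerpt above, wrapped in a top-level "rights" dict as a full /etc/authorization has (an assumption for the excerpt); substituting "authinternal" with "builtin:authenticate,privileged" is only the change the post discusses, shown to illustrate the diff, not a claim that it is the correct configuration for 10.4.

```python
import plistlib
from typing import Dict, List, Optional

# Constructed sample modelled on the excerpt in the post above (not the real file).
# Assumption: rights live under a top-level "rights" dict, as in a full /etc/authorization.
CURRENT_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:auto-login,privileged</string>
        <string>loginwindow_builtin:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>authinternal</string>
        <string>builtin:getuserinfo,privileged</string>
        <string>builtin:sso,privileged</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow_builtin:success</string>
        <string>loginwindow_builtin:done</string>
      </array>
    </dict>
    <key>authenticate</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
        <string>authinternal</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_authorization(plist_bytes: bytes) -> dict:
    """Parse the plist; a ValueError here is the kind of defect that breaks loginwindow on reboot."""
    try:
        return plistlib.loads(plist_bytes)
    except Exception as exc:  # plistlib raises InvalidFileException or an expat error
        raise ValueError(f"authorization plist does not parse: {exc}") from exc


def validate(plist_bytes: bytes) -> List[str]:
    """Return a list of problems (empty when the file looks structurally sound)."""
    try:
        doc = parse_authorization(plist_bytes)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    rights = doc.get("rights", doc)  # tolerate an excerpt without the wrapper dict
    for name, entry in rights.items():
        if not isinstance(entry, dict):
            problems.append(f"right {name!r} is not a dict")
            continue
        mechs = entry.get("mechanisms")
        if mechs is not None and not all(isinstance(m, str) and m for m in mechs):
            problems.append(f"right {name!r} has a non-string or empty mechanism entry")
    return problems


def mechanisms(plist_bytes: bytes, right: str) -> Optional[List[str]]:
    """Mechanism list of one right, in evaluation order; None if the right is absent."""
    rights = parse_authorization(plist_bytes).get("rights", {})
    entry = rights.get(right)
    return list(entry.get("mechanisms", [])) if isinstance(entry, dict) else None


def rewrite_mechanism(plist_bytes: bytes, old: str, new: str) -> bytes:
    """Replace every occurrence of `old` in every mechanisms array and serialise again."""
    doc = parse_authorization(plist_bytes)
    hits = 0
    for entry in doc.get("rights", {}).values():
        mechs = entry.get("mechanisms") if isinstance(entry, dict) else None
        for i, m in enumerate(mechs or []):
            if m == old:
                mechs[i] = new
                hits += 1
    if hits == 0:
        raise ValueError(f"mechanism {old!r} not present in any right")
    return plistlib.dumps(doc)


def diff_mechanisms(before: List[str], after: List[str]) -> Dict[str, List[str]]:
    """What a proposed edit adds and removes, so the change can be reviewed before installing it."""
    return {"removed": [m for m in before if m not in after],
            "added": [m for m in after if m not in before]}


if __name__ == "__main__":
    # Illustrative substitution only; the thread does not settle whether this is right for 10.4.
    proposed = rewrite_mechanism(CURRENT_AUTHORIZATION, "authinternal", "builtin:authenticate,privileged")
    for right in ("system.login.console", "authenticate"):
        print(right, diff_mechanisms(mechanisms(CURRENT_AUTHORIZATION, right), mechanisms(proposed, right)))
    print("problems:", validate(proposed))
```

Run the script against a copy of the real file (read it as bytes) rather than the embedded sample; only install the rewritten output once validate() returns an empty list, and keep the original copy for the single-user-mode restore described in footnote (2).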
Re: login using smart card on MacOS X.4

Martin Paljak-2
Hello,
On Jun 30, 2010, at 12:19, Emmanuel Dreyfus wrote:
> This page explains how to setup smart card authentication on MacOS X,
> for the console login:
> http://www.opensc-project.org/sca/wiki/LogonAuthenticate
Please note that there is a (non-bold) description on that page that the change to the /etc/authorization file is only required on OS X 10.4, which is NOT supported by recent OpenSC. Only 10.5 and 10.6 are supported. Any existing packages that work on 10.4 should be taken "AS IS".

I have two comments:
1) if a working tokend is found at boot time, at least some versions of OS X (at least in the 10.5 line; can't recall if it has happened with 10.6 as well) used to send the password entered on the login prompt to the tokend, causing cards to lock up. The login window asks for a password, not a PIN code. This happened without any configuration changes, so it was a bug of OS X.
2) With 10.5 and 10.6, you only need to do "sc_auth hash; sudo sc_auth accept -u $USER -h $HASH" with the proper hash of your credential and the username to which to bind it, and it should work.

I personally found usability issues with the smart card logon, so I don't use it.

--
Martin Paljak
@martinpaljak.net
+3725156495

Re: login using smart card on MacOS X.4

Emmanuel Dreyfus
Martin Paljak <[hidden email]> wrote:

> Any existing packages that work on 10.4 should be taken "AS IS".

I did the build on my own. I would like to fix things, but I need some
hints. A correct /etc/authorization is probably the first step.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
[hidden email]
Re: login using smart card on MacOS X.4

Martin Paljak-2

On Jul 1, 2010, at 07:25, Emmanuel Dreyfus wrote:

> Martin Paljak <[hidden email]> wrote:
>
>> Any existing packages that work on 10.4 should be taken "AS IS".
>
> I did the build on my own. I would like to fix things, but I need some
> hints. A correct /etc/authorization is probably the first step.
How did you build OpenSC.tokend (which depends on 10.5+ APIs in its current source base and was a PAIN to build for 10.4 last time I remember doing it)? You'd have to fetch an older version of OpenSC.tokend from sca SVN for it to work on 10.4 at all (maybe things have changed; I don't have a 10.4 machine to try anything out).

I don't think anyone here uses 10.4 or knows how it should work. There was a .pdf findable via Google that described the OS X security systems and also described the authorization file.

--
Martin Paljak
@martinpaljak.net
+3725156495

Re: login using smart card on MacOS X.4

Emmanuel Dreyfus
Martin Paljak <[hidden email]> wrote:

> How did you build OpenSC.tokend

I took it from SCA. I did the build for ccid and opensc.


--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
[hidden email]
Re: login using smart card on MacOS X.4

SiR GadaBout
Here's the link to Apple's official Smart Card setup guide for 10.4.

