Re: Get current 'active' user from a service/tokend

On Aug 4, 2009, at 11:49 PM, Martin Paljak wrote:

> On 04.08.2009, at 22:00, email@hidden wrote:
>> PIN control (and other access control machinery) is managed,
>> transparently, *per security session*. For example, if you insert a
>> card, enter the PIN, then fast-user-switch out and let someone else
>> log in, they will need to re-enter the PIN to use the card, but if
>> they do they can. (There is some trickery happening behind the scenes
>> for this. Your tokend does not actually notice the sharing.)
>
> How does this happen? How does this translate to card resets and actual ACLs on the card vs just "popping up a PIN window"? Does Securityd (or all Tokends) reset the card when fast user switching happens?

Maybe, but probably not. Securityd filters PINs provided to the card and (re)validates its ACLs when a different session wants access. Yes, you're trusting securityd to get this right (and it does this based on the ACLs your tokend sends it); but then if securityd is broken, you can't trust the entire system (the one your user just typed the PIN into).


>> One caveat: a tokend *may* vend ACLs that require interactive PIN
>> provision (i.e. it won't accept a PIN provided programmatically and is
>> only satisfied with a PIN prompted directly from the graphic session
>> user). That implicitly locks out remote users because they can't get
>> those prompt dialogs.
>
> Once you design pinpads into the system it is pretty much manageable to have access restrictions that depend on physical access to the machine (yes, you can do fancy usb-over-ssh at least on Linux but that does not count). I'm sure there are many applications (and thus tokends) that would like to set such an ACL bit.

It's the difference between CSSM_*_PROMPTED_PASSWORD and CSSM_*_PASSWORD. PROMPTED is for "ask the user and send it in"; plain PASSWORD is for providing it in the ACL credential directly. Used directly, this checks the PIN each time; wrap a PREAUTH ACL around that to describe locking PIN slots. Resets are handled automatically (if your tokend returns proper error codes). Read The Open Source (or, failing that, get the tokend-development package from DTS, which will cost you a support incident).


Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------
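The behaviour described in this exchange (a PASSWORD subject re-checked on every use, a PROMPTED_PASSWORD subject that refuses programmatic PINs and sessions without a console, and a PREAUTH wrapper that remembers a successful check per security session so a fast-user-switched session starts locked) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not code from the thread, from securityd, or from the CDSA headers. The subject_type enum, the session and credential structs, the per-session preauth table and the card_verify stub (which accepts the constructed PIN "1234") are all local assumptions standing in for CSSM_ACL_SUBJECT_TYPE_* and a real VERIFY sent to the card.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Subject types modelled on the CSSM ACL distinction in the thread.
 * Defined locally for the example; not taken from cssmtype.h. */
typedef enum {
    SUBJ_PASSWORD,           /* PIN supplied in the credential by the caller */
    SUBJ_PROMPTED_PASSWORD,  /* PIN must come from a prompt in the console session */
    SUBJ_PREAUTH             /* wrapper: inner subject checked once per session */
} subject_type;

typedef struct {
    int  id;             /* index into the per-session preauth table */
    bool has_console;    /* owns the graphic console (false for ssh/remote users) */
} session;

typedef struct {
    const char *pin;     /* NULL if the caller supplied nothing */
    bool interactive;    /* gathered by a prompt shown to the session's user */
} credential;

#define MAX_SESSIONS 8
typedef struct {
    subject_type type;
    subject_type inner;               /* used when type == SUBJ_PREAUTH */
    bool preauth_ok[MAX_SESSIONS];    /* per-session "PIN slot already unlocked" */
} acl_entry;

/* Stand-in for sending VERIFY to the card (assumption: constructed PIN 1234).
 * The counter lets a caller see how often the card was actually asked. */
static int verify_calls;
static bool card_verify(const char *pin) {
    verify_calls++;
    return pin != NULL && strcmp(pin, "1234") == 0;
}
int  card_verify_calls(void)  { return verify_calls; }
void card_reset_counter(void) { verify_calls = 0; }

static bool check_subject(subject_type t, const session *s, const credential *c) {
    switch (t) {
    case SUBJ_PASSWORD:
        return card_verify(c->pin);
    case SUBJ_PROMPTED_PASSWORD:
        /* Refuse programmatic PINs and sessions that cannot show a prompt,
         * before the card is touched: this is what locks remote users out. */
        if (!s->has_console || !c->interactive) return false;
        return card_verify(c->pin);
    default:
        return false;
    }
}

/* Evaluate one ACL entry for one session. A PREAUTH wrapper remembers a
 * successful inner check per session, so a different session (after a
 * fast user switch) must satisfy the inner subject again. */
bool acl_evaluate(acl_entry *e, const session *s, const credential *c) {
    if (s->id < 0 || s->id >= MAX_SESSIONS) return false;
    if (e->type != SUBJ_PREAUTH) return check_subject(e->type, s, c);
    if (e->preauth_ok[s->id]) return true;
    bool ok = check_subject(e->inner, s, c);
    e->preauth_ok[s->id] = ok;
    return ok;
}

/* Card removal or reset: every session's preauth state is forgotten. */
void acl_card_reset(acl_entry *e) { memset(e->preauth_ok, 0, sizeof e->preauth_ok); }

int main(void) {
    acl_entry slot = { SUBJ_PREAUTH, SUBJ_PROMPTED_PASSWORD, {0} };
    session console = { 0, true }, remote = { 1, false };
    credential prompted = { "1234", true }, programmatic = { "1234", false };

    printf("console, prompted PIN:    %d\n", acl_evaluate(&slot, &console, &prompted));
    printf("console again (cached):   %d (card asked %d times)\n",
           acl_evaluate(&slot, &console, &prompted), card_verify_calls());
    printf("remote, programmatic PIN: %d\n", acl_evaluate(&slot, &remote, &programmatic));
    acl_card_reset(&slot);
    printf("console after card reset: %d (card asked %d times)\n",
           acl_evaluate(&slot, &console, &prompted), card_verify_calls());
    return 0;
}
```

The model only tracks the daemon's view of who has unlocked what; on a real card the verified state is global to the card, which is exactly why the gating has to happen in the daemon (here, before card_verify is reached) rather than relying on the card to tell sessions apart.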

