Something in your document caught my eye:
" The Tiger release adds greatly enhanced support for smartcards. The
configuration required is much simpler than it was for previous releases,
and in fact, no client-specific customization is required on the clients."
Help me out here: in 10.3 wasn't this easier than the current process of editing
config files by hand?
Install Common Access Viewer App
sudo cac_setup
sudo cac_addid username EDI
- Brian
On 5/9/05 2:45 PM, "Shawn Geddis" <email@hidden> wrote:
> Folks,
>
> As has been discussed a few times now on the list, some of you are
> experiencing difficulties in determining why "Login" is not working
> on your system. Others are new to the Smart Card support on Mac OS X
> 10.3.x/10.4.x. This message should address some of the missing
> information, but should also speak of even greater things to come.
>
> Smart Cards on "Panther" - 10.3.x
> ========================
> Many of you have already downloaded my 105-page Smart Card Setup and
> Configuration Guide for Mac OS X 10.3.x. It walks you through the whole
> process of what configuration changes you need/want to do as well as
> discussing the Smart Card Readers supported.
>
> Many of the Smart Card Services in 10.3 are largely reliant on direct
> PKCS#11 (direct hardware access) as many of you needed to configure
> the supplied PKCS#11 plugin to be used by your desired Netscape/
> Mozilla/Firefox/Thunderbird/... variant. 10.3.x does provide
> cryptographic login using the Smart Cards when you configure that
> system using the cac_setup & cac_addid commands within terminal.
>
>
> Smart Cards in "Tiger" - 10.4.x
> =====================
> Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted
> as keychains for access by any application utilizing Mac OS X's built
> in Cert/Key & Keychain APIs (i.e. Entourage 2004). The architecture
> has changed, but largely from the abstraction layers on top of what
> was already there before. Users and Sys Admins have far less to do
> or worry about than they did with 10.3.x.
>
> Smart Card Services Provided in "Tiger" -10.4.0
>
> * Cryptographic Login to local/network-based accounts (more info to follow below)
> * S/MIME -- Signing and Encrypting of Mail Messages
>     Leading Applications supporting this
>     -- Mail.App (Apple)
>     -- Entourage 2004 (Microsoft)
>     -- Netscape/Mozilla/... software train still works as well...
> * Secure Web Access / Client Side Authentication
>     -- Safari (Apple)
>     -- Netscape/Mozilla/... software train still works as well...
> * VPN (PPTP, L2TP, 802.1X, .... VPN On Demand)
>     -- Internet Connect (Apple)
>
> ** Address Book
> Now also displays the "signing" check symbol just left of email
> addresses that the user has corresponding Public Cert in their
> keychain. The Cert is NOT stored in the keychain, but represents a
> relationship with one in one of the currently active keychains.
>
>
> "Common Access Card Viewer" functionality is largely now available
> since the Smart Cards appear as dynamic keychains. You can view the
> Certificate and Key information as well as change the PIN on the card
> by selecting the "Change Password for Keychain ...". If you still
> feel the need to run the Common Access Card Viewer Utility on Tiger,
> then you need to install it from the Tiger DVD.
>
> The installer for the Common Access Card Viewer Utility is located at:
>
> Mac OS X Install DVD
> /System/Installation/Packages/CommonAccessCard.pkg
>
>
> ** I also placed it on my personal iDisk as well. (see end of message)
>
>
>
> Tiger Smart Card Login Setup
> ======================
> ****** PLEASE DO NOT COPY OVER OR USE PANTHER CONFIGURATIONS ON TO
> YOUR TIGER SYSTEMS !!!!!
>
> Many of you are anxious to enable Smart Card cryptographic login
> right now on your Tiger systems. I have posted a zipped folder on my
> iDisk as well labeled: "TigerSmartcardSetup.zip" which has a Text
> document with initial instructions and examples as well as a 'diff'
> file with the modification for /etc/authorization.
>
> In short:
> *** /etc/authorization is modified for system.login.console
> *** Accounts are, by default, bound to Public Key Hash of the
> User's ID Private Key.
>
> As was the case in 10.3.x, those wanting/needing to use a combination
> of other Card information (i.e. UPN) can still configure the systems
> for your desired combination as well. With Tiger, you will need to
> set up and configure the file: /etc/cacloginconfig.plist
>
> Mac OS X 10.3.x utilized the cac_setup, cac_addid, cac_anchors
> commands and these have been superseded by "sc_auth", located at
> /usr/sbin/sc_auth.
>
> hostname# /usr/sbin/sc_auth -h
> Usage: sc_auth accept [-v] [-u user] [-k keyname]   # by key on inserted card(s)
>        sc_auth accept [-v] [-u user] -h hash        # by known pubkey hash
>        sc_auth remove [-v] [-u user]                # remove all public keys for this user
>        sc_auth hash [-k keyname]                    # print hashes for keys on inserted card(s)
>
>
> Once enabled, there is NO performance degradation if users do not
> have or use Smart Cards. Many agency admins should probably
> consider, currently, making these mods to all systems and therefore
> enabling the use of Smart Cards on ALL systems.
>
> If enabled on a system running Tiger:
> * User inserts a Smart Card (at Login Panel)
> * Login Panel momentarily disappears and then reappears with
> - Smart Card User's Account Name
> - PIN field empty and waiting for entry by user logging in
> * User enters PIN
> * Login Cryptographically validates and unlocks the card
> * User Account is looked for / found in any one of the
> configured DS Servers.
> * User is logged in.
>
>
>
> Outstanding Challenges for Federal Customers:
> ==============================
>
> 1) As of 10.4.0, the modifications for enabling Smart Card Login are
> not enabled by default
> -- A subsequent update to Mac OS X 10.4.x should include
> these by default
>
> 2) The DoD Intermediate CAs are not available to the Keychain List by
> default
> -- Federal Customers within DoD will need to add the
> "X509Certificates" to the list
>
> a) Launch Keychain Access
> b) Select "Edit -> Keychain List"
> c) Select "Show: Mac OS X (System)"
> d) Check "Shared" checkbox next to
> "X509Certificates" (/System/Library/Keychains)
> e) X509Certificates will now appear in the Keychains
> List and will be available for
> Intermediates for the whole trust path
> validation.
>
> 3) As of 10.4.0, Smart Card Login does not currently support the
> unlocking of FileVault protected Home Directories
> ---- You can create Encrypted Images for your folders inside your
> Home Directory and unlock them manually at login
>
>
>
> Shawn's Public iDisk Folder
> ======================
> My Public iDisk can be found at:
>
> 1) Within Mac OS X, select "Go -> iDisk -> Other User's Public Folder..."
>
> geddis
>
> 2) http://homepage.mac.com/geddis/smartcards/FileSharing24.html
>
> Select folder: SmartCards
>
>
>
>
>
> I will be updating and providing my Setup and Configuration Guide for
> Mac OS X 10.4.x as soon as possible.
>
>
> -Shawn
> ___________________________________________
> Shawn Geddis
> Security Consulting Engineer
> Apple Computer - US Federal Government
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/fed-talk/email@hidden
>
> This email sent to email@hidden
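The enrollment procedure Shawn describes for Tiger (run `sc_auth hash` on the inserted card, pick the hash of the user's ID key, then bind the account with `sc_auth accept -u user -h hash`) as an added shell wrapper. This is example code written for this page, not code from the post or from Apple. It assumes things the post does not state: that `sc_auth hash` prints one line per key as "<40-hex-hash> <key name>", that the hash is a 40-hex-character SHA-1 of the public key, and that `AuthenticationAuthority` is the directory attribute the binding ends up in. The sample `sc_auth hash` output embedded below is constructed so the parsing can be exercised on a machine without a reader or card; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of Shawn's post or Apple's tools: a wrapper around
# the Tiger workflow  sc_auth hash -> pick the ID key -> sc_auth accept.
# ASSUMPTIONS (not stated on the page): `sc_auth hash` prints
# "<40-hex-hash> <key name>" per key, the hash is a SHA-1 of the public key,
# and the binding is stored in the user's AuthenticationAuthority attribute.

SC_AUTH=${SC_AUTH:-/usr/sbin/sc_auth}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands that would run

# Constructed sample of `sc_auth hash` output (hashes are made up), used so
# the selection logic can run with no reader or card attached.
SAMPLE_HASH_OUTPUT='0123456789abcdef0123456789abcdef01234567 Identity Certificate
89abcdef0123456789abcdef0123456789abcdef Email Signature Certificate
not-a-hash Bogus Line'

# is_sha1_hex HASH: succeed only if HASH is exactly 40 hex characters.
is_sha1_hex() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# card_key_hashes: output of `sc_auth hash` for the inserted card, or the
# constructed sample when dry-running or when the tool is not installed.
card_key_hashes() {
    if [ "$DRY_RUN" != 1 ] && [ -x "$SC_AUTH" ]; then
        "$SC_AUTH" hash
    else
        printf '%s\n' "$SAMPLE_HASH_OUTPUT"
    fi
}

# pick_hash "hash output" "key-name substring": print the first well-formed
# hash whose key name contains the substring; fail if none matches.
pick_hash() {
    printf '%s\n' "$1" | awk -v want="$2" '
        index($0, want) && length($1) == 40 && $1 ~ /^[0-9a-fA-F]+$/ {
            print $1; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# accept_card_key USER HASH: bind USER to HASH exactly as the post documents
# (sc_auth accept -u USER -h HASH). Malformed hashes are refused up front so
# a typo never becomes a bogus AuthenticationAuthority entry (assumed attr).
accept_card_key() {
    user=$1; keyhash=$2
    if ! is_sha1_hex "$keyhash"; then
        echo "refusing to bind '$user': '$keyhash' is not a 40-hex key hash" >&2
        return 2
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s accept -v -u %s -h %s\n' "$SC_AUTH" "$user" "$keyhash"
        return 0
    fi
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 3; }
    "$SC_AUTH" accept -v -u "$user" -h "$keyhash"
}

# remove_card_keys USER: drop every card binding for USER (sc_auth remove).
remove_card_keys() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s remove -v -u %s\n' "$SC_AUTH" "$1"
    else
        "$SC_AUTH" remove -v -u "$1"
    fi
}

# Usage: DRY_RUN=0 ./enrol.sh USERNAME ["key name substring"]   (default: Identity)
if [ "$#" -ge 1 ]; then
    want=${2:-Identity}
    keyhash=$(pick_hash "$(card_key_hashes)" "$want") || {
        echo "no key matching '$want' on the inserted card" >&2; exit 1; }
    accept_card_key "$1" "$keyhash"
fi
```

Run it once with the default dry run to see the exact `sc_auth accept` line it would issue, then with `DRY_RUN=0` as root on the Tiger box with the card inserted. The key-name match defaults to "Identity" because the post says accounts are bound to the hash of the user's ID key, not the e-mail signing or encryption keys also on a CAC.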