Mailing Lists: Apple Mailing Lists


Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT



If you can, try getting your hands on a non-flashed ActivCard reader, install the ActivCard v2 driver and see if that works.  Like I said earlier, it works great for me.

mike

Michael D. Chute

BSL-3 Lab Manager

Naval Medical Research Center

Biological Defense Research Directorate

Suite 1N29

503 Robert Grant Ave

Silver Spring, MD 20910

Voice: 301-319-7529

Fax: 301-319-7513


On May 23, 2005, at 5:26 PM, Brian Raymond wrote:

The "flashed" ActivCard readers might be the common theme, I should have
been more clear in my first post that it's a flashed ActivCard reader and
not actually an SCM reader I use. It would be interesting if the process of
flashing used to make them work with 10.3 initially is now causing us pain
in 10.4.

- Brian


On 5/23/05 4:39 PM, "Brian Cadwell" <email@hidden> wrote:


We have noticed a few of our "flashed" ActivCard readers won't work in 10.4
but the same hardware did work in 10.3. We didn't look into it very deeply,
it seems to be hit and miss. We did install the ActivCard drivers from
Shawn's idisk, and all the "unflashed" ActivCard readers we tried work fine.
The drivers are probably a red herring, but I mention it for completeness.
Anyone else notice this? On my iMac G5 I can use either my flashed or
unflashed card reader.

Also remember, if you try to use the card reader program (installable from
the DVD) and it crashes, you'll need to reset your card reader for anything
to work after that. Just unplug it and reinsert it.

I can't get Entourage to use my CAC however... It sees the certificate but
errors out with the ever popular "unknown error" when I try to send a signed
message.  

bc


On 5/23/05 3:59 PM, "Brian Raymond" <email@hidden> wrote:


Shawn et al,

I wanted to send this out to the list since it seems there are some problems
with getting CAC cards working in 10.4. More so than logging in, Web site
access is important for myself and others because of the new PKI-only
policies for some public sites.

Have you run into any problems or are things smooth for the most part?

Details of our problems below..

I'm running a SCM 331 reader (CCID firmware), which works fine on 10.3

- Brian


On 5/23/05 10:10 AM, "Michael Kluskens" <email@hidden> wrote:


I was able to sign email using Mozilla.  That's all I have working.
Could be that I got that because I imported my files and settings
from my firewire backup.

I have not edited any CAC related setting files and that keychain
setting for X509 won't stick for me, even without closing the program.

I hope nothing bad got imported from my firewire backup.

Like you, I can no longer visit CAC restricted web sites using
Mozilla (or Safari).

Michael

ps. I had formatted my disk case-sensitive so I needed to import my
files rather than do a simple upgrade.

On May 23, 2005, at 9:22 AM, Brian Raymond wrote:


Interesting you mention the web site access.

I can't get web site access with my CAC to work either in 10.4. It works
fine in 10.3 with Safari and Firefox but so far I get it to hang for a
couple of minutes before throwing an error. Along with that, Keychain hangs
when trying to access my smart card.

Another exciting side effect: if I leave my smart card in I can't go to any
SSL web sites without the browser choking while trying to negotiate the SSL
connection.



- Brian

On 5/23/05 8:29 AM, "Michael Kluskens" <email@hidden> wrote:



I think he is referring to the fact that you only have to do all the fancy
stuff if you want to enable login via the CAC cards (which is not required
for PC users anyway, so I'm not worrying about enabling it for the
Mac users).

Web site CAC access just works, insert card and go to a web site
using Safari.

EXCEPT for the simple fact that I get "The client certificate has
been revoked" instead, nice.

Also, I see no way to sign mail in OS X Mail.

Could be side effect of having a boot disk that is case-sensitive,
the only reason I upgraded to 10.4 (also the only reason I upgraded
our OS X server to 10.3)

Michael


On May 22, 2005, at 10:02 PM, Brian Raymond wrote:



Something in your document caught my eye:

" The Tiger release adds greatly enhanced support for smartcards.
The
configuration required is much simpler than it was for previous
releases,
and in fact, no client-specific customization is required on the
clients."

Help me out here, in 10.3 wasn't this easier then current process
of editing
config files by hand:

Install Common Access Viewer App

sudo cac_setup
sudo cac_addid username EDI

- Brian


On 5/9/05 2:45 PM, "Shawn Geddis" <email@hidden> wrote:




Folks,

As has been discussed a few times now on the list, some of you are
experiencing difficulties in determining why "Login" is not working
on your system.  Others are new to the Smart Card support on Mac OS X
10.3.x/10.4.x.  This message should address some of the missing
information, but should also speak of even greater things to come.

Smart Cards on "Panther" - 10.3.x
========================
Many of you have already downloaded my 105-page Smart Card Setup and
Configuration Guide for Mac OS X 10.3.x.  It walks you through the whole
process of what configuration changes you need/want to do as well as
discussing the Smart Card Readers supported.

Much of the Smart Card Services in 10.3 is largely reliant on direct
PKCS#11 (direct hardware access), as many of you needed to configure
the supplied PKCS#11 plugin to be used by your desired Netscape/
Mozilla/Firefox/Thunderbird/... variant.  10.3.x does provide
cryptographic login using the Smart Cards when you configure that
system using the cac_setup & cac_addid commands within Terminal.


Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted
as keychains for access by any application utilizing Mac OS X's built-in
Cert/Key & Keychain APIs (i.e. Entourage 2004).  The architecture
has changed, but largely from the abstraction layers on top of what
was already there before.  Users and Sys Admins have far less to do
or worry about than they did with 10.3.x.

Smart Card Services Provided in "Tiger" - 10.4.0

     * Cryptographic Login to local/network-based accounts    (more info to follow below)
     * S/MIME -- Signing and Encrypting of Mail Messages
           Leading Applications supporting this
             -- Mail.App              (Apple)
             -- Entourage 2004        (Microsoft)
             -- Netscape/Mozilla/... software train still works as well...
     * Secure Web Access / Client Side Authentication
             -- Safari                (Apple)
             -- Netscape/Mozilla/... software train still works as well...
     * VPN    (PPTP, L2TP, 802.1X, .... VPN On Demand)
             -- Internet Connect      (Apple)

** Address Book
Now also displays the "signing" check symbol just left of email
addresses for which the user has a corresponding Public Cert in their
keychain.  The Cert is NOT stored in the keychain, but represents a
relationship with one in one of the currently active keychains.


"Common Access Card Viewer" functionality is largely now available
since the Smart Cards appear as dynamic keychains.  You can view
the
Certificate and Key information as well as change the PIN on the
card
by selecting the "Change Password for Keychain ...".   If you still
feel the need to run the Common Access Card Viewer Utility on
Tiger,
then you need to install it from the Tiger DVD.

The installer for the Common Access Card Viewer Utility is located
at:

     Mac OS X Install DVD
             /System/Installation/Packages/CommonAccessCard.pkg


         ** I also placed it on my personal iDisk as well.  (see end of message)



Tiger Smart Card Login Setup
======================
****** PLEASE DO NOT COPY OVER OR USE PANTHER CONFIGURATIONS ON TO YOUR TIGER SYSTEMS !!!!!

Many of you are anxious to enable Smart Card cryptographic login
right now on your Tiger systems.  I have posted a zipped folder on my
iDisk as well, labeled "TigerSmartcardSetup.zip", which has a Text
document with initial instructions and examples as well as a 'diff'
file with the modification for /etc/authorization.

In short:
     ***  /etc/authorization is modified for system.login.console
     ***  Accounts are, by default, bound to the Public Key Hash of the
          User's ID Private Key.

As was the case in 10.3.x, those wanting/needing to use a combination
of other Card information (i.e. UPN) can still configure the systems
for your desired combination as well.  With Tiger, you will need to
set up and configure the file:  /etc/cacloginconfig.plist

Mac OS X 10.3.x utilized the cac_setup, cac_addid and cac_anchors
commands; these have been superseded by "sc_auth", located in
/usr/sbin/sc_auth.

hostname#  /usr/sbin/sc_auth -h
     Usage:  sc_auth accept [-v] [-u user] [-k keyname]   # by key on inserted card(s)
             sc_auth accept [-v] [-u user] -h hash        # by known pubkey hash
             sc_auth remove [-v] [-u user]                # remove all public keys for this user
             sc_auth hash [-k keyname]                    # print hashes for keys on inserted card(s)


Once enabled, there is NO performance degradation if users do not
have or use Smart Cards.  Many agency admins should probably
consider, currently, making these mods to all systems and therefore
enabling the use of Smart Cards on ALL systems.

If enabled on a system running Tiger:
     * User inserts a Smart Card (at Login Panel)
     * Login Panel momentarily disappears and then reappears with
             - Smart Card User's Account Name
             - PIN field empty and waiting for entry by user logging in
     * User enters PIN
     * Login cryptographically validates and unlocks the card
     * User Account is looked for / found in any one of the configured DS Servers
     * User is logged in.



Outstanding Challenges for Federal Customers:
==============================

1) As of 10.4.0, the modifications for enabling Smart Card Login are
not enabled by default
         -- A subsequent update to Mac OS X 10.4.x should include these by default

2) The DoD Intermediate CAs are not available to the Keychain List by default
         -- Federal Customers within DoD will need to add the
            "X509Certificates" to the list

             a) Launch Keychain Access
             b) Select "Edit -> Keychain List"
             c) Select "Show: Mac OS X (System)"
             d) Check the "Shared" checkbox next to "X509Certificates"     (/System/Library/Keychains)
             e) X509Certificates will now appear in the Keychains List and will be
                available for Intermediates for the whole trust path validation.

3) As of 10.4.0, Smart Card Login does not currently support the
unlocking of FileVault protected Home Directories
         -- You can create Encrypted Images for your folders inside your
            Home Directory and unlock them manually at login



Shawn's Public iDisk Folder
======================
My Public iDisk can be found at:

1)   Within Mac OS X, select "Go -> iDisk -> Other User's Public Folder..."

            geddis

     Select folder:  SmartCards


I will be updating and providing my Setup and Configuration Guide for
Mac OS X 10.4.x as soon as possible.


-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
40dataline.com

This email sent to email@hidden





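The login flow Shawn lays out above (account bound to the hash of the user's public key via sc_auth accept/remove/hash, PIN entry at the panel, cryptographic validation of the card, then the account lookup) as a runnable Python model. This is an added example, not code from this thread or from Apple. The toy RSA key sizes, the SHA-1 encoding used for the key hash, the challenge/response step and the in-memory "directory" standing in for the DS servers are all assumptions; the real sc_auth writes the binding into the directory service rather than into a dict.

```python
"""Toy model of Tiger-style smart card login bound to a public-key hash.

Added illustration, not code from the Fed-Talk thread or from Apple. The
directory binding (sc_auth accept / remove / hash), the PIN unlock and the
cryptographic validation at login follow the flow described in the thread;
the RSA key sizes, the key-hash encoding and the record format are assumed.
"""
import hashlib
import os


# --- toy RSA: fixed ~30-bit primes, constructed; NOT a real CAC key size ---
def make_keypair(p=1000000007, q=998244353, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # modular inverse (Python 3.8+)
    return (n, e), (n, d)                  # (public, private)


def _digest_int(data: bytes) -> int:
    # 56-bit truncation keeps the value below the toy modulus (~2^59)
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")


def pubkey_hash(pub) -> str:
    """SHA-1 hex over a canonical encoding of the public key, playing the
    role of what `sc_auth hash` prints (the encoding here is an assumption)."""
    n, e = pub
    return hashlib.sha1(n.to_bytes(16, "big") + e.to_bytes(4, "big")).hexdigest()


class SmartCard:
    """The private key never leaves the card; signing needs a PIN unlock."""

    def __init__(self, holder, pub, priv, pin, retries=3):
        self.holder, self.pub, self._priv, self._pin = holder, pub, priv, pin
        self.retries_left, self.unlocked = retries, False

    def unlock(self, pin: str) -> bool:
        if self.retries_left == 0 or pin != self._pin:
            self.retries_left = max(0, self.retries_left - 1)
            return False
        self.retries_left, self.unlocked = 3, True
        return True

    def sign(self, challenge: bytes) -> int:
        if not self.unlocked:
            raise PermissionError("card locked: PIN required before signing")
        n, d = self._priv
        return pow(_digest_int(challenge), d, n)


class Directory:
    """Stand-in for the DS server: key hash -> account name (assumed layout).
    Methods mirror the sc_auth subcommands quoted in the thread."""

    def __init__(self):
        self.bindings = {}

    def accept(self, user, card):          # sc_auth accept -u user  (card inserted)
        self.bindings[pubkey_hash(card.pub)] = user

    def accept_hash(self, user, h):        # sc_auth accept -u user -h hash
        self.bindings[h] = user

    def remove(self, user):                # sc_auth remove -u user
        self.bindings = {h: u for h, u in self.bindings.items() if u != user}

    def lookup(self, h):
        return self.bindings.get(h)


def login(card, pin, directory, rng=os.urandom):
    """Login panel flow: account from key hash, PIN, then proof of possession.
    Returns the account name, or a string saying why login was refused."""
    user = directory.lookup(pubkey_hash(card.pub))
    if user is None:
        return "no account bound to this card's key"
    if not card.unlock(pin):
        if card.retries_left == 0:
            return "card blocked"
        return "PIN rejected (%d attempts left)" % card.retries_left
    # A hash match only says which account the card *claims*; the card must
    # still sign a fresh challenge that verifies under that same public key.
    challenge = rng(32)
    n, e = card.pub
    if pow(card.sign(challenge), e, n) != _digest_int(challenge):
        return "signature did not verify"
    return user


if __name__ == "__main__":
    ds = Directory()
    alice = SmartCard("alice", *make_keypair(), pin="1234")
    print(login(alice, "1234", ds))        # not bound yet
    ds.accept("alice", alice)
    print(login(alice, "1234", ds))        # alice
```

The point worth keeping from the model: the public-key hash only selects which account the card claims, exactly as the empty PIN field with a pre-filled account name does at the Tiger login panel. What authenticates the user is the PIN unlock plus a signature over a fresh challenge that verifies under the public key whose hash is bound; a card that presents someone else's public key but holds a different private key fails at that step, and a card whose retry counter is exhausted is refused even with the right PIN.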