Folks,

As has been discussed a few times now on the list, some of you are experiencing difficulties in determining why "Login" is not working on your system. Others are new to the Smart Card support on Mac OS X 10.3.x/10.4.x. This message should address some of the missing information, but should also speak of even greater things to come.
Smart Cards on "Panther" - 10.3.x
========================
Many of you have already downloaded my 105-page Smart Card Setup and Configuration Guide for Mac OS X 10.3.x. It walks you through the whole process of what configuration changes you need/want to do, as well as discussing the Smart Card Readers supported.
Much of the Smart Card Services in 10.3 is largely reliant on direct PKCS#11 (direct hardware access), as many of you needed to configure the supplied PKCS#11 plugin to be used by your desired Netscape/Mozilla/Firefox/Thunderbird/... variant. 10.3.x does provide cryptographic login using the Smart Cards when you configure that system using the cac_setup & cac_addid commands within Terminal.
Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted as keychains for access by any application utilizing Mac OS X's built-in Cert/Key & Keychain APIs (e.g. Entourage 2004). The architecture has changed, but largely from the abstraction layers on top of what was already there before. Users and Sys Admins have far less to do or worry about than they did with 10.3.x.
Smart Card Services Provided in "Tiger" - 10.4.0
* Cryptographic Login to local/network-based accounts (more info to follow below)
* S/MIME -- Signing and Encrypting of Mail Messages
  Leading Applications supporting this:
  -- Mail.app (Apple)
  -- Entourage 2004 (Microsoft)
  -- Netscape/Mozilla/... software train still works as well...
* Secure Web Access / Client Side Authentication
  -- Safari (Apple)
  -- Netscape/Mozilla/... software train still works as well...
* VPN (PPTP, L2TP, 802.1X, .... VPN On Demand)
  -- Internet Connect (Apple)
** Address Book
Now also displays the "signing" check symbol just left of email addresses for which the user has a corresponding Public Cert in their keychain. The Cert is NOT stored in the keychain, but represents a relationship with one in one of the currently active keychains.
"Common Access Card Viewer" functionality is largely now available since the Smart Cards appear as dynamic keychains. You can view the Certificate and Key information as well as change the PIN on the card by selecting "Change Password for Keychain ...". If you still feel the need to run the Common Access Card Viewer Utility on Tiger, then you need to install it from the Tiger DVD.

The installer for the Common Access Card Viewer Utility is located at:
Mac OS X Install DVD
/System/Installation/Packages/CommonAccessCard.pkg
** I also placed it on my personal iDisk as well. (see end of message)
Tiger Smart Card Login Setup
======================
****** PLEASE DO NOT COPY OVER OR USE PANTHER CONFIGURATIONS ON TO YOUR TIGER SYSTEMS !!!!!
Many of you are anxious to enable Smart Card cryptographic login right now on your Tiger systems. I have posted a zipped folder on my iDisk as well, labeled "TigerSmartcardSetup.zip", which has a Text document with initial instructions and examples as well as a 'diff' file with the modification for /etc/authorization.
In short:
*** /etc/authorization is modified for system.login.console
*** Accounts are, by default, bound to the Public Key Hash of the User's ID Private Key.
As was the case in 10.3.x, those wanting/needing to use a combination of other Card information (e.g. UPN) can still configure the systems for your desired combination as well. With Tiger, you will need to set up and configure the file /etc/cacloginconfig.plist.

Mac OS X 10.3.x utilized the cac_setup, cac_addid, cac_anchors commands, and these have been superseded by "sc_auth", located in /usr/sbin/sc_auth.
hostname# /usr/sbin/sc_auth -h
Usage: sc_auth accept [-v] [-u user] [-k keyname]  # by key on inserted card(s)
       sc_auth accept [-v] [-u user] -h hash       # by known pubkey hash
       sc_auth remove [-v] [-u user]               # remove all public keys for this user
       sc_auth hash [-k keyname]                   # print hashes for keys on inserted card(s)
Once enabled, there is NO performance degradation if users do not have or use Smart Cards. Many agency admins should probably consider, currently, making these mods to all systems and therefore enabling the use of Smart Cards on ALL systems.
If enabled on a system running Tiger:
* User inserts a Smart Card (at Login Panel)
* Login Panel momentarily disappears and then reappears with
  - Smart Card User's Account Name
  - PIN field empty and waiting for entry by user logging in
* User enters PIN
* Login cryptographically validates and unlocks the card
* User Account is looked for / found in any of the configured DS Servers
* User is logged in
Outstanding Challenges for Federal Customers:
==============================
1) As of 10.4.0, the modifications for enabling Smart Card Login are not enabled by default
   -- A subsequent update to Mac OS X 10.4.x should include these by default
2) The DoD Intermediate CAs are not available to the Keychain List by default
   -- Federal Customers within DoD will need to add the "X509Certificates" to the list
      a) Launch Keychain Access
      b) Select "Edit -> Keychain List"
      c) Select "Show: Mac OS X (System)"
      d) Check the "Shared" checkbox next to "X509Certificates" (/System/Library/Keychains)
      e) X509Certificates will now appear in the Keychains List and will be available for Intermediates for the whole trust path validation.
3) As of 10.4.0, Smart Card Login does not currently support the unlocking of FileVault protected Home Directories
   -- You can create Encrypted Images for your folders inside your Home Directory and unlock them manually at login
Shawn's Public iDisk Folder
======================
My Public iDisk can be found at:
1) Within Mac OS X, select "Go -> iDisk -> Other User's Public Folder...": geddis
2) http://homepage.mac.com/geddis/smartcards/FileSharing24.html
   Select folder: SmartCards

I will be updating and providing my Setup and Configuration Guide for Mac OS X 10.4.x as soon as possible.

-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
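Added example, not part of Shawn's message and not the diff shipped in TigerSmartcardSetup.zip: a small Python helper that checks the `system.login.console` right in a copy of /etc/authorization and inserts a smart card mechanism into its `mechanisms` array exactly once, refusing to edit if the right or the expected neighbouring mechanism is missing. The mechanism name `builtin:smartcard-sniffer,privileged`, the choice to insert it before `builtin:authenticate,privileged`, and the abbreviated sample plist are assumptions for illustration; take the real edit from the posted diff. Run it against a copy first (`cp /etc/authorization /tmp/authorization`), never against the live file until the change is verified.

```python
"""Check/patch the system.login.console right in a copy of /etc/authorization.

Added example (not the TigerSmartcardSetup.zip diff). Mechanism name,
insertion point and the sample plist are assumptions for illustration.
"""
import plistlib

RIGHT = "system.login.console"
# ASSUMED mechanism name: stands in for whatever the posted diff adds.
SMARTCARD_MECH = "builtin:smartcard-sniffer,privileged"
# ASSUMED insertion point: run the smart card step before the password
# authenticate step so the login panel can switch to PIN entry.
INSERT_BEFORE = "builtin:authenticate,privileged"

# CONSTRUCTED, abbreviated stand-in for a Tiger-era /etc/authorization.
SAMPLE_AUTHORIZATION = plistlib.dumps({
    "rights": {
        RIGHT: {
            "class": "evaluate-mechanisms",
            "mechanisms": [
                "builtin:auto-login,privileged",
                "loginwindow:login",
                "builtin:reset-password,privileged",
                INSERT_BEFORE,
                "loginwindow:success",
            ],
        },
    },
    "rules": {},
})


def mechanisms(data: bytes, right: str = RIGHT) -> list:
    """Return the mechanism list for `right`.

    Raises instead of returning [] when the right is missing or is not an
    evaluate-mechanisms right: a silent miss would leave login on the
    password-only path with no visible error.
    """
    db = plistlib.loads(data)
    try:
        entry = db["rights"][right]
    except KeyError as exc:
        raise KeyError(f"{right} not found in authorization db") from exc
    if entry.get("class") != "evaluate-mechanisms":
        raise ValueError(f"{right} has class {entry.get('class')!r}, "
                         "expected evaluate-mechanisms")
    return list(entry.get("mechanisms", []))


def has_smartcard(data: bytes, mech: str = SMARTCARD_MECH) -> bool:
    """True if the smart card mechanism is already wired into the right."""
    return mech in mechanisms(data)


def enable_smartcard(data: bytes, mech: str = SMARTCARD_MECH,
                     before: str = INSERT_BEFORE) -> tuple:
    """Return (plist_bytes, changed). Idempotent: a second run changes nothing.

    The mechanism is inserted once, immediately before `before`; if `before`
    is absent the function refuses rather than guessing a position.
    """
    db = plistlib.loads(data)
    mechs = mechanisms(data)
    if mech in mechs:
        return data, False
    if before not in mechs:
        raise ValueError(f"{before} not in {RIGHT} mechanisms; "
                         "refusing to guess an insertion point")
    mechs.insert(mechs.index(before), mech)
    db["rights"][RIGHT]["mechanisms"] = mechs
    return plistlib.dumps(db), True


def patch_file(path: str) -> bool:
    """Patch `path` in place; returns True if it was modified."""
    with open(path, "rb") as fh:
        data = fh.read()
    new, changed = enable_smartcard(data)
    if changed:
        with open(path, "wb") as fh:
            fh.write(new)
    return changed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("patched" if patch_file(sys.argv[1]) else "already enabled")
    else:
        patched, changed = enable_smartcard(SAMPLE_AUTHORIZATION)
        print(changed, mechanisms(patched))
```

After patching, diff the copy against the original and confirm that only the `system.login.console` mechanisms array changed before moving the file into place; the error-on-missing-right behaviour is what stops a Panther-style file, which has no such right, from being "patched" into something loginwindow will not evaluate.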