Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Brian Raymond <email@hidden>
- Date: Mon, 23 May 2005 16:31:30 -0400
I followed Shawn's instructions as well; the only difference I can see from
your configuration is you are using the ActivCard driver. Maybe there is an
issue with the SCM driver?
Is anyone using an SCM 331 successfully?
- Brian
On 5/23/05 4:08 PM, "Michael Chute" <email@hidden> wrote:
> Brian;
>
> I haven't had any trouble getting it to work. I can visit PKI sites
> (I have only visited infosec, but it works fine). I can sign and
> encrypt using Mail or Entourage. I followed Shawn's instructions for
> enabling login to update the authorization file and such, which wasn't
> hard to do. I am running an ActivCard reader using the ActivCard v2
> driver. I do know that you must not have any of the ActivCard
> software except the driver on the machine. Did you enable the X509
> certificates through Keychain Access?
>
> Mike
>
>> Shawn et al,
>>
>> I wanted to send this out to the list since it seems there are some
>> problems with getting CAC cards working in 10.4. More so than logging in,
>> Web Site access is important for myself and others because of the new
>> PKI-only policies for some public sites.
>>
>> Have you run into any problems or are things smooth for the most part?
>>
>> Details of our problems below.
>>
>> I'm running a SCM 331 reader (CCID firmware), which works fine on 10.3
>>
>> - Brian
>>
>>
>> On 5/23/05 10:10 AM, "Michael Kluskens" <email@hidden> wrote:
>>
>>
>>> I was able to sign email using Mozilla. That's all I have working.
>>> Could be that I got that because I imported my files and settings
>>> from my firewire backup.
>>>
>>> I have not edited any CAC related setting files and that keychain
>>> setting for X509 won't stick for me, even without closing the
>>> program.
>>>
>>> I hope nothing bad got imported from my firewire backup.
>>>
>>> Like you, I can no longer visit CAC restricted web sites using
>>> Mozilla (or Safari).
>>>
>>> Michael
>>>
>>> P.S. I had formatted my disk case-sensitive so I needed to import my
>>> files rather than do a simple upgrade.
>>>
>>> On May 23, 2005, at 9:22 AM, Brian Raymond wrote:
>>>
>>>
>>>> Interesting you mention the web site access.
>>>>
>>>> I can't get web site access with my CAC to work either in 10.4. It
>>>> works fine in 10.3 with Safari and Firefox but so far I get it to hang
>>>> for a couple of minutes before throwing an error. Along with that,
>>>> Keychain hangs when trying to access my smart card.
>>>>
>>>> Another exciting side effect: if I leave my smart card in I can't
>>>> go to any SSL web sites without the browser choking while trying to
>>>> negotiate the SSL connection.
>>>>
>>>>
>>>>
>>>> - Brian
>>>>
>>>> On 5/23/05 8:29 AM, "Michael Kluskens" <email@hidden> wrote:
>>>>
>>>>
>>>>
>>>>> I think he is referring to the fact that you only have to do all the
>>>>> fancy stuff if you want to enable login via the CAC cards (which is
>>>>> not required for PC users anyway, so I'm not worrying about enabling
>>>>> it for the Mac users).
>>>>>
>>>>> Web site CAC access just works, insert card and go to a web site
>>>>> using Safari.
>>>>>
>>>>> EXCEPT for the simple fact that I get "The client certificate has
>>>>> been revoked" instead, nice.
>>>>>
>>>>> Also, I see no way to sign mail in OS X Mail.
>>>>>
>>>>> Could be a side effect of having a boot disk that is case-sensitive,
>>>>> the only reason I upgraded to 10.4 (also the only reason I upgraded
>>>>> our OS X server to 10.3).
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>>> On May 22, 2005, at 10:02 PM, Brian Raymond wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Something in your document caught my eye:
>>>>>>
>>>>>> "The Tiger release adds greatly enhanced support for smartcards.
>>>>>> The configuration required is much simpler than it was for previous
>>>>>> releases, and in fact, no client-specific customization is required
>>>>>> on the clients."
>>>>>>
>>>>>> Help me out here: in 10.3 wasn't this easier than the current process
>>>>>> of editing config files by hand:
>>>>>>
>>>>>> Install Common Access Viewer App
>>>>>>
>>>>>> sudo cac_setup
>>>>>> sudo cac_addid username EDI
>>>>>>
>>>>>> - Brian
>>>>>>
>>>>>>
>>>>>> On 5/9/05 2:45 PM, "Shawn Geddis" <email@hidden> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Folks,
>>>>>>>
>>>>>>> As has been discussed a few times now on the list, some of you are
>>>>>>> experiencing difficulties in determining why "Login" is not working
>>>>>>> on your system. Others are new to the Smart Card support on Mac OS X
>>>>>>> 10.3.x/10.4.x. This message should address some of the missing
>>>>>>> information, but should also speak of even greater things to come.
>>>>>>>
>>>>>>> Smart Cards on "Panther" - 10.3.x
>>>>>>> ========================
>>>>>>> Many of you have already downloaded my 105-page Smart Card Setup and
>>>>>>> Configuration Guide for Mac OS X 10.3.x. It walks you through the
>>>>>>> whole process of what configuration changes you need/want to do, as
>>>>>>> well as discussing the Smart Card Readers supported.
>>>>>>>
>>>>>>> Many of the Smart Card Services in 10.3 are largely reliant on direct
>>>>>>> PKCS#11 (direct hardware access), as many of you needed to configure
>>>>>>> the supplied PKCS#11 plugin to be used by your desired Netscape/
>>>>>>> Mozilla/Firefox/Thunderbird/... variant. 10.3.x does provide
>>>>>>> cryptographic login using the Smart Cards when you configure that
>>>>>>> system using the cac_setup & cac_addid commands within Terminal.
>>>>>>>
>>>>>>>
>>>>>>> Smart Cards in "Tiger" - 10.4.x
>>>>>>> =====================
>>>>>>> Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted
>>>>>>> as keychains for access by any application utilizing Mac OS X's built
>>>>>>> in Cert/Key & Keychain APIs (i.e. Entourage 2004). The architecture
>>>>>>> has changed, but largely from the abstraction layers on top of what
>>>>>>> was already there before. Users and Sys Admins have far less to do
>>>>>>> or worry about than they did with 10.3.x.
>>>>>>>
>>>>>>> Smart Card Services Provided in "Tiger" -10.4.0
>>>>>>>
>>>>>>> * Cryptographic Login to local/network-based accounts (more
>>>>>>> info to follow below)
>>>>>>> * S/MIME -- Signing and Encrypting of Mail Messages
>>>>>>> Leading Applications supporting this
>>>>>>> -- Mail.App (Apple)
>>>>>>> -- Entourage 2004 (Microsoft)
>>>>>>> -- Netscape/Mozilla/... software train still
>>>>>>> works as well...
>>>>>>> * Secure Web Access / Client Side Authentication
>>>>>>> -- Safari (Apple)
>>>>>>> -- Netscape/Mozilla/... software train still
>>>>>>> works as well...
>>>>>>> * VPN (PPTP, L2TP, 802.1X, .... VPN On Demand)
>>>>>>> -- Internet Connect (Apple)
>>>>>>>
>>>>>>> ** Address Book
>>>>>>> Now also displays the "signing" check symbol just left of email
>>>>>>> addresses for which the user has a corresponding Public Cert in their
>>>>>>> keychain. The Cert is NOT stored in the keychain, but represents a
>>>>>>> relationship with one in one of the currently active keychains.
>>>>>>>
>>>>>>>
>>>>>>> "Common Access Card Viewer" functionality is largely now available
>>>>>>> since the Smart Cards appear as dynamic keychains. You can view the
>>>>>>> Certificate and Key information as well as change the PIN on the card
>>>>>>> by selecting the "Change Password for Keychain ...". If you still
>>>>>>> feel the need to run the Common Access Card Viewer Utility on Tiger,
>>>>>>> then you need to install it from the Tiger DVD.
>>>>>>>
>>>>>>> The installer for the Common Access Card Viewer Utility is located
>>>>>>> at:
>>>>>>>
>>>>>>> Mac OS X Install DVD
>>>>>>> /System/Installation/Packages/CommonAccessCard.pkg
>>>>>>>
>>>>>>>
>>>>>>> ** I also placed it on my personal iDisk as well. (see end
>>>>>>> of message)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Tiger Smart Card Login Setup
>>>>>>> ======================
>>>>>>> ****** PLEASE DO NOT COPY OVER OR USE PANTHER CONFIGURATIONS ON TO
>>>>>>> YOUR TIGER SYSTEMS !!!!!
>>>>>>>
>>>>>>> Many of you are anxious to enable Smart Card cryptographic login
>>>>>>> right now on your Tiger systems. I have posted a zipped folder on my
>>>>>>> iDisk as well labeled "TigerSmartcardSetup.zip" which has a Text
>>>>>>> document with initial instructions and examples as well as a 'diff'
>>>>>>> file with the modification for /etc/authorization.
>>>>>>>
>>>>>>> In short:
>>>>>>> *** /etc/authorization is modified for system.login.console
>>>>>>> *** Accounts are, by default, bound to the Public Key Hash of the
>>>>>>> User's ID Private Key.
>>>>>>>
>>>>>>> As was the case in 10.3.x, those wanting/needing to use a combination
>>>>>>> of other Card information (i.e. UPN) can still configure the systems
>>>>>>> for your desired combination as well. With Tiger, you will need to
>>>>>>> set up and configure the file: /etc/cacloginconfig.plist
>>>>>>>
>>>>>>> Mac OS X 10.3.x utilized the cac_setup, cac_addid, cac_anchors
>>>>>>> commands and these have been superseded by "sc_auth" located in
>>>>>>> /usr/sbin/sc_auth.
>>>>>>>
>>>>>>> hostname# /usr/sbin/sc_auth -h
>>>>>>> Usage: sc_auth accept [-v] [-u user] [-k keyname] # by key on inserted card(s)
>>>>>>>        sc_auth accept [-v] [-u user] -h hash      # by known pubkey hash
>>>>>>>        sc_auth remove [-v] [-u user]              # remove all public keys for this user
>>>>>>>        sc_auth hash [-k keyname]                  # print hashes for keys on inserted card(s)
>>>>>>>
>>>>>>>
>>>>>>> Once enabled, there is NO performance degradation if users do not
>>>>>>> have or use Smart Cards. Many agency admins should probably
>>>>>>> consider, currently, making these mods to all systems and therefore
>>>>>>> enabling the use of Smart Cards on ALL systems.
>>>>>>>
>>>>>>> If enabled on a system running Tiger:
>>>>>>> * User inserts a Smart Card (at Login Panel)
>>>>>>> * Login Panel momentarily disappears and then reappears with
>>>>>>> - Smart Card User's Account Name
>>>>>>> - PIN field empty and waiting for entry by the user logging in
>>>>>>> * User enters PIN
>>>>>>> * Login cryptographically validates and unlocks the card
>>>>>>> * User Account is looked up in any of the configured DS Servers.
>>>>>>> * User is logged in.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Outstanding Challenges for Federal Customers:
>>>>>>> ==============================
>>>>>>>
>>>>>>> 1) As of 10.4.0, the modifications for enabling Smart Card Login are
>>>>>>> not enabled by default
>>>>>>> -- A subsequent update to Mac OS X 10.4.x should include
>>>>>>> these by default
>>>>>>>
>>>>>>> 2) The DoD Intermediate CAs are not available to the Keychain List by
>>>>>>> default
>>>>>>> -- Federal Customers within DoD will need to add the
>>>>>>> "X509Certificates" to the list
>>>>>>>
>>>>>>> a) Launch Keychain Access
>>>>>>> b) Select "Edit -> Keychain List"
>>>>>>> c) Select "Show: Mac OS X (System)"
>>>>>>> d) Check "Shared" checkbox next to
>>>>>>> "X509Certificates" (/System/Library/Keychains)
>>>>>>> e) X509Certificates will now appear in the Keychains List and will
>>>>>>> be available for Intermediates for the whole trust path validation.
>>>>>>>
>>>>>>> 3) As of 10.4.0, Smart Card Login does not currently support the
>>>>>>> unlocking of FileVault protected Home Directories
>>>>>>> ---- You can create Encrypted Images for your folders inside your
>>>>>>> Home Directory and unlock them manually at login
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Shawn's Public iDisk Folder
>>>>>>> ======================
>>>>>>> My Public iDisk can be found at:
>>>>>>>
>>>>>>> 1) Within Mac OS X, select "Go -> iDisk -> Other User's Public Folder..."
>>>>>>>
>>>>>>> geddis
>>>>>>>
>>>>>>> 2) http://homepage.mac.com/geddis/smartcards/FileSharing24.html
>>>>>>>
>>>>>>> Select folder: SmartCards
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I will be updating and providing my Setup and Configuration Guide for
>>>>>>> Mac OS X 10.4.x as soon as possible.
>>>>>>>
>>>>>>>
>>>>>>> -Shawn
>>>>>>> ___________________________________________
>>>>>>> Shawn Geddis
>>>>>>> Security Consulting Engineer
>>>>>>> Apple Computer - US Federal Government
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>>> Fed-talk mailing list (email@hidden)
>>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>> 40dataline.com
>>>>>>>
>>>>>>> This email sent to email@hidden
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
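An enrollment helper for the sc_auth workflow Shawn describes, added here as an example; it is not part of the thread or of Apple's tooling. It assumes Tiger's `sc_auth accept -u user -h hash` syntax quoted above, that `sc_auth hash` prints a 40-character hex (SHA-1) public key hash (an assumption), and that the account must already resolve locally or via a configured DS server before it is bound.

```shell
#!/bin/sh
# Hypothetical helper (not Apple's sc_auth, which it wraps) that binds an
# account to a card's public key hash the way the Tiger login setup expects.
SC_AUTH=${SC_AUTH:-/usr/sbin/sc_auth}   # superseded cac_addid on 10.3.x
AUTHZ=${AUTHZ:-/etc/authorization}       # edited for system.login.console
HASH_LEN=40                              # assumption: SHA-1 hex from "sc_auth hash"

# sc_auth binds an account to whatever hash it is handed; reject anything
# that is not a hex string of the expected length before it reaches the tool.
valid_pubkey_hash() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq "$HASH_LEN" ]
}

# The login flow looks the account up in local or DS records after the card
# unlocks, so a binding for an unknown account is a silent no-op at best.
user_exists() { id "$1" >/dev/null 2>&1; }

# Keep a timestamped copy of /etc/authorization before applying the
# system.login.console diff; a bad edit here locks everyone out of console login.
backup_authorization() {
    [ -f "$AUTHZ" ] || return 1
    cp -p "$AUTHZ" "$AUTHZ.$(date +%Y%m%d%H%M%S).bak"
}

# Build the exact command so it can be reviewed or logged before it runs.
accept_cmd() { printf '%s accept -v -u %s -h %s\n' "$SC_AUTH" "$1" "$2"; }

# Bind the account; returns 2 for an unknown account, 3 for a malformed hash.
# With DRY_RUN set, only prints the command (useful for change review).
enroll() {
    user=$1; hash=$2
    user_exists "$user" || { echo "no such account: $user" >&2; return 2; }
    valid_pubkey_hash "$hash" || { echo "malformed public key hash: $hash" >&2; return 3; }
    cmd=$(accept_cmd "$user" "$hash")
    if [ -n "$DRY_RUN" ]; then echo "$cmd"; return 0; fi
    $cmd
}

# Offboarding counterpart: drop every public key bound to the account.
remove_cmd() { printf '%s remove -v -u %s\n' "$SC_AUTH" "$1"; }
```

Run `DRY_RUN=1 ./enroll.sh` style checks first; the hashes to feed `enroll` come from `sc_auth hash` with the user's card inserted.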