Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Brian Cadwell <email@hidden>
- Date: Mon, 23 May 2005 16:39:47 -0400
We have noticed a few of our "flashed" ActivCard readers won't work in 10.4
but the same hardware did work in 10.3. We didn't look into it very deeply,
it seems to be hit and miss. We did install the ActivCard drivers from
Shawn's idisk, and all the "unflashed" ActivCard readers we tried work fine.
The drivers are probably a red herring, but I mention it for completeness.
Anyone else notice this? On my iMac G5 I can use either my flashed or
unflashed card reader.
Also remember, if you try to use the card reader program (installable from
the DVD) and it crashes, you'll need to reset your card reader for anything
to work after that. Just unplug it and reinsert it.
I can't get Entourage to use my CAC however... It sees the certificate but
errors out with the ever popular "unknown error" when I try to send a signed
message.
bc
On 5/23/05 3:59 PM, "Brian Raymond" <email@hidden> wrote:
> Shawn et al,
>
> I wanted to send this out to the list since it seems there are some problems
> with getting CAC cards working in 10.4. More so than logging in, Web Site
> access is important for myself and others because of the new PKI-only
> policies for some public sites.
>
> Have you run into any problems or are things smooth for the most part?
>
> Details of our problems below..
>
> I'm running a SCM 331 reader (CCID firmware), which works fine on 10.3
>
> - Brian
>
>
> On 5/23/05 10:10 AM, "Michael Kluskens" <email@hidden>
> wrote:
>
>> I was able to sign email using Mozilla. That's all I have working.
>> Could be that I got that because I imported my files and settings
>> from my firewire backup.
>>
>> I have not edited any CAC related setting files and that keychain
>> setting for X509 won't stick for me, even without closing the program.
>>
>> I hope nothing bad got imported from my firewire backup.
>>
>> Like you, I can no longer visit CAC restricted web sites using
>> Mozilla (or Safari).
>>
>> Michael
>>
>> ps. I had formatted my disk case-sensitive so I needed to import my
>> files rather than do a simple upgrade.
>>
>> On May 23, 2005, at 9:22 AM, Brian Raymond wrote:
>>
>>> Interesting you mention the web site access.
>>>
>>> I can't get web site access with my CAC to work either in 10.4. It works
>>> fine in 10.3 with Safari and Firefox but so far I get it to hang for a
>>> couple of minutes before throwing an error. Along with that Keychain hangs
>>> when trying to access my smart card.
>>>
>>> Another exciting side effect, if I leave my smart card in I can't go to any
>>> SSL web sites without the browser choking while trying to negotiate the SSL
>>> connection.
>>>
>>>
>>>
>>> - Brian
>>>
>>> On 5/23/05 8:29 AM, "Michael Kluskens" <email@hidden>
>>> wrote:
>>>
>>>
>>>> I think he is referring to the fact that you only have to do all the fancy
>>>> stuff if you want to enable login via the CAC cards (which is not required
>>>> for PC users anyway so I'm not worrying about enabling it for the Mac
>>>> users).
>>>>
>>>> Web site CAC access just works, insert card and go to a web site
>>>> using Safari.
>>>>
>>>> EXCEPT for the simple fact that I get "The client certificate has
>>>> been revoked" instead, nice.
>>>>
>>>> Also, I see no way to sign mail in OS X Mail.
>>>>
>>>> Could be side effect of having a boot disk that is case-sensitive,
>>>> the only reason I upgraded to 10.4 (also the only reason I upgraded
>>>> our OS X server to 10.3)
>>>>
>>>> Michael
>>>>
>>>>
>>>> On May 22, 2005, at 10:02 PM, Brian Raymond wrote:
>>>>
>>>>
>>>>> Something in your document caught my eye:
>>>>>
>>>>> " The Tiger release adds greatly enhanced support for smartcards.
>>>>> The
>>>>> configuration required is much simpler than it was for previous
>>>>> releases,
>>>>> and in fact, no client-specific customization is required on the
>>>>> clients."
>>>>>
>>>>> Help me out here, in 10.3 wasn't this easier than the current process
>>>>> of editing config files by hand:
>>>>>
>>>>> Install Common Access Viewer App
>>>>>
>>>>> sudo cac_setup
>>>>> sudo cac_addid username EDI
>>>>>
>>>>> - Brian
>>>>>
>>>>>
>>>>> On 5/9/05 2:45 PM, "Shawn Geddis" <email@hidden> wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Folks,
>>>>>>
>>>>>> As has been discussed a few times now on the list, some of you are
>>>>>> experiencing difficulties in determining why "Login" is not working
>>>>>> on your system. Others are new to the Smart Card support on Mac
>>>>>> OS X
>>>>>> 10.3.x/10.4.x. This message should address some of the missing
>>>>>> information, but should also speak of even greater things to come.
>>>>>>
>>>>>> Smart Cards on "Panther" - 10.3.x
>>>>>> ========================
>>>>>> Many of you have already downloaded my 105-page Smart Card Setup and
>>>>>> Configuration Guide for Mac OS X 10.3.x. It walks you through the whole
>>>>>> process of what configuration changes you need/want to do as well as
>>>>>> discussing the Smart Card Readers supported.
>>>>>>
>>>>>> Much of the Smart Card Services in 10.3 are largely reliant on direct
>>>>>> PKCS#11 (direct hardware access) as many of you needed to configure
>>>>>> the supplied PKCS#11 plugin to be used by your desired Netscape/
>>>>>> Mozilla/Firefox/Thunderbird/... variant. 10.3.x does provide
>>>>>> cryptographic login using the Smart Cards when you configure that
>>>>>> system using the cac_setup & cac_addid commands within terminal.
>>>>>>
>>>>>>
>>>>>> Smart Cards in "Tiger" - 10.4.x
>>>>>> =====================
>>>>>> Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted
>>>>>> as keychains for access by any application utilizing Mac OS X's built
>>>>>> in Cert/Key & Keychain APIs (i.e. Entourage 2004). The architecture
>>>>>> has changed, but largely from the abstraction layers on top of what
>>>>>> was already there before. Users and Sys Admins have far less to do
>>>>>> or worry about than they did with 10.3.x.
>>>>>>
>>>>>> Smart Card Services Provided in "Tiger" -10.4.0
>>>>>>
>>>>>> * Cryptographic Login to local/network-based accounts (more
>>>>>> info to follow below)
>>>>>> * S/MIME -- Signing and Encrypting of Mail Messages
>>>>>> Leading Applications supporting this
>>>>>> -- Mail.App (Apple)
>>>>>> -- Entourage 2004 (Microsoft)
>>>>>> -- Netscape/Mozilla/... software train still
>>>>>> works as well...
>>>>>> * Secure Web Access / Client Side Authentication
>>>>>> -- Safari (Apple)
>>>>>> -- Netscape/Mozilla/... software train still
>>>>>> works as well...
>>>>>> * VPN (PPTP, L2TP, 802.1X, .... VPN On Demand)
>>>>>> -- Internet Connect (Apple)
>>>>>>
>>>>>> ** Address Book
>>>>>> Now also displays the "signing" check symbol just left of email
>>>>>> addresses that the user has corresponding Public Cert in their
>>>>>> keychain. The Cert is NOT stored in the keychain, but represents a
>>>>>> relationship with one in one of the currently active keychains.
>>>>>>
>>>>>>
>>>>>> "Common Access Card Viewer" functionality is largely now available
>>>>>> since the Smart Cards appear as dynamic keychains. You can view the
>>>>>> Certificate and Key information as well as change the PIN on the card
>>>>>> by selecting the "Change Password for Keychain ...". If you still
>>>>>> feel the need to run the Common Access Card Viewer Utility on Tiger,
>>>>>> then you need to install it from the Tiger DVD.
>>>>>>
>>>>>> The installer for the Common Access Card Viewer Utility is located at:
>>>>>>
>>>>>> Mac OS X Install DVD
>>>>>> /System/Installation/Packages/CommonAccessCard.pkg
>>>>>>
>>>>>>
>>>>>> ** I also placed it on my personal iDisk as well. (see end of message)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Tiger Smart Card Login Setup
>>>>>> ======================
>>>>>> ****** PLEASE DO NOT COPY OVER OR USE PANTHER CONFIGURATIONS ON TO
>>>>>> YOUR TIGER SYSTEMS !!!!!
>>>>>>
>>>>>> Many of you are anxious to enable Smart Card cryptographic login
>>>>>> right now on your Tiger systems. I have posted a zipped folder on my
>>>>>> iDisk as well labeled: "TigerSmartcardSetup.zip" which has a Text
>>>>>> document with initial instructions and examples as well as a 'diff'
>>>>>> file with the modification for /etc/authorization.
>>>>>>
>>>>>> In short:
>>>>>> *** /etc/authorization is modified for system.login.console
>>>>>> *** Accounts are, by default, bound to Public Key Hash of the User's
>>>>>>     ID Private Key.
>>>>>>
>>>>>> As was the case in 10.3.x, those wanting/needing to use a combination
>>>>>> of other Card information (ie. UPN) can still configure the systems
>>>>>> for your desired combination as well. With Tiger, you will need to
>>>>>> setup and configure the file: /etc/cacloginconfig.plist
>>>>>>
>>>>>> Mac OS X 10.3.x utilized the cac_setup, cac_addid, cac_anchors
>>>>>> commands and these have been superseded by "sc_auth" located in
>>>>>> /usr/sbin/sc_auth.
>>>>>>
>>>>>> hostname# /usr/sbin/sc_auth -h
>>>>>> Usage: sc_auth accept [-v] [-u user] [-k keyname]  # by key on inserted card(s)
>>>>>>        sc_auth accept [-v] [-u user] -h hash       # by known pubkey hash
>>>>>>        sc_auth remove [-v] [-u user]               # remove all public keys for this user
>>>>>>        sc_auth hash [-k keyname]                   # print hashes for keys on inserted card(s)
>>>>>>
>>>>>>
>>>>>> Once enabled, there is NO performance degradation if users do not
>>>>>> have or use Smart Cards. Many agency admins should probably
>>>>>> consider, currently, making these mods to all systems and therefore
>>>>>> enabling the use of Smart Cards on ALL systems.
>>>>>>
>>>>>> If enabled on a system running Tiger:
>>>>>> * User inserts a Smart Card (at Login Panel)
>>>>>> * Login Panel momentarily disappears and then reappears with
>>>>>>   - Smart Card User's Account Name
>>>>>>   - PIN field empty and waiting for entry by user logging in
>>>>>> * User enters PIN
>>>>>> * Login Cryptographically validates and unlocks the card
>>>>>> * User Account is looked for / found in one of any of the configured
>>>>>>   DS Servers.
>>>>>> * User is logged in.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Outstanding Challenges for Federal Customers:
>>>>>> ==============================
>>>>>>
>>>>>> 1) As of 10.4.0, the modifications for enabling Smart Card Login are
>>>>>>    not enabled by default
>>>>>>    -- A subsequent update to Mac OS X 10.4.x should include these by
>>>>>>       default
>>>>>>
>>>>>> 2) The DoD Intermediate CAs are not available to the Keychain List by
>>>>>>    default
>>>>>>    -- Federal Customers within DoD will need to add the
>>>>>>       "X509Certificates" to the list
>>>>>>
>>>>>>    a) Launch Keychain Access
>>>>>>    b) Select "Edit -> Keychain List"
>>>>>>    c) Select "Show: Mac OS X (System)"
>>>>>>    d) Check "Shared" checkbox next to "X509Certificates"
>>>>>>       (/System/Library/Keychains)
>>>>>>    e) X509Certificates will now appear in the Keychains List and will
>>>>>>       be available for Intermediates for the whole trust path
>>>>>>       validation.
>>>>>>
>>>>>> 3) As of 10.4.0, Smart Card Login does not currently support the
>>>>>>    unlocking of FileVault protected Home Directories
>>>>>>    -- You can create Encrypted Images for your folders inside your
>>>>>>       Home Directory and unlock them manually at login
>>>>>>
>>>>>>
>>>>>>
>>>>>> Shawn's Public iDisk Folder
>>>>>> ======================
>>>>>> My Public iDisk can be found at:
>>>>>>
>>>>>> 1) Within Mac OS X, select "Go -> iDisk -> "Other User's Public Folder..."
>>>>>>
>>>>>> geddis
>>>>>>
>>>>>> 2) http://homepage.mac.com/geddis/smartcards/FileSharing24.html
>>>>>>
>>>>>> Select folder: SmartCards
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I will be updating and providing my Setup and Configuration Guide for
>>>>>> Mac OS X 10.4.x as soon as possible.
>>>>>>
>>>>>>
>>>>>> -Shawn
>>>>>> ___________________________________________
>>>>>> Shawn Geddis
>>>>>> Security Consulting Engineer
>>>>>> Apple Computer - US Federal Government
>>>>>>
>>>>>> _______________________________________________
>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>> Fed-talk mailing list (email@hidden)
>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>
>>>>>> This email sent to email@hidden
>>>>>>
>>>>>>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
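Added example, not part of the thread and not Apple's own code: a small POSIX shell helper that performs the Tiger enrollment step Shawn Geddis describes (bind an account to the public key hash of the key on the inserted card) using only the sc_auth sub-commands quoted in his message. Assumptions, since the thread shows the usage text but not the command's output: "sc_auth hash" prints one "<hex-hash> <key name>" pair per line; a public key hash is a 40-character SHA-1 hex digest; sc_auth is on the PATH or named by the SC_AUTH variable. The SC_AUTH variable, the function names and the sample output are mine.

```shell
#!/bin/sh
# Added example: enrol a user for Tiger smart-card login with sc_auth.
# Not code from the thread or from Apple. Assumptions (labelled):
#   - "sc_auth hash" prints one "<hex-hash> <key name>" pair per line
#     (the thread quotes only the usage text, not the output format);
#   - a public key hash is a 40-character SHA-1 hex digest;
#   - sc_auth is on PATH, or SC_AUTH points at it (or at a stub).

SC_AUTH=${SC_AUTH:-sc_auth}

# pubkeyhash_valid HASH: succeed only if HASH is exactly 40 hex characters.
pubkeyhash_valid() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# hash_for_key KEYNAME: read "sc_auth hash" output on stdin and print the
# hash whose key name is exactly KEYNAME. Fails if the key is absent or the
# hash on that line is malformed, so nothing bogus is ever bound to an
# account. Key names may contain spaces; the hash is the first field.
hash_for_key() {
    wanted=$1
    while IFS= read -r line; do
        h=${line%% *}       # text before the first space: the hash
        name=${line#* }     # text after the first space: the key name
        [ "$name" = "$wanted" ] || continue
        if pubkeyhash_valid "$h"; then
            printf '%s\n' "$h"
            return 0
        fi
        echo "malformed hash for key '$wanted': $h" >&2
        return 1
    done
    echo "key '$wanted' not found on inserted card" >&2
    return 1
}

# enroll_user USER KEYNAME: look up the hash of KEYNAME on the inserted
# card, then bind USER to it with the "accept ... -h hash" form from the
# usage text (the "-k keyname" form would do both steps at once; doing it
# in two lets an admin see and validate the hash before it is accepted).
enroll_user() {
    user=$1
    keyname=$2
    h=$("$SC_AUTH" hash -k "$keyname" | hash_for_key "$keyname") || return 1
    "$SC_AUTH" accept -v -u "$user" -h "$h"
}

# unenroll_user USER: drop every public key bound to USER.
unenroll_user() {
    "$SC_AUTH" remove -v -u "$1"
}

# Usage: sh enroll.sh <user> '<key name>'   (card inserted, run as root)
if [ "$#" -eq 2 ]; then
    enroll_user "$1" "$2"
fi
```

Run it on the target machine with the card inserted, e.g. sh enroll.sh jdoe 'Identity Key'; the hash is checked for shape before it reaches sc_auth accept, so a missing key or a garbled line fails loudly instead of binding a bad value. Pointing SC_AUTH at a stub script lets you dry-run the parsing off the target.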