RE: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: RE: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: "Townsend, Trent W ERDC-ITL-MS" <email@hidden>
- Date: Tue, 24 May 2005 13:50:40 -0500
- Thread-topic: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
As it has been pointed out, a regular user can access the Disk Utility. This
user said he could not, and I went to try and fix it. I actually didn't
check to see if he indeed could or could not run this program before
explicitly allowing it using limitations. However, there are other areas
where this limitation functionality could be useful in securing a machine.
That being said, the issue still remains. Has anyone else seen this?
Trent Townsend
ERDC Major Shared Resource Center
email@hidden
601.634.4051
-----Original Message-----
From: fed-talk-bounces+trent.w.townsend=email@hidden
[mailto:fed-talk-bounces+trent.w.townsend=email@hidden] On Behalf Of Townsend, Trent W ERDC-ITL-MS
Sent: Tuesday, May 24, 2005 1:21 PM
To: Fedtalk List
Subject: RE: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
Concerning the actual login process using a CAC on Tiger, has anyone tried
this when logging in to an account with limits imposed? I have a user
that needs to access the Disk Utility app, but we do not want him to have
admin. When I restricted what he could open and allowed access to Disk
Utility, his login using the CAC failed. In an attempt to get it to work,
everything available in the limitation menu was checked (the list of things he
had permission to execute). Still, Tiger "shook its head" at him after he
entered his PIN. When the user account was returned to no limits,
everything resumed working properly. I assume these limitations aren't
allowing the login process to run something it needs to, but I do not know
what that would be. Has anyone run into this?
Trent Townsend
ERDC Major Shared Resource Center
email@hidden
601.634.4051
-----Original Message-----
From: fed-talk-bounces+trent.w.townsend=email@hidden
[mailto:fed-talk-bounces+trent.w.townsend=email@hidden] On Behalf Of Michael Chute
Sent: Tuesday, May 24, 2005 11:16 AM
To: Michael Kluskens
Cc: Fedtalk List
Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
My CAC is working fine on my 10.4 installs. I have run into one issue where
the X509 Certs were not in Keychain Access; I just copied them in to solve
that problem. You said the only thing you tried is the keychain stuff that
Shawn gave instructions for. I have not done that alone. I also do the easy
modifications to turn on the cryptographic login (changing the authorization
file and such); it's not hard, and maybe you need to do this to get full
functionality. My CAC shows up in the Keychains window of Keychain Access as
Smart Card #2. I wonder, given the "access restricted" message, if this is due
to you not altering the authorization file as explained in the enabling steps
that Shawn stated. The only thing I noted is that the path to the dif file
is wrong as written; I just wrote the command up to that point, then dragged
the file in to get the correct path, and it worked. In order to see the
keychains in Keychain Access you need to click the "Show Keychains" button on
the bottom left of the Keychain Access window. Your CAC should then show up
in the keychain panel.
I too have the library keychain which is shared and the X509 anchors which is
not. I think that is the normal set. I am not using a flashed ActivCard
reader; I am using the ActivCard reader with the ActivCard v2 driver. I am
having no issues with it.
On May 24, 2005, at 10:57 AM, Michael Kluskens wrote:
> I'm having some issues with CAC and 10.4
>
> I've done testing on OS X 10.4.1 on a standard journaled file system
> and on a case-sensitive, journaled file system, with no apparent
> difference between them.
>
> The only configuration setup I attempted is in Keychain Access and
> that configuration step refuses to "stick" on my machine. (I also
> tried sc_auth accept but I get "Access Restricted" and I don't know
> what that means).
>
> OS X Mail works with encryption, decryption, and signing with no
> additional configuration.
>
> Safari responds with "The client certificate has been revoked" when I
> visit a local PKI enabled site (it's optional for this site; hopefully
> that is not the cause of the problem). Mozilla also cannot access
> that site under 10.4 if the CAC is in.
>
> My CAC card reader is an ActivCard reader that was flashed to work with
> 10.3, and I have to assume it is working fine since OS X Mail is fully
> operational in CAC functions. sc_hash gives the hashes for all three
> keys on the CAC.
>
> On May 9, 2005, at 2:45 PM, Shawn Geddis wrote:
>
>> Smart Cards in "Tiger" - 10.4.x
>> =====================
>> Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted
>> as keychains
>>
>
> Can the Smart Card keychain be seen in the "Keychain Access"
> application and where? On my machine, the sections labeled "keys"
> and "My certificates" are empty.
>
>
>> ** Address Book
>> Now also displays the "signing" check symbol just left of email
>> addresses that the user has corresponding Public Cert in their
>> keychain. The Cert is NOT stored in the keychain, but represents a
>> relationship with one in one of the currently active keychains.
>>
>
> This works, but I think there is a wording error here, the Cert is
> stored in the keychain, it is NOT stored in the Address Book.
>
>
>> "Common Access Card Viewer" functionality is largely now available
>> since the Smart Cards appear as dynamic keychains. You can view the
>> Certificate and Key information as well as change the PIN on the card
>> by selecting the "Change Password for Keychain ...".
>>
>
> This does not work at all for me, the only keychain I have is my
> regular software keychain, I see no evidence of the CAC card in
> Keychain Access.
>
>
>> 2) The DoD Intermediate CAs are not available to the Keychain List by
>> default
>> -- Federal Customers within DoD will need to add the
>> "X509Certificates" to the list
>>
>> a) Launch Keychain Access
>> b) Select "Edit -> Keychain List"
>> c) Select "Show: Mac OS X (System)"
>> d) Check "Shared" checkbox next to
>> "X509Certificates" (/System/Library/Keychains)
>> e) X509Certificates will now appear in the Keychains List
>> and will be available for
>> Intermediates for the whole trust path
>> validation.
>>
>
> This is what totally fails on my system. First off, the check mark
> is not there if I immediately, or any time afterwards, go back into
> this menu. Also, I note that I also have System (/Library/Keychains),
> which is shared, and X509Anchors (/System/Library/Keychains), which is
> not shared (and not shareable, just like X509Certificates). Under
> User I also have System (/Library/Keychains), which is shared.
>
> I created a brand new account and the problems existed there as well.
>
> Michael
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
>