Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Shawn Geddis <email@hidden>
- Date: Tue, 14 Feb 2006 08:12:58 -0500
Brian,
The "flashing" was not for 10.3, but rather specifically to take advantage of the more robust and maintained CCID Class Driver provided in 10.4. The other reader drivers (SCR331 & ActivCard) should be removed. OS X 10.3 did not have CCID Class support in it at all - that is a 10.4 feature only.
-Shawn
On May 23, 2005, at 5:26 PM, Brian Raymond wrote:
The "flashed" ActivCard readers might be the common theme, I should have been more clear in my first post that it's a flashed ActivCard reader and not actually an SCM reader I use. It would be interesting if the process of flashing used to make them work with 10.3 initially is now causing us pain in 10.4.
- Brian
On 5/23/05 4:39 PM, "Brian Cadwell" <email@hidden> wrote:
We have noticed a few of our "flashed" ActivCard readers won't work in 10.4 but the same hardware did work in 10.3. We didn't look into it very deeply, it seems to be hit and miss. We did install the ActivCard drivers from Shawn's iDisk, and all the "unflashed" ActivCard readers we tried work fine. The drivers are probably a red herring, but I mention it for completeness.
Anyone else notice this? On my iMac G5 I can use either my flashed or unflashed card reader.
Also remember, if you try to use the card reader program (installable from the DVD) and it crashes, you'll need to reset your card reader for anything to work after that. Just unplug it and reinsert it.
I can't get Entourage to use my CAC however... It sees the certificate but errors out with the ever popular "unknown error" when I try to send a signed message.
bc
On 5/23/05 3:59 PM, "Brian Raymond" <email@hidden> wrote:
Shawn et al,
I wanted to send this out to the list since it seems there are some problems with getting CAC cards working in 10.4. More so than logging in, web site access is important for myself and others because of the new PKI-only policies for some public sites.
Have you run into any problems or are things smooth for the most part?
Details of our problems below..
I'm running a SCM 331 reader (CCID firmware), which works fine on 10.3
- Brian
On 5/23/05 10:10 AM, "Michael Kluskens" <email@hidden> wrote:
I was able to sign email using Mozilla. That's all I have working. Could be that I got that because I imported my files and settings from my firewire backup.
I have not edited any CAC related setting files and that keychain setting for X509 won't stick for me, even without closing the program.
I hope nothing bad got imported from my firewire backup.
Like you, I can no longer visit CAC restricted web sites using Mozilla (or Safari).
Michael
ps. I had formatted my disk case-sensitive so I needed to import my files rather than do a simple upgrade.
On May 23, 2005, at 9:22 AM, Brian Raymond wrote:
Interesting you mention the web site access.
I can't get web site access with my CAC to work either in 10.4. It works fine in 10.3 with Safari and Firefox but so far I get it to hang for a couple of minutes before throwing an error. Along with that Keychain hangs when trying to access my smart card.
Another exciting side effect, if I leave my smart card in I can't go to any SSL web sites without the browser choking while trying to negotiate the SSL connection.
- Brian
On 5/23/05 8:29 AM, "Michael Kluskens" <email@hidden> wrote:
I think he is referring that you only have to do all the fancy stuff if you want to enable login via the CAC cards (which is not required for PC users anyway so I'm not worrying about enabling it for the Mac users).
Web site CAC access just works, insert card and go to a web site using Safari. EXCEPT for the simple fact that I get "The client certificate has been revoked" instead, nice.
Also, I see no way to sign mail in OS X Mail.
Could be a side effect of having a boot disk that is case-sensitive, the only reason I upgraded to 10.4 (also the only reason I upgraded our OS X server to 10.3)
Michael
On May 22, 2005, at 10:02 PM, Brian Raymond wrote:
Something in your document caught my eye:
"The Tiger release adds greatly enhanced support for smartcards. The configuration required is much simpler than it was for previous releases, and in fact, no client-specific customization is required on the clients."
Help me out here, in 10.3 wasn't this easier than the current process of editing config files by hand:
Install Common Access Viewer App
sudo cac_setup
sudo cac_addid username EDI
- Brian
On 5/9/05 2:45 PM, "Shawn Geddis" <email@hidden> wrote:
Folks,
As has been discussed a few times now on the list, some of you are experiencing difficulties in determining why "Login" is not working on your system. Others are new to the Smart Card support on Mac OS X 10.3.x/10.4.x. This message should address some of the missing information, but should also speak of even greater things to come.
Smart Cards on "Panther" - 10.3.x
========================
Many of you have already downloaded my 105-page Smart Card Setup and Configuration Guide for Mac OS X 10.3.x. It walks you through the whole process of what configuration changes you need/want to do as well as discusses the Smart Card Readers supported.
Much of the Smart Card Services in 10.3 are largely reliant on direct PKCS#11 (direct hardware access) as many of you needed to configure the supplied PKCS#11 plugin to be used by your desired Netscape/Mozilla/Firefox/Thunderbird/... variant. 10.3.x does provide cryptographic login using the Smart Cards when you configure that system using the cac_setup & cac_addid commands within terminal.
Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted as keychains for access by any application utilizing Mac OS X's built in Cert/Key & Keychain APIs (i.e. Entourage 2004). The architecture has changed, but largely from the abstraction layers on top of what was already there before. Users and Sys Admins have far less to do or worry about than they did with 10.3.x.
Smart Card Services Provided in "Tiger" - 10.4.0
* Cryptographic Login to local/network-based accounts (more info to follow below)
* S/MIME -- Signing and Encrypting of Mail Messages
  Leading Applications supporting this
  -- Mail.App (Apple)
  -- Entourage 2004 (Microsoft)
  -- Netscape/Mozilla/... software train still works as well...
* Secure Web Access / Client Side Authentication
  -- Safari (Apple)
  -- Netscape/Mozilla/... software train still works as well...
* VPN (PPTP, L2TP, 802.1X, .... VPN On Demand)
  -- Internet Connect (Apple)
** Address Book
Now also displays the "signing" check symbol just left of email addresses that the user has a corresponding Public Cert in their keychain. The Cert is NOT stored in the keychain, but represents a relationship with one in one of the currently active keychains.
"Common Access Card Viewer" functionality is largely now available since the Smart Cards appear as dynamic keychains. You can view the Certificate and Key information as well as change the PIN on the card by selecting the "Change Password for Keychain ...". If you still feel the need to run the Common Access Card Viewer Utility on Tiger, then you need to install it from the Tiger DVD.
The installer for the Common Access Card Viewer Utility is located at:
Mac OS X Install DVD
/System/Installation/Packages/CommonAccessCard.pkg
** I also placed it on my personal iDisk as well. (see end of message)
Tiger Smart Card Login Setup
======================
****** PLEASE DO NOT COPY OVER OR USE PANTHER CONFIGURATIONS ON TO YOUR TIGER SYSTEMS !!!!!
Many of you are anxious to enable Smart Card cryptographic login right now on your Tiger systems. I have posted a zipped folder on my iDisk as well labeled: "TigerSmartcardSetup.zip" which has a Text document with initial instructions and examples as well as a 'diff' file with the modification for /etc/authorization.
In short:
*** /etc/authorization is modified for system.login.console
*** Accounts are, by default, bound to the Public Key Hash of the User's ID Private Key.
As was the case in 10.3.x, those wanting/needing to use a combination of other Card information (i.e. UPN) can still configure the systems for your desired combination as well. With Tiger, you will need to setup and configure the file: /etc/cacloginconfig.plist
Mac OS X 10.3.x utilized the cac_setup, cac_addid, cac_anchors commands and these have been superseded by "sc_auth" located in /usr/sbin/sc_auth.
hostname# /usr/sbin/sc_auth -h
Usage: sc_auth accept [-v] [-u user] [-k keyname]  # by key on inserted card(s)
       sc_auth accept [-v] [-u user] -h hash       # by known pubkey hash
       sc_auth remove [-v] [-u user]               # remove all public keys for this user
       sc_auth hash [-k keyname]                   # print hashes for keys on inserted card(s)
Once enabled, there is NO performance degradation if users do not have or use Smart Cards. Many agency admins should probably consider, currently, making these mods to all systems and therefore enabling the use of Smart Cards on ALL systems.
If enabled on a system running Tiger:
* User inserts a Smart Card (at Login Panel)
* Login Panel momentarily disappears and then reappears with
  - Smart Card User's Account Name
  - PIN field empty and waiting for entry by user logging in
* User enters PIN
* Login Cryptographically validates and unlocks the card
* User Account is looked for / found in one of any of the configured DS Servers.
* User is logged in.
Outstanding Challenges for Federal Customers:
==============================
1) As of 10.4.0, the modifications for enabling Smart Card Login are not enabled by default
   -- A subsequent update to Mac OS X 10.4.x should include these by default
2) The DoD Intermediate CAs are not available to the Keychain List by default
   -- Federal Customers within DoD will need to add the "X509Certificates" to the list
   a) Launch Keychain Access
   b) Select "Edit -> Keychain List"
   c) Select "Show: Mac OS X (System)"
   d) Check "Shared" checkbox next to "X509Certificates" (/System/Library/Keychains)
   e) X509Certificates will now appear in the Keychains List and will be available for Intermediates for the whole trust path validation.
3) As of 10.4.0, Smart Card Login does not currently support the unlocking of FileVault protected Home Directories
   ---- You can create Encrypted Images for your folders inside your Home Directory and unlock them manually at login
Shawn's Public iDisk Folder
======================
My Public iDisk can be found at:
1) Within Mac OS X, select "Go -> iDisk -> "Other User's Public Folder..." geddis
2) http://homepage.mac.com/geddis/smartcards/FileSharing24.html
   Select folder: SmartCards
I will be updating and providing my Setup and Configuration Guide for Mac OS X 10.4.x as soon as possible.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
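The sc_auth usage in Shawn's message shows two ways to bind an account: by key name on the inserted card, or by a known public-key hash. The following wrapper is an added example and is not part of Shawn's posted instructions or Apple's tooling. It resolves a key name to exactly one hash before calling `sc_auth accept -h`, so a card with no key of that name, or with two keys carrying the same label, produces an error instead of a silent wrong binding. It assumes (unverified here) that `sc_auth hash` prints one line per key as `<hex hash> <key name>`; the hashes and key names in the sample are constructed placeholders, not values read from a real card.

```shell
#!/bin/sh
# Added example, not from the original message or from Apple: bind a user
# account to one smart-card key by public-key hash, refusing to guess.
#
# ASSUMPTION: `sc_auth hash` prints one line per key as "<hex-hash> <key name>".
# Check this against the output on your own 10.4 system before relying on it.

# Constructed sample in the assumed format (placeholder hashes and labels).
SAMPLE_HASH_OUTPUT='0000000000000000000000000000000000000001 Key For Identity
0000000000000000000000000000000000000002 Key For Digital Signature
0000000000000000000000000000000000000003 Key For Key Management'

# pick_hash KEYNAME
# Reads sc_auth hash output on stdin and prints the hash whose key label
# equals KEYNAME exactly. Succeeds only when exactly one line matches.
pick_hash() {
    awk -v want="$1" '
        {
            keyhash = $1
            name = $0
            sub(/^[^ \t]+[ \t]+/, "", name)   # drop the hash column, keep the label
            if (name == want) { print keyhash; n++ }
        }
        END { if (n != 1) exit 1 }
    '
}

# bind_user_to_card USER KEYNAME   (run as root; sc_auth edits the user record)
# Looks up the hash for KEYNAME on the inserted card and binds USER to it with
# the "known pubkey hash" form of sc_auth accept from the usage text above.
bind_user_to_card() {
    user="$1"
    keyname="$2"
    keyhash=$(sc_auth hash -k "$keyname" | pick_hash "$keyname") || {
        echo "bind_user_to_card: expected exactly one key named '$keyname' on the inserted card" >&2
        return 1
    }
    sc_auth accept -v -u "$user" -h "$keyhash"
}

# unbind_user USER
# Removes every public-key binding for USER (sc_auth remove); the step to run
# when a card is lost or reissued so the old key can no longer log in.
unbind_user() {
    sc_auth remove -v -u "$1"
}

# Stand-alone usage: sudo ./bind-card.sh <user> "<key name>"
if [ "$#" -eq 2 ]; then
    bind_user_to_card "$1" "$2"
fi
```

The exact-match check in pick_hash is the point of the wrapper: binding by `-k keyname` alone trusts whatever the card reports under that label, while binding by a hash you have inspected first gives you a record of which key an account was tied to, which is what you want when a card is later lost or reissued and the binding has to be removed with sc_auth remove.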
- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division (Public & Private Sector)
Attachment: smime.p7s (S/MIME cryptographic signature)