Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Shawn Geddis <email@hidden>
- Date: Tue, 14 Feb 2006 09:09:28 -0500
Michael,
On May 24, 2005, at 12:15 PM, Michael Chute wrote:
My CAC is working fine on my 10.4 installs. I have run into one
issue where the X509 certs were not in Keychain Access; I just
copied them in to solve that problem.
What certificates are you referring to? Are you referring to the
DoD Intermediates? Sounds like you just added the intermediates to
one of your personal keychains -- which is perfectly fine, since
intermediate certificates are not required to be in any specific
keychain. Apple provided the X509Certificates keychain for
convenience, but there is no reason that your system would not work
if you had all of those certificates loaded into another one of your
personal keychains. Your call! :)
You said the only thing you tried is the keychain stuff that
Shawn gave instructions for. I have not done that alone. I also
do the easy modifications to turn on the cryptographic login
(changing the authorization file and such); it's not hard, and maybe
you need to do this to get full functionality.
The modifications to /etc/authorization are for any "authorization" /
"authentication" that takes place on the machine, as in OS privileges
-- not for applications like Mail and S/MIME. I have had several folks
that ONLY wanted to do S/MIME and not Smart Card login, so they only
made sure things worked with Mail.app or Entourage and never did the
modifications to /etc/authorization.
The nice thing about Mac OS X is that you could still modify
/etc/authorization and use both User/Pass and/or Smart Card authentication
if you wanted. There is no performance hit or ill effect if you do so.
My CAC shows up in the keychains window of Keychain Access as Smart
Card #2. I wonder, given the "access restricted" message, if this is
due to you not altering the authorization file as explained in the
enabling steps that Shawn stated. The only thing I noted is that
the path to the diff file is wrong as written; I just typed the
command up to that point, then dragged the file in to get the
correct path, and it worked.
The path to the diff file in the 'original' draft I put up was just a
'reference', but since then I have found that there are quite a
number of folks using Terminal that do not understand paths and
various Unix commands -- could be dangerous, but we realize there are
some of you like that out there. So, I have altered the DRAFT
document to reflect that, replacing the old path with "<path to
diffs file>":

patch -u -o /tmp/authorization.smartcard authorization.orig <path to diffs file>
I also corrected (as I noted this morning in a previous email) the
attribute names used in the cacloginconfig.plist setup for those
using that approach.
What is posted is now updated.
In order to see the keychains in Keychain Access you need to click
the "Show Keychains" button on the bottom left of the Keychain
Access window. Your CAC should then show up in the keychain
panel. I too have the library keychain, which is shared, and the
X509 Anchors, which is not.
As noted above, the X509Anchors keychain is a special one, since it
is the Trusted Root CA certificate store, and hence it does not
actually matter whether the "shared" box is checked for it or not.
Unfortunate side effect of the UI versus the intent and use of that
keychain.
I think that is the normal set. I am not using a flashed ActivCard
reader; I am using the ActivCard reader with the ActivCard v2
driver. I am having no issues with it.
Great!
- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division (Public & Private Sector)
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
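As an added example (not part of the thread, and not Apple's or the draft's own script), the following POSIX shell rehearses the /etc/authorization patch step discussed above against a throwaway copy, so that a mistyped diff path or a rejected hunk can never leave the real file half-edited. The plist fragment and the diff are constructed stand-ins for the Tiger original and the draft's "diffs file"; the mechanism name "builtin:smartcard-sniffer,privileged" is an assumption for illustration, not taken from the draft.

```shell
#!/bin/sh
# Added example: dry-run the "patch -u -o ..." step from the thread on a copy.
# Nothing here touches /etc/authorization. The plist and the diff below are
# CONSTRUCTED; the smartcard-sniffer mechanism name is an assumption.
set -e

WORK="${TMPDIR:-/tmp}/authz-demo.$$"
ORIG="$WORK/authorization.orig"
DIFF="$WORK/smartcard.diff"
OUT="$WORK/authorization.smartcard"

# Step 1: a minimal authorization-style plist standing in for the Tiger original
# (constructed; the real file is far larger).
make_orig() {
    mkdir -p "$WORK"
    cat > "$ORIG" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>mechanisms</key>
      <array>
        <string>builtin:auto-login,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>authinternal</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
EOF
}

# Step 2: build a unified diff the way such a diffs file is produced:
# copy, edit the copy, diff original against the copy.
make_diff() {
    awk '/<string>authinternal<\/string>/ {
             print "        <string>builtin:smartcard-sniffer,privileged</string>"
         } { print }' "$ORIG" > "$WORK/authorization.edited"
    # diff exits 1 when the files differ; that is the expected outcome here
    diff -u "$ORIG" "$WORK/authorization.edited" > "$DIFF" || [ $? -eq 1 ]
}

# Step 3: the command from the thread with the placeholder filled in.
# -o writes the result to a separate file, so the input is never modified in place.
apply_patch() {
    patch -u -o "$OUT" "$ORIG" "$DIFF" >/dev/null
}

# Number of mechanisms listed in a file (one <string> per mechanism).
mechanism_count() {
    grep -c '<string>' "$1"
}

# Step 4: what to check before copying $OUT over /etc/authorization:
# exactly one mechanism was added, it precedes authinternal, the original is
# untouched, and the result still parses where a plist/XML linter is available.
verify() {
    [ "$(mechanism_count "$OUT")" -eq $(( $(mechanism_count "$ORIG") + 1 )) ] || return 1
    sniff=$(grep -n 'smartcard-sniffer' "$OUT" | cut -d: -f1)
    auth=$(grep -n '<string>authinternal</string>' "$OUT" | cut -d: -f1)
    [ -n "$sniff" ] && [ -n "$auth" ] && [ "$sniff" -lt "$auth" ] || return 1
    ! grep -q 'smartcard-sniffer' "$ORIG" || return 1
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$OUT" >/dev/null || return 1
    elif command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$OUT" || return 1
    fi
    return 0
}

cleanup() { rm -rf "$WORK"; }

# Full rehearsal: returns 0 only if the patch applied cleanly and passed verify.
rehearse() {
    make_orig && make_diff && apply_patch && verify
}

case "${1:-}" in
    run) rehearse && echo "rehearsal OK: $OUT"; cleanup ;;
esac
```

Run it as `sh authz-rehearse.sh run`. The point of the -o form, which is the form the draft uses, is that a wrong path or a rejected hunk fails before anything is installed; only after `verify` passes would one copy the output into place (as root, with a backup of the original kept).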
Fed-talk mailing list (email@hidden)