As many of you know, I have been 'unavailable' for quite some time and am behind in follow-up to messages relating to Security / Smart Cards / ... on this list. I did, however, need to quickly jump into this conversation and try to clear this up a bit for everyone. I will grab a few clips from my upcoming Mac OS X 10.4 Smart Card Integration Guide.... the one many of you have been waiting for...
Mac OS X 10.4.x already ships with drivers for the following PC Card Smart Card Readers:
* CRYPTOCard (see note below)
* OMNIKey (CardMan 4040)
* SCM (SCR24X ==> SCR241 / SCR243)
*Note*
If you have or want to use the CRYPTOCard PC Card Reader, you will need to verify/do the following:
* If you have a relatively recent reader, it should be a "CardMan 4040" mechanism and just works as expected
* If you have one of the older versions of the reader (PC-1), make sure you retrieve the updated driver available from CRYPTOCard as noted by Judy.
For right now, if you plan on using any PC Card reader, you will also need to do the following steps:
Supporting PC Card Smart Card Readers
* As of Mac OS X 10.4.3, there are two modifications to a system required to use the supported PC Card Readers.
To ensure the PC Card readers fully function (a current bug is being fixed), perform the following two steps so that pcscd always launches with no conflicts.
(1) Set securityd to launch pcscd at startup time
By default, the pcscd process is started when a Smart Card Reader is connected or identified on the system. There is a current issue (as of Mac OS X 10.4.3) which prevents this dynamic launch from taking place when a PC Card reader is in use.
To have pcscd run at startup time, edit the /private/etc/mach_init.d/securityd.plist so that the "Command" key is:
<key>Command</key>
<string>/usr/sbin/securityd -s on</string>
The default plist for securityd is:
hurljo3% cat /etc/mach_init.d/securityd.plist
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>ServiceName</key>
<string>com.apple.securityd</string>
<key>Command</key>
<string>/usr/sbin/securityd</string>
<key>OnDemand</key>
<false/>
</dict>
</plist>
(2) Move aside the CCID Class Driver from the Smart Card Services.
By default, Smart Card Services detects and supports all CCID-compliant readers. There is a current issue (as of Mac OS X 10.4.3) which causes the CCID Class Driver to conflict with communication to a PC Card-based Smart Card Reader. The Class Driver (bundle) must be moved aside to prevent this conflict. Keep the CCID Class Driver bundle rather than deleting it, so it can be put back once this issue has been resolved.
# mv /usr/libexec/SmartCardServices/drivers/CCIDClassDriver.bundle /usr/libexec/SmartCardServices/
** This will move it outside the driver directory and into the high-level SmartCardServices directory.
(3) Removing the Smart Card Services Startup Item on machines that have been upgraded from 10.3.x to 10.4.x
# rm -r /System/Library/StartupItems/SmartCardServices/
To clarify about the securityd ==> pcscd process control:
Under normal conditions, once pcscd is dynamically launched (when a reader is connected to or detected on an OS X 10.4 system), securityd verifies that a Smart Card Reader is present and attempts to match the reader to a driver (the CCID Class Driver covers ALL CCID-compliant readers). After 2 minutes with no Smart Card Reader present, securityd kills pcscd (to reduce resource overhead) and waits for another event, such as a card reader being reattached, before dynamically launching pcscd again. Since we are modifying securityd.plist ("securityd -s on") so that securityd always launches pcscd at startup and does not kill it after 2 minutes, this normal process has been short-circuited.
I have all of this handled with shell scripts, but will release that at the time the guide is ready and will make it perfectly clear that they are from me 'personally' and Apple is not responsible for supporting them.
- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer, Inc.
1892 Preston White Drive
Reston, VA 20191
T (703) 264-5103 / C (703) 623-9329 / T (703) 264-5100