RE: [Fed-Talk] bug in SmartCard implementation
- Subject: RE: [Fed-Talk] bug in SmartCard implementation
- From: "Hopfner, Philip (Phil) (CIV)" <email@hidden>
- Date: Fri, 26 Sep 2008 09:31:34 -0700
- Thread-topic: [Fed-Talk] bug in SmartCard implementation
I agree. Even though my "CAC on a Mac" writeup is getting a little long
in the tooth (http://cisr.nps.edu/downloads/nps_cs_06_009.pdf), I have a
procedure for removing the cached credentials on Page 7 of the writeup
as I ran into the same problem. You do need SU powers - but the
procedure works.
As far as the bug is concerned, I too noticed this and I filed a bug
report (#14662550) back on 3/1/2006 titled "Cached CAC credentials
persist if CAC card is changed". The reply I got from Apple Product
Security was "... After examining your report we do not believe that the
issue is security related". And that's where it ended....
-Phil
-----Original Message-----
From: fed-talk-bounces+phopfner=email@hidden
[mailto:fed-talk-bounces+phopfner=email@hidden] On Behalf Of
Boyd Fletcher
Sent: Friday, September 26, 2008 8:51 AM
To: Apple Fed Talk
Subject: [Fed-Talk] bug in SmartCard implementation
Apple Folks:
Apparently there is a nasty bug in Tiger and Leopard related to the way
smartcard tokens are cached. Apparently the cache is persistent through
reboots. It's my understanding that if you provide a SmartCard the
tokens are cached in /var/db/TokenCache/tokens and it requires root to
delete them. This is a big problem in DOD when a user changes the email
address on their CAC. The new certs are not processed by MacOS. We have
experienced this problem with a bunch of users lately and it is very
frustrating.
I can somewhat see the value in some caching, but caches like that
should never persist through reboots and probably not through
logon/logoff cycles.
This really should be fixed. Requiring root to clean the cache is a
bad thing.
boyd
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden