Re: [Fed-Talk] PIV-II usage on Macs
- Subject: Re: [Fed-Talk] PIV-II usage on Macs
- From: Paul Nelson <email@hidden>
- Date: Thu, 12 Feb 2009 19:20:40 -0600
- Thread-topic: [Fed-Talk] PIV-II usage on Macs
The Apple software has the limitation that you cannot obtain Kerberos
credentials at login time when you log in with a PIV card. Other than that,
you should be able to get the PIV to "authenticate" your logon so you don't
need a password.
Since the whole process of setting this up for Active Directory is part of
Apple's product, I would expect Apple to be able to help you out with that
pretty easily. Be aware that thorough testing will be needed so you can
prove you have trust points configured properly and that you don't end up
allowing a spoofed smartcard to be used for login.
As for the Kerberos part, this is where you get a Kerberos ticket at login,
and can use that ticket to handle subsequent authorization tasks. Stuff
like Entourage's Kerberized authentication to access Exchange, or mounting
volumes from Windows servers using the cifs/smb protocol. Even accessing
web servers on your intranet can be handled with Kerberos. Having the
Kerberos ticket is what gives you the true "single sign-on" capability.
When you log in with a smartcard, an extra Kerberos protocol known as PKINIT
is needed to get the initial ticket. PKINIT is short for "Public Key
Cryptography for Initial Authentication in Kerberos".
Apple's software does not include the ability to use PKINIT when logging in
with a smartcard.
Thursby's ADmitMac for CAC (AFC) does include software that handles the
PKINIT protocol and gets a Kerberos ticket when you log in. It also
configures the Mac to recognize that a given smartcard is associated with a
particular account in Active Directory. Another important thing that AFC
does is configure trust points so that ONLY trusted domain controllers are
used to log in a user. All of the PKI stuff has been certified by the
Defense Information Systems Agency (DISA) Joint Interoperability Test Center
(JITC) to prove that ADmitMac for CAC meets the DoD requirements for Public
Key Infrastructure.
We are currently testing our PIV card support. We have written our own
"tokend" or middleware for the PIV and now have the capability to log in to
Active Directory and obtain Kerberos credentials. We will be determining
what federal certifications are necessary and how best to deliver PIV
support to federal government customers. We are also working on our Snow
Leopard version with native 64 bit file system kernel extensions.
There are many other issues that you will encounter once you have gotten
your first login to work using a smartcard. Here are some things to keep in
mind:
1) Configuring certificates in the GAL so other users can send you encrypted
e-mail. You'll want to be able to do this without needing a PC!
2) Off-network authentication with the smartcard (when you're mobile)
3) What you want to happen when the smartcard is removed - screensaver, etc.
4) OCSP support for responders like Tumbleweed
5) Distributed file system (Dfs) support
6) Rights elevation (like the windows runas or Apple's sudo) with only a
smartcard (no password)
7) What changes to your Active Directory schema or servers will be required
8) How you plan to configure those dreaded "Identity Preferences" for
accessing a web site.
9) How will your Kerberos credentials (ticket) get refreshed? (they time
out)
10) Desktop management. Stuff like Workgroup Manager settings and group
policies.
Thursby's strategy is to do all the work on the Macintosh with no changes
needed on the AD domains. We are also trying to make everything work from
the Mac so you don't need to find a PC to log into (like registering your
certs with AD).
Paul Nelson
Chief Technology Officer (I write code too)
Thursby Software Systems, Inc.
> From: "Gillett, Thomas J. (CMS/CTR)" <email@hidden>
> Date: Thu, 12 Feb 2009 18:01:26 -0500
> To: David McNeely <email@hidden>, Apple Fed Talk
> <email@hidden>
> Subject: RE: [Fed-Talk] PIV-II usage on Macs
>
> "Undo all that. That was for older versions. All you need to do is:"
> Yes, I figured those were old instructions. :)
>
>
> We are trying to do this with an Active Directory Back end (The mac is a
> member of the domain and is authenticating to AD). I believe this method
> would use the "attribute Lookup method" not Public key hash since this
> is for US Federal PIV cards and also this method seems closer to what we
> have already implemented for our windows PC's on the same network.
>
> - It seems that there are two third-party options, Thursby/Centrify, but
> we are first trying to do this without third-party software if possible.
> Is it possible for the Macs to use PIV-II cards for authentication without
> a third-party solution (i.e., like in Windows)?
>
> -----Original Message-----
> From: fed-talk-bounces+thomas.gillett=email@hidden
> [mailto:fed-talk-bounces+thomas.gillett=email@hidden] On
> Behalf Of David McNeely
> Sent: Thursday, February 12, 2009 4:30 PM
> To: email@hidden
> Subject: Re: [Fed-Talk] PIV-II usage on Macs
>
> Alternatively, You could install DirectControl for Mac along with
> ActivIdentity's robust PIV middleware, join Active Directory and then
> you have PIV login to AD providing both PKI certs and Kerberos Tickets
> for SSO to most services.
>
> Part of the join process and smartcard enablement with DirectControl
> causes the Group Policy enforcement that DirectControl provides to
> also import the trusted Root Certificate Authorities setup in Active
> Directory to the local Keychain enabling OS X to trust the same CAs
> that the AD Domain Controllers and other Windows clients trust.
>
> -David
> --
> David McNeely
> Director of Product Management
> Centrify Corporation
> +1 (408) 542-7518 office
> +1 (408) 910-4203 mobile
> email@hidden
> www.centrify.com
>
> On Feb 12, 2009, at 2/12/09 1:15 PM, Timothy J. Miller wrote:
>
>> Gillett, Thomas J. (CMS/CTR) wrote:
>>> I have been following the "Smart card set up guide" from Apple in
>>> an attempt to set up our Macs (10.5.6) for PIV-II access. In
>>> order to enable the smart card login I have edited the
>>> /etc/authorization file as directed. But when a card is inserted the
>>> login window does not change to one requesting a PIN; all accounts
>>> still ask for a user/password. The card reader appears to be
>>> functioning: I can read the certs on the card and unlock it from
>>> Keychain, but inserting the card does not affect login behavior.
>>> Any ideas?
>>
>> Undo all that. That was for older versions. All you need to do is:
>>
>> $ sc_auth hash
>>
>> This lists the certs on the card and their hashes.
>>
>> $ sudo sc_auth accept -u username -h hashvalue
>>
>> And you're done.
>>
>> If anyone knows how to make FileVault play nice with a smartcard
>> enabled account, I'd like to know.
>>
>> -- Tim
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
>
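Added example, not from the thread and not code from Apple, Thursby or Centrify: a POSIX shell check to run after the `sc_auth hash` / `sudo sc_auth accept -u username -h hashvalue` steps Tim Miller describes. It assumes that sc_auth records the accepted card's public key hash in the user's AuthenticationAuthority attribute as an entry of the form ";pubkeyhash;<hex>" (readable on the Mac with `dscl . -read /Users/<user> AuthenticationAuthority`). The attribute values and the card hash below are constructed samples, so the script runs without a Mac or a card; on a real system you would pass in the dscl output and the hash printed by `sc_auth hash`. The point of the check is the one Paul Nelson raises about an unintended card being accepted for login: more than one pubkeyhash entry means a previously mapped card still unlocks the account, and zero means the accept step did not take effect.

```shell
#!/bin/sh
# Added example, not part of the Fed-Talk thread. After
#     sudo sc_auth accept -u <user> -h <hash>
# sc_auth is assumed to record the card's public key hash in the account's
# AuthenticationAuthority attribute as an entry ";pubkeyhash;<hex>".
# On a real Mac the attribute comes from
#     dscl . -read /Users/<user> AuthenticationAuthority
# The sample values at the bottom are constructed so this runs anywhere.

# Print every pubkeyhash value in an AuthenticationAuthority value, one per
# line, upper-cased. Entries are whitespace-separated and dscl may wrap them
# onto several lines, so spaces, tabs and newlines all act as separators.
pubkey_hashes() {
    printf '%s\n' "$1" \
        | tr -s ' \t' '\n\n' \
        | sed -n 's/^;pubkeyhash;\([0-9A-Fa-f]*\).*/\1/p' \
        | tr 'abcdef' 'ABCDEF'
}

# Number of pubkeyhash entries (0 when no card is mapped to the account).
pubkey_hash_count() {
    pubkey_hashes "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Exit 0 only when the account maps to exactly one card hash and that hash is
# the one "sc_auth hash" reported for the card in the reader. Two or more
# entries means an older card still logs this user in; zero means
# "sc_auth accept" did not take effect.
check_mapping() {
    aa=$1
    expected=$(printf '%s' "$2" | tr 'abcdef' 'ABCDEF')
    [ "$(pubkey_hash_count "$aa")" -eq 1 ] || return 1
    [ "$(pubkey_hashes "$aa")" = "$expected" ]
}

# Constructed sample values (not a real account or card).
CARD_HASH='0123456789abcdef0123456789abcdef01234567'
AA_GOOD=';ShadowHash;HASHLIST:<SALTED-SHA512> ;pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567'
AA_STALE=';ShadowHash;HASHLIST:<SALTED-SHA512> ;pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567 ;pubkeyhash;FEDCBA9876543210FEDCBA9876543210FEDCBA98'
AA_NONE=';ShadowHash;HASHLIST:<SALTED-SHA512>'

for sample in AA_GOOD AA_STALE AA_NONE; do
    eval "value=\$$sample"
    if check_mapping "$value" "$CARD_HASH"; then
        echo "$sample: OK, account maps to exactly this card"
    else
        echo "$sample: NOT OK, $(pubkey_hash_count "$value") pubkeyhash entries"
    fi
done
```

Run it as-is to see the three constructed cases; on a Mac, replace the sample values with `"$(dscl . -read /Users/<user> AuthenticationAuthority)"` and the hash printed by `sc_auth hash`, and treat a non-zero exit from check_mapping as a reason to inspect the account before relying on card login.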