Re: [Fed-Talk] Smart card login and unlocking login keychain
- Subject: Re: [Fed-Talk] Smart card login and unlocking login keychain
- From: "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <email@hidden>
- Date: Wed, 22 Jul 2009 23:11:21 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Smart card login and unlocking login keychain
Native authentication does attempt an unlock of the login keychain
using the smartcard PIN you typed in for the password; so if the login
keychain password was the PIN, then it would unlock on that attempt.
Although a PIN as just a password and not a part of a two-factor
authentication mechanism is a very weak strength password, so I would not
recommend using it to protect other passwords and data by itself.
If that login keychain was inside an encrypted filevault sparse image
that was cryptographically bound to the private keys on the card it
would be better, but even with that, there is no certificate
validation or revocation checking of your PIV certificate at login.
-Ridley
On Jul 22, 2009, at 3:01 PM, Levine, Jason (NIH/NCI) [E] wrote:
> Does anyone know if it's possible to have a user's login keychain unlock
> automatically as part of the user logging in via a smartcard?
>
> Now that I've been issued a PIV card at my federal agency, I'm starting to
> experiment with smartcard-based login on my OS X (10.5.7) machines. I've
> bound my local account to the hash key for my PIV card authentication cert,
> and that part works perfectly -- when I insert my PIV card, the "Password"
> prompt changes to a "PIN" prompt, and all is good.
>
> Unfortunately, logging in with my PIV card doesn't also unlock my login
> keychain -- whenever I log in, the first time I do something that would
> require data stored in my keychain, I'm prompted for the password for the
> keychain to unlock it.
>
> Is there a way to change this behavior?
>
> Thanks...
> Jason Levine
>
Fed-talk mailing list (email@hidden)