Re: [Fed-Talk] Smart card login and unlocking login keychain
- Subject: Re: [Fed-Talk] Smart card login and unlocking login keychain
- From: "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <email@hidden>
- Date: Thu, 23 Jul 2009 10:11:20 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Smart card login and unlocking login keychain
I have a related question that I was wondering if someone could answer:
If using "tokenadmin create-fv-user", can that encrypted sparse image
then ONLY be unlocked with the token / certificate that is on the
card? It does not appear to require any KEK OID on the certificate
from the token to use the feature, but it appears that only an
escrowed token / certificate can recover that user data if the
original token / certificate is damaged / lost. Trying to recover
with the master password results in "Reset password failed;
CSSM_ERRCODE_INVALID_CSP_HANDLE", and claiming and trying to open the
sparsebundle without using the token results in authentication errors
as well.
-Ridley
On Jul 22, 2009, at 3:50 PM, Paul Nelson wrote:
> There is a way to do it, but you have to create the account from
> scratch.
> Check out 'man tokenadmin'
>
> You might think about creating an account from scratch, then put the
> resulting keychain file in your own account to see how it works.
>
> Paul Nelson
> Thursby Software Systems, Inc.
>
>
>> From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>
>> Date: Wed, 22 Jul 2009 15:01:05 -0400
>> To: Apple Fed Talk <email@hidden>
>> Subject: [Fed-Talk] Smart card login and unlocking login keychain
>>
>> Does anyone know if it's possible to have a user's login keychain unlock
>> automatically as part of the user logging in via a smartcard?
>>
>> Now that I've been issued a PIV card at my federal agency, I'm starting to
>> experiment with smartcard-based login on my OS X (10.5.7) machines. I've
>> bound my local account to the hash key for my PIV card authentication cert,
>> and that part works perfectly -- when I insert my PIV card, the "Password"
>> prompt changes to a "PIN" prompt, and all is good.
>>
>> Unfortunately, logging in with my PIV card doesn't also unlock my login
>> keychain -- whenever I log in, the first time I do something that would
>> require data stored in my keychain, I'm prompted for the password for the
>> keychain to unlock it.
>>
>> Is there a way to change this behavior?
>>
>> Thanks...
>> Jason Levine
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>>