Re: Resend: [Fed-Talk] Re: lock a system on CAC removal
- Subject: Re: Resend: [Fed-Talk] Re: lock a system on CAC removal
- From: "Shawn A. Geddis" <email@hidden>
- Date: Sun, 29 Mar 2009 21:58:11 -0400
**Resending without signature for those on the Digest list....**
Walter,
“• Lock system on smart card removal. You can configure your Mac to automatically lock the system whenever you remove your smart card.”
System Preference -> Security -> General
You will see an option to check "[ ] Activate screen saver when login token is removed" *after* you have configured your account for authentication with a Smart Card.
sc_auth accept -u <UserShortName> -h <PubKeyHash from Smart Card>
(i.e. just execute "sc_auth" by itself and you will see the usage / options)
Usage: sc_auth accept [-v] [-u user] [-d domain] [-k keyname] # by key on inserted card(s)
       sc_auth accept [-v] [-u user] [-d domain] -h hash       # by known pubkey hash
       sc_auth remove [-v] [-u user] [-d domain]               # remove all public keys for this user
       sc_auth hash [-k keyname]                               # print hashes for keys on inserted card(s)
       sc_auth list [-v] [-u user] [-d domain]                 # list pubkey hashes that can authenticate this user
This will add a value to your AuthenticationAuthority attribute in the specified Directory Service (by default local DS unless you specify a different one on the sc_auth command).
This reference is to when you have a smart card configured for login to your account. The system would trigger the Screen Saver lock when you remove the Smart Card you used for login. This allows you to have multiple smart cards inserted, and removal of non-login smart cards would not generate an undesirable triggering of the screen lock. This would also not display an unnecessary option in the Preference Panel for those not using a Smart Card.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise

On Mar 28, 2009, at 10:59 PM, "Adams, Walter CTR CNIC HQ, N61" <email@hidden> wrote:
Folks,
The following excerpt from a 2007 Apple document talks about using a CAC to lock a system on CAC removal – presumably unlock on inserting with a PIN. I can see no evidence in the interface or through a search of the security guides of how to do this. Anyone have any help?
A Technology Brief
Mac OS X: Security
“Smart cards. Smart cards enable you to carry your digital certificates with you. Mac OS X allows you to use your smart card whenever an authentication dialog is presented. This robust, two-factor authentication mechanism complies with Department of Defense Common Access Card, U.S. PIV, Belgium National Identification Card, Japanese government PKI, and Java Card 2.1 standards. Similar to an ATM card and a PIN code, two-factor authentication relies on something you have and something you know. If your smart card is lost or stolen, it cannot be used unless your PIN is also known.

Mac OS X has additional functionality for smart card use such as:

• Lock system on smart card removal. You can configure your Mac to automatically lock the system whenever you remove your smart card.”
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
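Shawn's enrollment step above (sc_auth accept -u <user> -h <hash>, which adds a value to the user's AuthenticationAuthority attribute) is the piece an administrator will want to verify after the fact, since the "Activate screen saver when login token is removed" checkbox only appears once that value is in place. The following shell script is an added example, not code from the thread or from Apple: it validates a public-key hash before passing it to sc_auth, and checks whether a given hash is already enrolled by parsing the attribute text. It assumes, beyond what the thread states, that the hash is 40 hexadecimal characters (a SHA-1 digest), that the attribute can be read with `dscl . -read /Users/<user> AuthenticationAuthority`, that the sc_auth-added value has the form `;pubkeyhash;<hash>`, and that sc_auth accept is run with administrative privileges. The sample attribute text is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the Fed-Talk thread or Apple): helper checks around
# sc_auth enrollment of a smart card for local login on Mac OS X.

# A public-key hash as used by sc_auth is assumed to be 40 hexadecimal
# characters (SHA-1). Return 0 when the argument looks like one, 1 otherwise.
is_pubkey_hash() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print every ;pubkeyhash;<hash> value found in AuthenticationAuthority text,
# one hash per line. The input is the text of the attribute as dscl prints it
# (values separated by spaces); the ";pubkeyhash;" value format is an assumption.
pubkey_hashes_from_auth_authority() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^;pubkeyhash;\([0-9A-Fa-f]\{40\}\)$/\1/p'
}

# Return 0 if HASH (any case) is among the enrolled hashes in the attribute
# text, 1 if it is not, 2 if HASH is not a well-formed hash at all.
card_is_enrolled() {
    hash=$1
    text=$2
    is_pubkey_hash "$hash" || return 2
    pubkey_hashes_from_auth_authority "$text" | grep -qix "$hash"
}

# Live variant for a Mac: read the attribute of a local user via dscl
# (assumed command; prints nothing if dscl is unavailable or the user is unknown).
enrolled_hashes_for_user() {
    pubkey_hashes_from_auth_authority \
        "$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null)"
}

# Enroll HASH for USER with the command from the thread, after validating the
# hash, then confirm the value actually landed in the local directory.
# Only meaningful on a Mac with sc_auth and dscl; assumes sudo is needed.
enroll_and_verify() {
    user=$1
    hash=$2
    if ! is_pubkey_hash "$hash"; then
        echo "refusing to enroll: '$hash' is not a 40-hex pubkey hash" >&2
        return 2
    fi
    sudo sc_auth accept -u "$user" -h "$hash" || return 1
    card_is_enrolled "$hash" \
        "$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)"
}

# Constructed sample of dscl output (not captured from a real system).
SAMPLE_AUTH_AUTHORITY='AuthenticationAuthority: ;ShadowHash; ;pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567'

# Demo against the constructed sample; the live enroll_and_verify is not run here.
if card_is_enrolled 0123456789abcdef0123456789abcdef01234567 "$SAMPLE_AUTH_AUTHORITY"; then
    echo "sample hash is enrolled for the sample user"
fi
```

On a real system you would run `enroll_and_verify <UserShortName> <hash>` with the hash taken from `sc_auth hash` while the card is inserted, and `enrolled_hashes_for_user <UserShortName>` afterwards to list what is enrolled; the format check up front avoids handing sc_auth a truncated or mistyped hash that would silently fail to match the card at login.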