Re: Resend: [Fed-Talk] Re: lock a system on CAC removal
- Subject: Re: Resend: [Fed-Talk] Re: lock a system on CAC removal
- From: "Downin, David M CIV NSWCCD W. Bethesda, 5104" <email@hidden>
- Date: Mon, 30 Mar 2009 08:21:22 -0400
- Thread-topic: Resend: [Fed-Talk] Re: lock a system on CAC removal
Shawn,
I have my system set up and working with CAC login (login works, wake from screensaver works), however I do not see the option you mentioned in my Security preferences and there is no “General” option. I’m on a PPC running 10.4.11 (I suspect this is for Leopard only). Can this be done under Tiger?
On 3/29/09 9:58 PM, "Shawn A. Geddis" <email@hidden> wrote:
**Resending without signature for those on the Digest list....**
Walter,
“• Lock system on smart card removal. You can configure your Mac to automatically lock the system whenever you remove your smart card.”
System Preferences -> Security -> General
You will see an option to check "[ ] Activate screen saver when login token is removed" *after* you have configured your account for authentication with a Smart Card.
sc_auth accept -u <UserShortName> -h <PubKeyHash from Smart Card>
(i.e. just execute "sc_auth" by itself and you will see the usage / options)
Usage: sc_auth accept [-v] [-u user] [-d domain] [-k keyname] # by key on inserted card(s)
sc_auth accept [-v] [-u user] [-d domain] -h hash # by known pubkey hash
sc_auth remove [-v] [-u user] [-d domain] # remove all public keys for this user
sc_auth hash [-k keyname] # print hashes for keys on inserted card(s)
sc_auth list [-v] [-u user] [-d domain] # list pubkey hashes that can authenticate this user
This will add a value to your AuthenticationAuthority attribute in the specified Directory Service (by default local DS unless you specify a different one on the sc_auth command).
This reference is to when you have a smart card configured for login to your account. The system would trigger the Screen Saver lock when you remove the Smart Card you used for login. This allows you to have multiple smart cards inserted; removal of non-login smart cards would not generate an undesirable triggering of the screen lock. This would also not display an unnecessary option in the Preference Panel for those not using a Smart Card.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
On Mar 28, 2009, at 10:59 PM, "Adams, Walter CTR CNIC HQ, N61" <email@hidden> wrote:
Folks,
The following excerpt from a 2007 Apple document talks about using a CAC to lock a system on CAC removal – presumably unlock on inserting with a PIN. I can see no evidence in the interface or through a search of the security guides of how to do this. Anyone have any help?
A Technology Brief
Mac OS X: Security
“Smart cards. Smart cards enable you to carry your digital certificates with you. Mac OS X allows you to use your smart card whenever an authentication dialog is presented. This robust, two-factor authentication mechanism complies with Department of Defense Common Access Card, U.S. PIV, Belgium National Identification Card, Japanese government PKI, and Java Card 2.1 standards. Similar to an ATM card and a PIN code, two-factor authentication relies on something you have and something you know. If your smart card is lost or stolen, it cannot be used unless your PIN is also known.

Mac OS X has additional functionality for smart card use such as:

• Lock system on smart card removal. You can configure your Mac to automatically lock the system whenever you remove your smart card.”
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________________
Dave Downin
NSWC Carderock
Facility Engineering and Operations Department / Code 5104
9500 MacArthur Blvd.
West Bethesda, MD 20817-5000
(301) 227-4873 / Work
(301) 247-3520 / Cell
Attachment: smime.p7s (S/MIME cryptographic signature)
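The sc_auth procedure Shawn describes above, as an added example that is not part of the original thread: a POSIX shell snippet that checks whether a user's AuthenticationAuthority record actually carries the ;pubkeyhash; entry that "sc_auth accept" should have written, which is the condition under which the "Activate screen saver when login token is removed" option appears. The exact dscl output layout and the sample record are assumptions (constructed for illustration); dscl and sc_auth are only invoked when the script is run with --live on the Mac itself.

```shell
#!/bin/sh
# Added example (not from the thread). After "sc_auth accept -u USER -h HASH",
# confirm the directory record really carries the card's key hash.
#
# Assumptions (not stated on the page): dscl prints the attribute as
#   AuthenticationAuthority: ;ShadowHash; ;pubkeyhash;<40 hex chars>
# with values separated by spaces or newlines, and hashes compare
# case-insensitively. SAMPLE_RECORD below is constructed for illustration.

# Print each ;pubkeyhash; value found in the record text read from stdin, uppercased.
aa_pubkeyhashes() {
    tr ' ' '\n' | sed -n 's/^;pubkeyhash;\([0-9A-Fa-f]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# aa_has_hash HASH  -- exit 0 if HASH is one of the record's pubkeyhash values.
aa_has_hash() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1          # never match an empty field
    aa_pubkeyhashes | grep -qx "$want"
}

# check_record RECORD_TEXT HASH -> prints "present" (exit 0) or "missing" (exit 1)
check_record() {
    if printf '%s\n' "$1" | aa_has_hash "$2"; then
        echo present
    else
        echo missing
        return 1
    fi
}

# live_check USER HASH -- hypothetical wrapper: read the local DS record on the
# Mac and report. ("sc_auth hash" prints the card's hashes if you do not know it.)
live_check() {
    user=$1; hash=$2
    record=$(dscl . -read "/Users/$user" AuthenticationAuthority) || return 1
    if printf '%s\n' "$record" | aa_has_hash "$hash"; then
        echo "ok: $user has pubkeyhash $hash (smart card login configured)"
    else
        echo "missing: run  sc_auth accept -u $user -h $hash" >&2
        return 1
    fi
}

# Constructed sample of what dscl prints for an account after sc_auth accept.
SAMPLE_RECORD='AuthenticationAuthority: ;ShadowHash; ;pubkeyhash;F0E1D2C3B4A5968778695A4B3C2D1E0F00112233'
SAMPLE_HASH=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233

if [ "${1:-}" = "--live" ]; then
    live_check "$2" "$3"
else
    echo "sample record: $(check_record "$SAMPLE_RECORD" "$SAMPLE_HASH")"
fi
```

Run it as "sh check_cac.sh --live <UserShortName> <PubKeyHash>" on the Mac; "sc_auth list -u <UserShortName>" gives the same answer from sc_auth's side, and the two should agree.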