Re: [Fed-Talk] CAC Assistance
- Subject: Re: [Fed-Talk] CAC Assistance
- From: "Binet, Valere (NIH/NIA/IRP) [C]" <email@hidden>
- Date: Thu, 9 Dec 2010 14:33:22 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] CAC Assistance
Sorry for the late answer, emails from this list are moved to a separate folder I've ignored for a while.
- Login screen to only allow CAC's?
Please read the "Require smart card login" conversation from mid October on this list. Hopefully you'll find there a solution that works for you.
- Enforce the screen saver when the CAC is removed?
System Preferences -> Security -> General
Under "Require password [ ] after sleep or screen saver begins", you should find "Turn on screen saver when login token is removed". Checking that should do the trick.
This is a per-user setting, so you'll have to do this for every user on every Mac (unless you have system management software that can push this for you).
To enforce the screen saver for future user accounts, you can modify the user template (basic knowledge of the vi editor is necessary):
From an admin account, open a terminal window
$ sudo /bin/bash
enter your password
# cd /System/Library/User\ Template/English.lproj/Library/Preferences
# vi com.apple.screensaver.plist
find
<key>tokenRemovalAction</key>
<integer>1</integer>
Make sure the value is 1. If you can't find them, add these 2 lines before the </dict> line.
# exit
$
Hoping this helps.
Valère Binet, ACHDS
IT Security Administrator
Contractor, Kelly Services
NIH / NIA / IRP
Tel : 410 558 8013
mailto: email@hidden
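The user-template edit described in the reply above, done with awk instead of by hand in vi, as an added example that is not part of the original mail. It works on the XML form of com.apple.screensaver.plist, which is what the 10.6 user template carried; a binary plist must first be converted with `plutil -convert xml1 <file>` (macOS only). The two functions take any plist path; the template path from the mail is the intended target.

```shell
#!/bin/sh
# Added example (not from the original mail): set tokenRemovalAction to 1 in
# an XML com.apple.screensaver.plist, rewriting an existing value or adding
# the key/integer pair just before the final </dict>, exactly as the manual
# vi edit in the mail describes.
set -eu

# Print the current integer value of tokenRemovalAction in plist $1,
# or "absent" if the key is not present.
token_removal_value() {
    awk '
        /<key>tokenRemovalAction<\/key>/ { want = 1; next }
        want && /<integer>/ {
            line = $0
            gsub(/.*<integer>|<\/integer>.*/, "", line)
            print line; found = 1; exit
        }
        { want = 0 }
        END { if (!found) print "absent" }
    ' "$1"
}

# Set tokenRemovalAction to 1 in plist $1 (1 = start the screen saver when
# the login token is removed). The file is rewritten in place through a temp
# copy, so run this as root on the system template and keep a backup first.
ensure_token_removal() {
    file=$1
    tmp="$file.tmp.$$"
    awk '
        { lines[++n] = $0 }
        /<key>tokenRemovalAction<\/key>/ { want = 1; next }
        want && /<integer>/ {
            sub(/<integer>[^<]*<\/integer>/, "<integer>1</integer>", lines[n])
            found = 1
        }
        { want = 0 }
        END {
            # find the last </dict>; the new pair goes right before it
            last = 0
            for (i = 1; i <= n; i++) if (lines[i] ~ /<\/dict>/) last = i
            for (i = 1; i <= n; i++) {
                if (!found && i == last) {
                    print "\t<key>tokenRemovalAction</key>"
                    print "\t<integer>1</integer>"
                }
                print lines[i]
            }
            # no </dict> at all: not a plist we understand, refuse to touch it
            if (!found && last == 0) exit 2
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"      # copy back over the original to keep its owner and mode
    rm -f "$tmp"
}

# Run directly with the plist path as the argument, e.g. (as root):
#   sh ensure_token_removal.sh "/System/Library/User Template/English.lproj/Library/Preferences/com.apple.screensaver.plist"
if [ $# -ge 1 ]; then
    ensure_token_removal "$1"
    echo "tokenRemovalAction is now $(token_removal_value "$1")"
fi
```

The value check is deliberately separate from the edit so you can audit a fleet of template (or per-user) plists first and only rewrite the ones that are missing the key or have it set to 0. Running the edit twice is safe: the second pass finds the key and leaves a single pair in place.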
On 12/1/10 3:58 PM, "Smith CIV Larry E" <email@hidden> wrote:
Michael - thanks for the info. This seems to work fine on mobile accounts on different clients. Two more questions: can you change the login screen to only allow CACs and can you enforce the screen saver or lock the client when the CAC is removed?
Thanks
Larry
Larry E. Smith II
Technical Director
USMC CDET
2300 A Louis Rd.
Quantico, VA 22134
703-784-5193 DSN 278
Bb 240-299-2226
-----Original Message-----
From: fed-talk-bounces+larry.e.smith=email@hidden [mailto:fed-talk-bounces+larry.e.smith=email@hidden] On Behalf Of Michael Winslow
Sent: Monday, November 29, 2010 11:45 PM
To: Niles, John B RET; email@hidden
Subject: Re: [Fed-Talk] CAC Assistance
Yes, it is pretty easy to set up CAC login on your Mac. I do not have CAC authentication working with the Apple Mail app, but I do have my Webmail working via Entourage for Mac (2008) via CAC.
To get CAC login to your Mac working, you simply need to link the CAC Cert ID with your account on your machine. Apple built in a command line tool for doing this. Step by step instructions would be as follows (for Snow Leopard 10.6). I am assuming that you have an administrative account on your machine (if you don't, some steps may change slightly).
1. Open a Terminal Window (Macintosh HD -> Applications -> Utilities -> Terminal.app)
2. Type in "sc_auth hash" without the quotes.
3. Select the long hash code (hexadecimal) number for your Identity Private Key (should be 40 characters long). Copy this hexadecimal number.
4. You need to know your account's short name; if you do not know what it is, you can simply type "whoami" into Terminal and it will tell you your short name.
5. Finally, map your certificate to your CAC by typing in the following command: "sudo sc_auth accept -u <SHORT_NAME> -h <CERT_HASH_NUMBER>", replacing <SHORT_NAME> with your account's short name that you got in Step 4 and <CERT_HASH_NUMBER> with the hash that you copied in Step 3. You will be prompted to type in your password, as this requires privileged access.
Here is the supporting document that I used to come up with this...
http://support.apple.com/kb/TA24244?viewlocale=en_US
Thanks,
Michael Winslow
SPAWAR Systems Center Pacific
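A small wrapper around the five sc_auth steps in Michael's message, as an added example that is not part of the original post. It pulls the identity-key hash out of `sc_auth hash`, refuses anything that is not a 40-character hex value before calling `sc_auth accept`, and then checks that the hash shows up in `sc_auth list -u <user>`, the 10.6 subcommand that prints the hashes accepted for an account. It assumes `sc_auth hash` prints one "<hash> <key name>" line per key on the card; the sample output embedded below is constructed, not taken from a real card, and the account name `testuser` in the usage is likewise made up.

```shell
#!/bin/sh
# Added example, not from the original post: validate and verify the
# "sc_auth accept -u <SHORT_NAME> -h <CERT_HASH_NUMBER>" mapping step.
set -eu

# True if $1 is exactly 40 hex characters, the form sc_auth accept -h expects.
is_valid_hash() {
    [ "${#1}" -eq 40 ] && printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]+$'
}

# Read `sc_auth hash` output on stdin and print the hash of the first key
# whose name contains $1 (default "Identity"); prints nothing if none matches.
# Assumes the hash is the first field of each line and the key name follows it.
pick_hash() {
    awk -v want="${1:-Identity}" '
        index($0, want) && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print $1; exit }
    '
}

# Map hash $2 to local account $1 (step 5 in the message) and verify the
# mapping. Runs the real commands only where sc_auth exists (a Mac); anywhere
# else it just shows what would be run.
map_cac_to_user() {
    user=$1
    hash=$2
    if ! is_valid_hash "$hash"; then
        echo "refusing to map '$hash': not a 40-character hex hash" >&2
        return 1
    fi
    if command -v sc_auth >/dev/null 2>&1; then
        sudo sc_auth accept -u "$user" -h "$hash"
        # sc_auth list shows the hashes accepted for the account; ours must be there
        sc_auth list -u "$user" | grep -qi "$hash" || {
            echo "mapping for $user not visible in sc_auth list" >&2
            return 1
        }
    else
        echo "would run: sudo sc_auth accept -u $user -h $hash"
        echo "then verify: sc_auth list -u $user | grep -i $hash"
    fi
}

# Constructed sample of `sc_auth hash` output for trying pick_hash offline.
# These are made-up values, not hashes from a real card.
SAMPLE_HASH_OUTPUT='0123456789ABCDEF0123456789ABCDEF01234567 CAC Email Encryption Key
89ABCDEF0123456789ABCDEF0123456789ABCDEF Identity Private Key
FEDCBA9876543210FEDCBA9876543210FEDCBA98 CAC Email Signature Key'

# Invoked with an account name (e.g. "sh map_cac.sh $(whoami)"), do the real
# thing, which needs sudo and the card in the reader; with no arguments the
# script only defines the functions.
if [ $# -ge 1 ]; then
    hash=$(sc_auth hash | pick_hash Identity)
    map_cac_to_user "$1" "$hash"
fi
```

The validation matters because `sc_auth accept` takes whatever hash it is given: a copy-and-paste error (a truncated hash, or the e-mail signature key instead of the identity key) silently maps the wrong certificate, and the login prompt then keeps rejecting the card. Checking `sc_auth list -u` after the fact is the quickest way to see what an account actually trusts before you start tightening the login window to CAC only.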
On 11/29/10 8:12 AM, "Niles, John B RET" <email@hidden> wrote:
> Fed-Talk,
>
> I have recently been informed that all computers on our network must be equipped to log in with a CAC card. No password logins will be allowed. The deadline is mid-December (I usually get these notices late).
>
> I am working with some of the IT people at my location regarding my Macs. There are some options. However, their contract does not cover Macs, so for the most part, I will have to figure something out, or I will be using PC's shortly.
>
> The best solution would be to modify my login to require a CAC. While I know this is possible, I do not know of a simple way to arrange this.
>
> Does someone have a cookbook solution for this problem suitable for someone who is not an IT type? Just a step by step route?
>
> Also, is there a cookbook solution for modifying Mail to login only with a CAC? This is not as important because I can always fall back to AKO CAC login, although it would be clunky.
>
> Regards,
>
> John Niles
> OGL Enterprises LLC
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden