Re: [Fed-Talk] CAC-enabled login OS X10.7 & 10.8
- Subject: Re: [Fed-Talk] CAC-enabled login OS X10.7 & 10.8
- From: Michael Kluskens <email@hidden>
- Date: Tue, 19 Feb 2013 13:40:35 -0500
I'm well aware of the sc_auth command and on previous versions of OS X I had CAC login enabled. However, in testing an OS X Lion and an OS X Mt. Lion system, inserting the CAC card has no effect. Both systems otherwise have full CAC functionality and I used the Identity Private Key.
I have not yet tried this on a clean system with no security configuration (disabling suid binaries, etc.), so it is possible that both systems have been broken with regard to CAC login.
I was hoping someone could actually confirm what setup works on OS X 10.7 & 10.8 because at present the discussed information has not worked for me.
Looking at /etc/authorization under system.login I see:

    builtin:policy-banner
    loginwindow:login
    builtin:reset-password,privileged
    builtin:forward-login,privileged
    builtin:auto-login,privileged
    builtin:authenticate,privileged
    PKINITMechanism:auth,privileged
    loginwindow:success
    HomeDirMechanism:login,privileged
    HomeDirMechanism:status
    MCXMechanism:login
    loginwindow:done

and under authenticate I see:

    builtin:authenticate
    builtin:reset-password,privileged
    builtin:authenticate,privileged
    PKINITMechanism:auth,privileged

Comparing against 10.4 references, these seem to indicate that smart card login is already enabled, besides the name change from smartcard-sniffer to PKINITMechanism.
Michael
> From: "Danberry, Michael J Mr ARMY GUEST USA" <email@hidden>
> The specific location for this information is at: http://militarycac.com/errors2.htm#OTHER_QUESTIONS. Question 2
> From: "Bomar, Matt W ERDC-RDE-ITL-MS Contractor" <email@hidden>
>
> Have you looked at the "sc_auth" command? It should allow you to associate
> a certificate with a local user account for CAC login. It's still present
> in 10.8.
>
> On 2/14/13 4:30 PM, "Michael Kluskens" <email@hidden> wrote:
>
>> What are the choices for CAC enabled login on OS X 10.7 & 10.8?
>>
>> I'm looking at OS X systems which may not have access to a MS Domain
>> Server, i.e. isolated network. Some would have access and some would not
>> have access all the time.
>>
>> I thought maybe some changes to /etc/authorization might reenable
>> CAC-login but I haven't started an attempt yet.
>>
>> Unfortunately Apple dropped support and now it is a requirement in many
>> places, all places that supply Windows-software for this but if you use
>> OS X you have to find your own solution.
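An added example, not part of the original message and not Apple's tooling: a Python audit that parses an authorization plist and reports, for the two entries quoted in the message, which smart-card mechanisms are listed and how the file differs from the lists in the post (useful when a hardening pass may have altered the file). The sample file is constructed; the right name system.login.console (the post says "system.login") and the rights/rules layout are assumptions.

```python
import plistlib

# Names the post associates with smart-card login: "smartcard-sniffer"
# (10.4 references) and "PKINITMechanism" (10.7/10.8).
SMARTCARD_NAMES = ("smartcard-sniffer", "PKINITMechanism")

# Mechanism lists copied from the post. The right name "system.login.console"
# (the post says "system.login") and the rights/rules layout are assumptions.
REFERENCE = {
    ("rights", "system.login.console"): [
        "builtin:policy-banner", "loginwindow:login",
        "builtin:reset-password,privileged", "builtin:forward-login,privileged",
        "builtin:auto-login,privileged", "builtin:authenticate,privileged",
        "PKINITMechanism:auth,privileged", "loginwindow:success",
        "HomeDirMechanism:login,privileged", "HomeDirMechanism:status",
        "MCXMechanism:login", "loginwindow:done"],
    ("rules", "authenticate"): [
        "builtin:authenticate", "builtin:reset-password,privileged",
        "builtin:authenticate,privileged", "PKINITMechanism:auth,privileged"],
}

def build_sample(overrides=None):
    """Serialize a constructed authorization plist (not a real system's file)."""
    db = {"rights": {}, "rules": {}}
    for (section, name), mechs in {**REFERENCE, **(overrides or {})}.items():
        db[section][name] = {"class": "evaluate-mechanisms", "mechanisms": list(mechs)}
    return plistlib.dumps(db)

def audit(plist_bytes):
    """Per quoted entry: smart-card mechanisms present, and drift from the post's list."""
    db = plistlib.loads(plist_bytes)
    report = {}
    for (section, name), expected in REFERENCE.items():
        mechs = db.get(section, {}).get(name, {}).get("mechanisms", [])
        report[f"{section}/{name}"] = {
            "smartcard": [m for m in mechs if any(n in m for n in SMARTCARD_NAMES)],
            "missing": [m for m in expected if m not in mechs],
            "extra": [m for m in mechs if m not in expected],
            "order_ok": [m for m in mechs if m in expected]
                        == [m for m in expected if m in mechs],
        }
    return report

if __name__ == "__main__":
    # Constructed drift: the authenticate rule with PKINITMechanism removed.
    rule = ("rules", "authenticate")
    for entry, result in audit(build_sample({rule: REFERENCE[rule][:3]})).items():
        print(entry, result)
```

To check a real system, pass the bytes read from /etc/authorization to audit() instead of the constructed sample.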