Re: [Fed-Talk] Mandatory Smartcard Login / Login Keychain Password
- Subject: Re: [Fed-Talk] Mandatory Smartcard Login / Login Keychain Password
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 11 Sep 2015 13:30:32 +0000
- Thread-topic: [Fed-Talk] Mandatory Smartcard Login / Login Keychain Password
Unfortunately not having the login keychain auto-unlock causes all kinds of headaches.
A better design would be to wrap the login keychain master key under a public key of one of the smartcard PKI credentials--preferably the encryption key--and use that for unlock, but programmers are known for expedience.
-- T
> -----Original Message-----
> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-
> bounces+tmiller=email@hidden] On Behalf Of Rowe, Walter
> Sent: Thursday, September 10, 2015 12:38 PM
> To: Apple Fed-Talk List <email@hidden>
> Subject: Re: [Fed-Talk] Mandatory Smartcard Login / Login Keychain
> Password
>
> Thanks Tom. That is what I expected.
>
> The question then becomes whether there is a control in OS X to mandate
> that the keychain secret differ from the login password / PIN provided at
> login. The concern is that if a PIV PIN is 6 digits, then unlocking the keychain is
> as simple as a brute force rotation through 10^6 combinations of digits.
>
> Mandating that the keychain secret differ from the login password / PIN
> would improve the security of keychain. Alternatively, it would be great if the
> authentication and password policy for login was also applied to unlocking
> keychain.
>
> If your system only allows PIV to log in, then only allow PIV to unlock the
> keychain - real PIV complete with certificate verification, not just the PIN
> number. FileVault allows multiple authorized credentials to unlock a disk.
> Imagine you have a similar behavior with keychain where multiple methods
> can unlock the keychain - username/password OR smartcard.
>
> --
> Walter Rowe, Application Hosting
> Infrastructure Services / OISM / NIST
> US Department of Commerce
> Email: email@hidden <mailto:email@hidden>
> Office: 301.975.2885
>
>
> On Sep 10, 2015, at 12:26 PM, Burgin, Thomas (NIH/NIMH) [C]
> <email@hidden <mailto:email@hidden> > wrote:
>
> Hey Walter,
>
>
> When you login with a SmartCard on OS X, the SmartCard “PIN” is
> used as the “password” to create a new or unlock the Login and Local Items /
> iCloud keychain.
> From what I can tell, there is no changing this behavior.
> There are workarounds, but they are not very elegant. You can open
> Keychain Access and disable Login Keychain password sync. All this option
> does is disable the popup dialog that prompts a user when their Login
> Keychain and Login Password are out of sync. With this disabled you can set
> the Login Keychain to a static strong password. The user would then be
> prompted to unlock the Login Keychain every time they log in…
>
> Tom Burgin [C]
> Mac Support Engineer
> (301) 443-3904
> NIMH | IRTMB
>
>
> From: "Rowe, Walter"
> Date: Thursday, September 10, 2015 at 11:37 AM
> To: Apple Fed-Talk List
> Subject: [Fed-Talk] Mandatory Smartcard Login / Login Keychain
> Password
>
>
> OS X typically keeps the user login password and secret to unlock the
> login keychain in sync. If you enforce a smartcard-only login where you log in
> with your smartcard and PIN, OS X will use your PIN as the secret to unlock
> your login keychain (do I understand this correctly?).
>
>
> Is there a control in OS X to prevent the login keychain secret from being
> the same as the smartcard PIN when smartcard-only login is enforced (i.e.
> Centrify, et al)?
> --
> Walter Rowe, Application Hosting
> Infrastructure Services / OISM / NIST
> US Department of Commerce
> Email: email@hidden <mailto:email@hidden>
> Office: 301.975.2885
>
>
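The design Tim proposes above (a random keychain master key wrapped under the card's encryption public key, so the PIN gates an on-card private-key operation instead of being the keychain secret), as an added Go example that is not part of this thread. The Card type is a constructed stand-in for a PIV card with an assumed three-try PIN counter; the OAEP label and the PINs in the test are made up.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

var ErrBlocked = errors.New("card blocked: PIN retry counter exhausted")
var ErrBadPIN = errors.New("wrong PIN")

const label = "login-keychain-master" // assumed OAEP label tying the wrapped key to its purpose

// Card is a constructed model of a PIV card: the encryption private key never
// leaves it, and every private-key operation is gated by a PIN with a retry counter.
type Card struct {
	priv    *rsa.PrivateKey
	pin     []byte
	retries int
}

func NewCard(pin string) (*Card, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pin: []byte(pin), retries: 3}, nil
}

func (c *Card) Public() *rsa.PublicKey { return &c.priv.PublicKey }

// Decrypt is the on-card RSA-OAEP operation: a wrong PIN burns a retry and an
// exhausted counter refuses every further call, unlike a PIN-derived keychain password.
func (c *Card) Decrypt(pin string, ct []byte) ([]byte, error) {
	if c.retries == 0 {
		return nil, ErrBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.retries--
		return nil, ErrBadPIN
	}
	c.retries = 3 // a correct PIN resets the counter, as real cards do
	return rsa.DecryptOAEP(sha256.New(), nil, c.priv, ct, []byte(label))
}

// WrapMasterKey draws a fresh 256-bit keychain master key and wraps it under the
// card's encryption public key; this blob, not a PIN-derived secret, would sit on disk.
func WrapMasterKey(pub *rsa.PublicKey) (master, wrapped []byte, err error) {
	master = make([]byte, 32)
	if _, err = rand.Read(master); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, []byte(label))
	return master, wrapped, err
}
```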