Re: [Fed-Talk] Mandatory Smartcard Login / Login Keychain Password
- Subject: Re: [Fed-Talk] Mandatory Smartcard Login / Login Keychain Password
- From: Ron Colvin <email@hidden>
- Date: Fri, 11 Sep 2015 09:51:08 -0400
I disagree, Ridley. The reason that the current CIS Benchmarks do not
recommend a distinct password for the login keychain is that the
Operating System has become less friendly to maintaining distinct
passwords. Even auto-locking features for sleep and timeouts are
painful to users when the same password is used, let alone multiple
ones. The prose in the Benchmark definitely mentions it can be done
but it is not recommended.
The 10.6 Benchmark was released 5 years ago; with 10.11 due in less
than a month, I do not see that as authoritative guidance for OS X.
If there was more common use of smartcards on OS X for console
authentication I would be glad to include information on handling
the login keychain differently. The challenges are that the keychain
does need to be locked periodically and the users will justifiably
rebel if their main activity seems to be unlocking keychain dialogue
boxes.
On 9/10/15 2:21 PM, Disiena, Ridley (MSFC-IS60)[EAST] wrote:
I believe this Apple / NSA guidance in absence of USGCB or other
related security baseline for OS X, might be the most recent
pertinent guidance on the subject. There are CIS benchmark and
other guides for more recent versions of OS X but they do not
address the issue of the login keychain being the same as the
Login credential. No guidance exists with regards to smartcard
PINs and the login keychain password specifically that I am
aware of, but it is clear in this NSA / Apple guidance that the
login keychain should not automatically be unlocked and that to
do this it must be set to something different than what was used
to login with. I interpret this as the login keychain password
should not be the system login password, FileVault 2 password,
nor the smartcard PIN.
--
********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<email@hidden>
Direct phone 301-286-2451
NASA Jabber (email@hidden) AIM rcolvin13
NASA LCS (email@hidden)
********************************************************
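Both messages above turn on whether the login keychain is locked periodically rather than staying unlocked for the whole session. The script below is an added example, not part of this thread and not from either author: a POSIX shell audit that reads the one-line summary printed by the macOS `security show-keychain-info` command and reports whether the login keychain locks on sleep and after an acceptable inactivity timeout. The exact wording of that summary line (`Keychain "<path>" lock-on-sleep timeout=300s` / `no-timeout`) is assumed from memory, so the embedded sample lines are constructed and should be compared against a real machine before the check is trusted. When the `security` tool is absent (any non-macOS host) the script audits the constructed samples instead, so it can be exercised anywhere.

```shell
#!/bin/sh
# Constructed sample lines in the format `security show-keychain-info` is
# assumed to print (assumption: verify against real output on macOS).
SAMPLE_OK='Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_BAD='Keychain "/Users/bob/Library/Keychains/login.keychain-db" no-timeout'

# audit_keychain_line LINE MAX_TIMEOUT_SECONDS
# Returns 0 when the line shows lock-on-sleep AND a timeout no larger than
# MAX_TIMEOUT_SECONDS; returns 1 otherwise and prints the finding.
audit_keychain_line() {
    line=$1
    max=$2
    case "$line" in
        *lock-on-sleep*) sleep_ok=1 ;;
        *)               sleep_ok=0 ;;
    esac
    # Extract the numeric timeout; empty when the keychain has no timeout.
    timeout=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p')
    if [ -z "$timeout" ]; then
        timeout_ok=0
    elif [ "$timeout" -le "$max" ]; then
        timeout_ok=1
    else
        timeout_ok=0
    fi
    if [ "$sleep_ok" -eq 1 ] && [ "$timeout_ok" -eq 1 ]; then
        printf 'PASS: %s\n' "$line"
        return 0
    fi
    printf 'FAIL (lock-on-sleep=%s timeout=%s): %s\n' \
        "$sleep_ok" "${timeout:-none}" "$line"
    return 1
}

# audit_login_keychain MAX_TIMEOUT_SECONDS
# On macOS, queries the real login keychain; elsewhere, audits the
# constructed samples. Returns 0 only if everything audited passes.
# Remediation on macOS (real flags of the `security` tool):
#   security set-keychain-settings -l -u -t 300 ~/Library/Keychains/login.keychain-db
#   (-l lock on sleep, -u lock after timeout, -t timeout in seconds)
audit_login_keychain() {
    max=${1:-300}
    if command -v security >/dev/null 2>&1; then
        kc="$HOME/Library/Keychains/login.keychain-db"
        info=$(security show-keychain-info "$kc" 2>&1)
        audit_keychain_line "$info" "$max"
        return $?
    fi
    status=0
    audit_keychain_line "$SAMPLE_OK" "$max" || status=1
    audit_keychain_line "$SAMPLE_BAD" "$max" || status=1
    return "$status"
}

# Stand-alone run: 300 s is an example threshold, not a value from the thread.
if audit_login_keychain 300; then
    echo "login keychain lock settings: OK"
else
    echo "login keychain lock settings: review findings above"
fi
```

The check deliberately treats "no lock-on-sleep" and "timeout above the threshold" as separate findings, since the auto-lock behaviour is what the thread identifies as the real source of user friction, and an administrator deciding on a distinct keychain password needs to know which of the two settings is actually in effect.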
Fed-talk mailing list (email@hidden)