Sep 30

iPhone accessories now prompt for download


According to iLounge, Apple has begun to allow Made For iPod and Works With iPhone-certified developers to include automatic application download prompts. If the devices are connected to the Internet via Wi-Fi, the user can just plug in the accessory, and it will start up the App Store to download the software needed to get the devices to work.

This feature was introduced in iPhone OS 3.0, but this is the first time iLounge has seen it in action. The screenshots below, taken from iLounge, show the steps of installing the Griffin iTrip Controller.

[Screenshots: accessory app download prompt, steps 1 to 3]
Full review can be found here: Griffin iTrip for iPod + iPhone With iTrip Controller App

written by AppleMacGenius

Sep 25

AT&T’s MMS carrier settings update now available via Apple’s iTunes


To check if a carrier settings update is available for your iPhone:
1. Make sure you have a working Internet connection on your computer and you have iTunes 7.7 or later.
2. Connect iPhone to the computer and open iTunes.
3. Click “Update Settings.”
4. Restart your iPhone:
– Hold the power button until “slide to power off” appears.
– Slide to power off your device.
– When it is off, press the power button to turn it back on.


written by AppleMacGenius

Sep 15

Enabling CAC login and creating FileVault CAC user in 10.5


These steps to enable Smart Card login (in the DOD space, Common Access Card or CAC login) have been around since 10.4. The steps that follow cover two different things. The first set enables CAC login on your Macintosh. The second set enables a FileVaulted user with CAC. You will be using the Terminal for both of these, so if you are not familiar with Terminal I suggest you do not use it.

It is safe to install a successfully modified /etc/authorization to enable smart card login on any client system, even those without smart card readers. If no reader or card is present, the user will continue to see the default login window, and there will be no performance impact. To support login with a smart card on Mac OS X 10.5/10.6, the card must support signing with a public key. In addition, the card itself must have a plugin, known as a tokend, that can communicate with securityd and the card itself.

Smart cards and Directory Services

Part of the login process is to look up the expected user in a directory service such as Open Directory, LDAP, or Active Directory. The first and recommended method to link a smart card user with a record in a directory service is to add the hash of the public key to the user’s directory record. This is the most convenient and most secure way of identifying a smart card user. The second method is to look up the user based on values drawn from the email signing certificate, as required for US Federal Government smart card use.

A script is preinstalled to assist you in binding a smart card to a user’s local directory domain record. This is /usr/sbin/sc_auth:

myhostname# /usr/sbin/sc_auth -h
Usage: sc_auth accept [-v] [-u user] [-k keyname] # by key on inserted card(s)
       sc_auth accept [-v] [-u user] -h hash # by known pubkey hash
       sc_auth remove [-v] [-u user] # remove all public keys for this user
       sc_auth hash [-k keyname] # print hashes for keys on inserted card(s)

An example of the output from this for a US Department of Defense Common Access Card is:

myhostname% sc_auth hash
01C2F20D8964BE7701B57B63B0A1795B8F2604C1 Identity Private Key
443F30C356E676F447CD4DA89F46CC0CCED19737 Email Signing Private Key
4845564C1F8C6B378C19B8F262CE422933CF1FD1 Email Encryption Private Key

To add a user to the local directory:

myhostname% sudo sc_auth accept -u myuser -h 01C2F20D8964BE7701B57B63B0A1795B8F2604C1

…where "01C2F20D8964BE7701B57B63B0A1795B8F2604C1" is the hash for the key associated with the Identity Private Key. Refer to the script for further usage instructions. You will need to run this as a user authorized to modify the directory. In this example, any of the hash entries listed could have been used for associating the card to the account. If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).

The script adds a field to the user’s authentication_authority property. For example, after executing the command above, the authentication_authority property for the user looks like:

myhostname% dscl . -read /Users/myuser

"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;01C2F20D8964BE7701B57B63B0A1795B8F2604C1" );

One can immediately log in to a new session using the smart card.

Smart card login uses Open Directory for all of its user lookups, so any supported directory structure will function properly.
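To audit a binding after running sc_auth accept, the following added example (not part of the original post or of Apple's tooling) checks that every ;pubkeyhash; entry in a user record corresponds to a key on the inserted card and flags any that do not. The function names are hypothetical, and the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: audit which smart card key hashes are bound to an account.
# Function names are hypothetical; sample data is constructed for the demo.

# Constructed sample of `sc_auth hash` output (values shown in the article).
SAMPLE_CARD='01C2F20D8964BE7701B57B63B0A1795B8F2604C1 Identity Private Key
443F30C356E676F447CD4DA89F46CC0CCED19737 Email Signing Private Key
4845564C1F8C6B378C19B8F262CE422933CF1FD1 Email Encryption Private Key'

# Constructed sample of a user record, with the hash wrapped onto a second
# line as can happen in copied terminal output.
SAMPLE_RECORD='"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;
01C2F20D8964BE7701B57B63B0A1795B8F2604C1" );'

# Print every 40-hex-digit hash bound via ;pubkeyhash; in a user record.
# Whitespace is stripped first so a wrapped hash is still matched.
bound_hashes() {    # $1 = user record text
    printf '%s' "$1" | tr -d ' \t\r\n' |
        grep -oE ';pubkeyhash;[0-9A-Fa-f]{40}' | cut -d';' -f3 |
        tr 'a-f' 'A-F'
}

# Print the name of the card key that has the given hash, or nothing.
card_key_name() {   # $1 = sc_auth hash output, $2 = hash
    printf '%s\n' "$1" | awk -v h="$2" 'toupper($1) == toupper(h) {
        sub(/^[^ ]+ +/, ""); print; exit }'
}

# Report each binding. Returns 0 if all bound hashes are on the card,
# 1 if the record has no smart card binding, 2 if any hash is unknown.
audit_binding() {   # $1 = sc_auth hash output, $2 = user record text
    found=$(bound_hashes "$2")
    [ -n "$found" ] || { echo "NO-BINDING"; return 1; }
    result=0
    for h in $found; do
        name=$(card_key_name "$1" "$h")
        if [ -n "$name" ]; then
            echo "OK $h ($name)"
        else
            echo "UNKNOWN $h (not on the inserted card)"
            result=2
        fi
    done
    return $result
}

audit_binding "$SAMPLE_CARD" "$SAMPLE_RECORD"
```

On a real system, pass the live output instead of the samples: audit_binding "$(sc_auth hash)" "$(dscl . -read /Users/myuser)".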

Enabling FileVault

1. Enable FileVault Master password

2. Use tokenadmin to create a FileVault User
$ tokenadmin create-fv-user -u <user> -l "<UserName>" -p <password>
(the -p <password> argument is optional)

3. Display available public key hash(es) from Smart Card
$ sc_auth hash

4. Bind Smart card to user account with public key hash
$ sc_auth accept -u <user> -h <hash>

5. Mount FileVault image file
$ hdiutil attach /Users/<user>/<user>.sparsebundle

6. Set User’s login Keychain to unlock with Smart Card
$ systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain

7.  Unmount FileVault image file
$ hdiutil unmount /Users/<user>

Note: Right now under Snow Leopard these steps fail.  I am working with Apple to figure out the solution.  Check back soon.

Caveats and Recommendations – Things to keep in mind when deploying

You Must:
Create a NEW FileVault account
Have a Smart Card with an Encryption Key

You Should:
Ensure access to system via a second Admin Account
Escrow the Encryption Key for recovery
Securely Erase FREE Space afterwards via Disk Utility or srm

To support login with a smart card on Mac OS X 10.4, the card must support signing with a public key. In addition, the card itself must have a plugin, known as a tokend, that can communicate with securityd and the card itself.

written by AppleMacGenius