Enabling CAC login and creating FileVault CAC user in 10.5

These steps to enable Smart Card login, or in the DOD space Common Access Card (CAC) login, have been around since 10.4.  The steps that follow are for two different things.  The first is to enable CAC login on your Macintosh.  The second set of steps is to enable a FileVaulted user with CAC.  You will be using the Terminal for both of these, so if you are not familiar with Terminal I suggest you do not attempt this.  It is safe to install a successfully modified /etc/authorization to enable smart card login on any client system, even those without smart card readers. If no reader or card is present, the user will continue to see the default login window, and there will be no performance impact.  To support login with a smart card on Mac OS X 10.5/10.6, the card must support signing with a public key. In addition, the card itself must have a plugin, known as a tokend, that can communicate with securityd and the card itself.

Smart cards and Directory Services

Part of the login process is to do a lookup for the expected user in a directory service such as Open Directory, LDAP, or Active Directory. The first and recommended method to link a smart card user with a record in a directory service is to add the hash of the public key to the user’s directory record. This is the most convenient and most secure way of identifying a smart card user.  The second method is to look up the user based on values drawn from the email signing certificate, as required for US Federal Government smart card use.

A script is preinstalled to assist you in binding a smart card to a user’s local directory domain record. This is /usr/sbin/sc_auth:

myhostname# /usr/sbin/sc_auth -h
Usage:  sc_auth accept [-v] [-u user] [-k keyname]  # by key on inserted card(s)
        sc_auth accept [-v] [-u user] -h hash       # by known pubkey hash
        sc_auth remove [-v] [-u user]               # remove all public keys for this user
        sc_auth hash [-k keyname]                   # print hashes for keys on inserted card(s)

An example of the output from this for a US Department of Defense Common Access Card is:

myhostname% sc_auth hash
01C2F20D8964BE7701B57B63B0A1795B8F2604C1 Identity Private Key
443F30C356E676F447CD4DA89F46CC0CCED19737 Email Signing Private Key
4845564C1F8C6B378C19B8F262CE422933CF1FD1 Email Encryption Private Key

To add a user to the local directory:

myhostname% sudo sc_auth accept -u myuser -h 01C2F20D8964BE7701B57B63B0A1795B8F2604C1

…where “01C2F20D8964BE7701B57B63B0A1795B8F2604C1” is the hash for the key associated with the Identity Private Key.  Refer to the script for further usage instructions. You will need to run this as a user authorized to modify the directory.  In this example, any of the hash entries listed could have been used for associating the card to the account.  If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).

The script adds a field to the user’s authentication_authority property. For example, after executing the command above, the authentication_authority property for the user looks like:

myhostname% dscl . -read /Users/myuser
"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;01C2F20D8964BE7701B57B63B0A1795B8F2604C1" );

One can immediately log in to a new session using the smart card.
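The two outputs above, sc_auth hash and the bound user record, are what a deployment script has to read when it binds a card to an account. The following helpers, added here as an example and not part of the original post, parse both formats: key_hash_for picks the hash for a named key so a script binds the intended key rather than whichever line comes first, and pubkeyhashes_of lists every hash already bound to a record (including the case of several cards on one account). The function names are mine, and the sample text is constructed from the post's own example values; on a Mac you would feed them $(sc_auth hash) and $(dscl . -read /Users/myuser) instead.

```shell
#!/bin/sh
# Added example (not from the original post): parsers for the output of
# `sc_auth hash` and of `dscl . -read`, run here on constructed samples.

# Constructed sample of `sc_auth hash` output (the post's example values).
SAMPLE_SC_AUTH_HASH='01C2F20D8964BE7701B57B63B0A1795B8F2604C1 Identity Private Key
443F30C356E676F447CD4DA89F46CC0CCED19737 Email Signing Private Key
4845564C1F8C6B378C19B8F262CE422933CF1FD1 Email Encryption Private Key'

# Constructed sample of the user record after one `sc_auth accept`.
SAMPLE_DSCL_READ='"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;01C2F20D8964BE7701B57B63B0A1795B8F2604C1" );'

# Constructed sample of a record with two cards bound (second hash is made up).
SAMPLE_DSCL_TWO_CARDS='"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;01C2F20D8964BE7701B57B63B0A1795B8F2604C1", ";pubkeyhash;F0E1D2C3B4A5968778695A4B3C2D1E0F00112233" );'

# key_hash_for "Key Label" "$(sc_auth hash)"
# Prints the hash on the line whose label (everything after the hash)
# matches exactly; prints nothing if the card has no such key.
key_hash_for() {
    printf '%s\n' "$2" | awk -v label="$1" '
        { if (substr($0, length($1) + 2) == label) print $1 }'
}

# pubkeyhashes_of "$(dscl . -read /Users/NAME)"
# Prints every 40-hex-digit hash that follows a ;pubkeyhash; marker,
# one per line, however many cards are bound to the record.
pubkeyhashes_of() {
    printf '%s\n' "$1" \
        | grep -oE ';pubkeyhash;[[:space:]]*[0-9A-Fa-f]{40}' \
        | sed 's/.*;pubkeyhash;[[:space:]]*//'
}

# user_has_pubkeyhash "$(dscl . -read /Users/NAME)" HASH
# Exit status 0 when HASH is already bound to the record (case-insensitive),
# so a provisioning script can skip a redundant `sc_auth accept`.
user_has_pubkeyhash() {
    pubkeyhashes_of "$1" | grep -qix "$2"
}

# Usage on the constructed samples:
#   key_hash_for 'Identity Private Key' "$SAMPLE_SC_AUTH_HASH"
#   pubkeyhashes_of "$SAMPLE_DSCL_TWO_CARDS"
#   user_has_pubkeyhash "$SAMPLE_DSCL_READ" 01C2F20D8964BE7701B57B63B0A1795B8F2604C1 && echo bound
```

Matching the key label exactly matters because sc_auth accept -k uses a key name while the post binds by hash; selecting the Identity key by label and then passing its hash to -h gives the same binding regardless of the order in which the card lists its keys.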

Smart card login uses Open Directory for all of its user lookups, so any supported directory structure will function properly.

Enabling FileVault

1. Enable FileVault Master password

2. Use tokenadmin to create a FileVault User
$ tokenadmin create-fv-user -u <user> -l "<UserName>" -p <password>
(the -p <password> is optional; if omitted, tokenadmin prompts for it)

3. Display available public key hash(es) from Smart Card
$ sc_auth hash

4. Bind Smart card to user account with public key hash
$ sc_auth accept -u <user> -h <hash>

5. Mount FileVault image file
$ hdiutil attach /Users/<user>/<user>.sparsebundle

6. Set User’s login Keychain to unlock with Smart Card
$ systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain

7. Unmount FileVault image file
$ hdiutil detach /Volumes/<user>
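Steps 2 through 7 are a sequence in which a failure in the middle leaves the user's sparsebundle attached, so it is worth running them as one unit. The script below is an added example, not the post's own procedure: it wraps the same commands, with the same arguments the steps list, in a function that validates the short name and the key hash first, and always detaches the image whether or not the keychain step succeeds. Step 1 (the FileVault master password) is set in System Preferences beforehand, and the hash argument is the value you read off sc_auth hash in step 3. The function name and the DRY_RUN switch are my additions; DRY_RUN=1 prints the commands instead of executing them and is the only mode that works on a machine without tokenadmin and hdiutil.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-7 of the FileVault +
# CAC procedure as one checked, self-cleaning function.
set -u

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sc_auth prints key hashes as 40 hex digits.
is_pubkey_hash() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# provision_fv_cac_user SHORTNAME "Full Name" PUBKEYHASH
# The FileVault password is deliberately not passed with -p: tokenadmin
# prompts for it, so it never lands in shell history or `ps` output.
# Run as an administrator (sudo) on a real system.
provision_fv_cac_user() {
    user=$1; fullname=$2; hash=$3
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing short name '$user': letters, digits, . _ - only" >&2
            return 2 ;;
    esac
    if ! is_pubkey_hash "$hash"; then
        echo "'$hash' is not a 40-hex-digit hash from sc_auth hash" >&2
        return 2
    fi
    image="/Users/$user/$user.sparsebundle"
    volume="/Volumes/$user"

    run tokenadmin create-fv-user -u "$user" -l "$fullname" || return 1  # step 2
    run sc_auth accept -u "$user" -h "$hash" || return 1                    # step 4
    run hdiutil attach "$image" || return 1                                 # step 5
    # The image is attached from here on: detach it again whether or not
    # the keychain step succeeds, and report the first failure.
    status=0
    run systemkeychain -T "$volume/Library/Keychains/login.keychain" || status=1  # step 6
    run hdiutil detach "$volume" || status=1                                # step 7
    return $status
}

# Usage (dry run works anywhere; a real run needs sudo and the inserted card):
#   DRY_RUN=1 sh fv_cac_user.sh alice "Alice Example" 01C2F20D8964BE7701B57B63B0A1795B8F2604C1
if [ $# -eq 3 ]; then
    provision_fv_cac_user "$@"
fi
```

Validating the hash before calling tokenadmin is what keeps a typo from creating a FileVault account that no card can unlock; the "Create a NEW FileVault account" rule in the caveats below means there is no second chance to bind the right key to an existing one.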

Note: Right now under Snow Leopard these steps fail.  I am working with Apple to figure out the solution.  Check back soon.

Caveats and Recommendations – Things to keep in mind when deploying

You Must:
Create a NEW FileVault account
Have a Smart Card with an Encryption Key

You Should:
Ensure access to system via a second Admin Account
Escrow the Encryption Key for recovery
Securely Erase FREE Space afterwards via Disk Utility or srm

To support login with a smart card on Mac OS X 10.4, the card must support signing with a public key. In addition, the card itself must have a plugin, known as a tokend, that can communicate with securityd and the card itself.

6 thoughts on “Enabling CAC login and creating FileVault CAC user in 10.5”

  1. Hi,

    I am using a PIV profiled card to login to my mac. I am using Snow Leopard 10.6.2 and have successfully used the card to login to the machine and do signed and encrypted emails. Every login I get prompted after smart card login for the password for my sparsebundle (I had been using filevault prior to introducing the card) and even though I tick the “save password” option I still am prompted on each login. Do you know if there is any way to associate my smartcard login with an existing sparsebundle? Also, is there any way to force the machine to use a smart card login only (i.e. remove the password option)?

    Many thanks


  2. I don’t believe FileVault is fully supported in 10.6.2 with CAC login… I will look into it.

  3. Native support works for some cards, some OS versions, for some functions – may be enough for home use – but probably not enough for a Mac directly connected to a Government network.

    If you’ve a newer card like CAC-NG, or require professional level support, encryption etc., may need to look to third parties like Thursby and Winmagic that focus on 100% supporting particular functionality.
