Dec 15

US Army has an App for that – US Army News & Information

App Store, Apple, Army, DOD, iPhone, ipod touch | No Comments »

The Official Homepage of the United States Army now on the iPhone!

All of the news from Army.mil can now be carried with you. Read the latest articles, view the newest pictures, and watch the latest videos direct from your iPhone. Save your favorite stories to the phone for offline viewing. Share news with your friends via email, Twitter and Facebook.

Features:
- Test your skills with a challenging tile strategy game.
- Keep up to date with the latest Army Tweets and the US Army Facebook page.
- Download Army Podcasts direct to your device.
- Learn about Army Ranks, Equipment, Uniforms, and the Army song.
- Browse Stand-To! and the Army Live blog.
- Download and read Soldiers Magazine.
- Find a recruiter.

Customize the App so your favorite sections are always quickly available.

The US Army App works on both the iPhone and iPod touch and requires iPhone OS 3.0 or later.


written by AppleMacGenius

Sep 15

Enabling CAC login and creating FileVault CAC user in 10.5

Apple, Army, CAC, DOD, Security | 2 Comments »

These steps to enable smart card login, or in the DOD space Common Access Card (CAC) login, have been around since 10.4. The steps that follow are for two different things. The first is to enable CAC login on your Macintosh. The second set of steps is to enable a FileVaulted user with CAC. You will be using the Terminal for both of these, so if you are not familiar with Terminal I suggest you do not use it. It is safe to install a successfully modified /etc/authorization to enable smart card login on any client system, even those without smart card readers. If no reader or card is present, the user will continue to see the default login window, and there will be no performance impact. To support login with a smart card on Mac OS X 10.5/10.6, the card must support signing with a public key. In addition, the card itself must have a plugin, known as a tokend, that can communicate with securityd and the card itself.

Smart cards and Directory Services

Part of the login process is to do a lookup for the expected user in a directory service such as Open Directory, LDAP, or Active Directory. The first and recommended method to link a smart card user with a record in a directory service is to add the hash of the public key to the user's directory record. This is the most convenient and most secure way of identifying a smart card user. The second method is to look up the user based on values drawn from the email signing certificate, as required for US Federal Government smart card use.

A script is preinstalled to assist you in binding a smart card to a user’s local directory domain record. This is /usr/sbin/sc_auth:

myhostname# /usr/sbin/sc_auth -h
Usage: sc_auth accept [-v] [-u user] [-k keyname] # by key on inserted card(s)
sc_auth accept [-v] [-u user] -h hash # by known pubkey hash
sc_auth remove [-v] [-u user] # remove all public keys for this user
sc_auth hash [-k keyname] # print hashes for keys on inserted card(s)

An example of the output from this for a US Department of Defense Common Access Card is:

myhostname% sc_auth hash
01C2F20D8964BE7701B57B63B0A1795B8F2604C1 Identity Private Key
443F30C356E676F447CD4DA89F46CC0CCED19737 Email Signing Private Key
4845564C1F8C6B378C19B8F262CE422933CF1FD1 Email Encryption Private Key

To add a user to the local directory

myhostname% sudo sc_auth accept -u myuser -h 01C2F20D8964BE7701B57B63B0A1795B8F2604C1

…where "01C2F20D8964BE7701B57B63B0A1795B8F2604C1" is the hash for the key associated with the Identity Private Key. Refer to the script for further usage instructions. You will need to run this as a user authorized to modify the directory. In this example, any of the hash entries listed could have been used for associating the card to the account. If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).

The script adds a field to the user’s authentication_authority property. For example, after executing the command above, the authentication_authority property for the user looks like:

myhostname% dscl . -read /Users/myuser

"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;01C2F20D8964BE7701B57B63B0A1795B8F2604C1" );

One can immediately log in to a new session using the smart card.

Smart card login uses Open Directory for all of its user lookups, so any supported directory structure will function properly.

Enabling FileVault

1. Enable FileVault Master password

2. Use tokenadmin to create a FileVault User
$ tokenadmin create-fv-user -u <user> -l "<UserName>" -p <password>
(the -p <password> is optional)

3. Display available public key hash(es) from Smart Card
$ sc_auth hash

4. Bind Smart card to user account with public key hash
$ sc_auth accept -u <user> -h <hash>

5. Mount FileVault image file
$ hdiutil attach /Users/<user>/<user>.sparsebundle

6. Set User’s login Keychain to unlock with Smart Card
$ systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain

7.  Unmount FileVault image file
$ hdiutil detach /Volumes/<user>

Note: Right now under Snow Leopard these steps fail.  I am working with Apple to figure out the solution.  Check back soon.
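As an added example (not code from the original post): shell helpers that pick the Identity key hash out of the sc_auth hash output shown above, confirm that a user record really carries the ;pubkeyhash; entry, and then run steps 2 through 7 of the FileVault procedure in order with that check in between. The tool names are the post's own; the live path assumes a 10.5 Mac with a reader and card inserted and only runs when those tools are present, while the parsing helpers run anywhere on the constructed sample output.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers around the
# sc_auth binding described above, plus FileVault steps 2-7 run in order.

# Constructed sample of "sc_auth hash" output (the hashes are the post's own).
SAMPLE_SC_AUTH='01C2F20D8964BE7701B57B63B0A1795B8F2604C1 Identity Private Key
443F30C356E676F447CD4DA89F46CC0CCED19737 Email Signing Private Key
4845564C1F8C6B378C19B8F262CE422933CF1FD1 Email Encryption Private Key'
# Constructed sample of the user record as dscl printed it in the post.
SAMPLE_DSCL='"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash;
01C2F20D8964BE7701B57B63B0A1795B8F2604C1" );'

# Print the 40-hex-digit hash whose key label is $2 from sc_auth output in $1;
# fail if no such key is on the card.
key_hash() {
    printf '%s\n' "$1" | awk -v label="$2" '
        length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ {
            h = $1; $1 = ""; sub(/^ /, "")
            if ($0 == label) { print h; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Succeed only if the dscl output in $1 carries ;pubkeyhash;$2, i.e. the card
# is actually bound to that account (whitespace and quotes are ignored).
user_bound_to_hash() {
    printf '%s' "$1" | tr -d ' \n"' | grep -q ";pubkeyhash;$2"
}

# Steps 2-7 of the post with a check after the bind (macOS 10.5 only; step 1,
# the FileVault master password, is set in System Preferences beforehand).
provision_fv_cac_user() {   # usage: provision_fv_cac_user <user> "<Long Name>"
    _u="$1"
    _h=$(key_hash "$(sc_auth hash)" "Identity Private Key") \
        || { echo "no Identity key on the inserted card" >&2; return 1; }
    sudo tokenadmin create-fv-user -u "$_u" -l "$2"
    sudo sc_auth accept -u "$_u" -h "$_h"
    user_bound_to_hash "$(dscl . -read "/Users/$_u" AuthenticationAuthority)" "$_h" \
        || { echo "record for $_u is not bound to $_h" >&2; return 1; }
    hdiutil attach "/Users/$_u/$_u.sparsebundle" || return 1
    sudo systemkeychain -T "/Volumes/$_u/Library/Keychains/login.keychain"
    hdiutil detach "/Volumes/$_u"
}

# Only take the live path on a Mac that has the tools and two arguments.
if command -v sc_auth >/dev/null 2>&1 && [ $# -eq 2 ]; then
    provision_fv_cac_user "$1" "$2"
fi
```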

Caveats and Recommendations – Things to keep in mind when deploying

You Must:
Create a NEW FileVault account
Have a Smart Card with an Encryption Key

You Should:
Ensure access to system via a second Admin Account
Escrow the Encryption Key for recovery
Securely Erase FREE Space afterwards via Disk Utility or srm

To support login with a smart card on Mac OS X 10.4, the card must support signing with a public key. In addition, the card itself must have a plugin, known as a tokend, that can communicate with securityd and the card itself.

written by AppleMacGenius

Oct 24

How to create an Encrypted Sparse Bundle Disk Image

Apple, DOD, Security | No Comments »

Mac OS X 10.5 has a lot of built-in features that many novice users are not aware of. One in particular is creating an encrypted sparse bundle. Before I get to the creation of a sparse bundle, you might be asking yourself what an encrypted sparse bundle is. On the Macintosh operating system a bundle or image is like a container, a representation of a virtual hard drive. In the Macintosh Finder it appears as a file, usually with the naming convention "file.img", or if it is a sparse bundle image (one that grows in size as needed) it will be named with ".sparsebundle" at the end. Once you double click on it, it mounts what looks like a hard drive icon on your desktop. A lot of times you may see this when installing a program such as Firefox. You download Firefox and it has the name "firefox.img"; you double click on the file and it mounts a hard drive on your desktop. You open this virtual hard drive and you have the program inside. This is only one example, and you can download Firefox if you want to see how this works. But what if you want to create your own image or sparse bundle? Apple makes it really easy to do this. Here is how.

Step 1: go to Macintosh HD/Applications/Utilities
Step 2: double click on "Disk Utility"
Step 3: in Disk Utility go to File->Blank Disk Image…

Step 4: in "Save As" name your disk image
Step 5: you can also name your volume; this name will be used when the virtual disk is mounted. Pick a volume size and what format you want it to be.

Step 5.5: If you are happy with the settings, hit Save and a disk image will be created.

But that last step will give you an image and not an encrypted sparse bundle. An encrypted sparse bundle is important to keep secure documents secured and to grow in size as needed. If your laptop got stolen, no one would be able to get into your image unless they had the password you set for the sparse bundle, and its being encrypted gives it extra protection. Let's continue our steps…

Step 6: select "128-bit AES encryption", or if you want to be extra secure, "256-bit AES encryption" would work as well.

Step 7: also select what format you want. Pick "sparse bundle disk image". This will actually grow in size as needed. (You really only have to select this if you want it to grow.)

Step 7.5: Click Save
Step 8: you will be asked to provide a password. Make sure when deciding on a password you pick a strong password: numbers, letters, symbols, etc. It will actually tell you if your password is strong enough.

Weak password example (screenshot)

Strong password example (screenshot)

Step 9: Now you can quit Disk Utility and you should see a virtual disk on your desktop.

Every time you double click on the ".sparsebundle" or ".dmg" it will expand and ask you for your password.
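The same choices made in Disk Utility steps 4 through 8, expressed as an hdiutil command so the image can be created from a script. This is an added example, not code from the original post; hdiutil and its flags are Apple's, the function names are mine, and the live call assumes a Mac.

```shell
#!/bin/sh
# Added example, not code from the original post: the choices made in steps
# 4-8 of Disk Utility, expressed as an hdiutil command so it can be scripted.

# Map the post's choices to hdiutil flags. $1 is the encryption strength
# from step 6 (128 or 256); $2 is the format from step 7 (sparsebundle or dmg).
# Prints the flags, or fails with a message on anything else.
image_flags() {
    case "$1" in
        128) _enc="-encryption AES-128" ;;
        256) _enc="-encryption AES-256" ;;
        *)   echo "encryption must be 128 or 256" >&2; return 1 ;;
    esac
    case "$2" in
        sparsebundle) _type="-type SPARSEBUNDLE" ;;   # grows as needed
        dmg)          _type="-type UDIF" ;;           # fixed-size image
        *) echo "format must be sparsebundle or dmg" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$_enc" "$_type"
}

# Create the image (macOS only). $1 = path without extension, $2 = volume
# name (step 5), $3 = size such as 1g, $4 = 128|256, $5 = sparsebundle|dmg.
# The passphrase (step 8) is read from stdin via -stdinpass so that it never
# appears on the command line, in shell history or in ps output.
create_encrypted_image() {
    _flags=$(image_flags "$4" "$5") || return 1
    _out="$1.$5"
    # $_flags is left unquoted on purpose so it splits into separate words.
    hdiutil create -size "$3" -fs HFS+J -volname "$2" $_flags \
        -stdinpass "$_out" || return 1
    # Report whether the result is encrypted before trusting it with data.
    hdiutil isencrypted "$_out"
}

# Example invocation on a Mac (the passphrase is piped in, not typed here):
# printf '%s' "$PASS" | create_encrypted_image ~/Secure Secure 1g 256 sparsebundle
```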

Here is another helpful hint. Let's say you want to automate this. There is a company that makes a product that does this. The website is www.knoxformac.com. They make a product called Knox. It gives you an interface to create encrypted sparse bundles and even organize them. I highly recommend this product. I use this daily. I have included a short video of their product demo.

October 3, 2008

I came across another really nice program called Espionage. This program does the same thing but seems to be a little more seamless in its approach. Instead of a menu bar icon, it basically integrates into the actual Mac OS. It still uses the "Disk Image" technology but hides it from the novice user, so you never know you are using it. You can go to www.taoeffect.com/espionage to check it out. Click on the link below to see a video of the product.

written by AppleMacGenius