SmartCard logon and authentication

With this modification, the normal logon screen asking for a username and password is replaced by another screen asking for the PIN of your smartcard to log on to your system, if a smartcard is inserted in the reader.

Likewise, when the system asks for authentication (software installation, etc.), you can replace the password with a smartcard and its PIN.

OpenSC.Tokend must be installed (which is the default in the SCA installer). You need to modify /etc/authorization, which is a critical file in Mac OS X: you may be locked out of your system if you make a typo! Keep a backup copy of that file before any modification:

$ sudo cp /etc/authorization /etc/authorization.orig

Another Mac and a FireWire cable are useful in case of mistakes (target disk mode), as is a bootable external disk. You can also boot from the Tiger installation DVD, which contains the Terminal application.

You have been warned.

The easiest way to edit this file is to use TextEdit, started with this command in a Terminal:

$ sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/authorization

Search for this key in the file:

<key>system.login.console</key>

Under this key, there is a mechanisms list. You need to end up with this:

                        <key>mechanisms</key>
                        <array>
                                <string>builtin:auto-login,privileged</string>
                                <string>builtin:smartcard-sniffer,privileged</string>
                                <string>loginwindow_builtin:login</string>
                                <string>builtin:reset-password,privileged</string>
                                <string>builtin:authenticate,privileged</string>
                                <string>builtin:getuserinfo,privileged</string>
                                <string>builtin:sso,privileged</string>
                                <string>HomeDirMechanism:login,privileged</string>
                                <string>HomeDirMechanism:status</string>
                                <string>MCXMechanism:login</string>
                                <string>loginwindow_builtin:success</string>
                                <string>loginwindow_builtin:done</string>
                        </array>

You have to replace one line and add another line.

In the same manner, you need to edit the mechanisms list under this key:

<key>authenticate</key>

until it finally reads like this:

                        <key>mechanisms</key>
                        <array>
                                <string>builtin:smartcard-sniffer,privileged</string>
                                <string>builtin:authenticate</string>
                                <string>builtin:authenticate,privileged</string>
                        </array>

Save your modifications, and quit TextEdit.
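Before logging out to try it, it is worth checking the edited file, since a typo here is exactly what locks you out. The script below is an added example and is not part of the original howto or of OpenSC/SCA; it assumes the plain-XML plist layout of Tiger's /etc/authorization (a right's <key> line followed by a flat <dict> holding <key>mechanisms</key> and its <array>), and the function names (mechanisms_for, check_mechanisms, xml_ok, write_sample_authorization) and the sample plist it generates are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original howto or OpenSC): sanity-check an
# edited /etc/authorization before you log out, so that a typo cannot lock
# you out. Assumes the plain-XML plist layout of Tiger's /etc/authorization:
# a right's <key> line, then a flat <dict> holding <key>mechanisms</key> and
# its <array> of <string> items.

# The two mechanism lists the howto expects, in order.
LOGIN_EXPECTED='builtin:auto-login,privileged
builtin:smartcard-sniffer,privileged
loginwindow_builtin:login
builtin:reset-password,privileged
builtin:authenticate,privileged
builtin:getuserinfo,privileged
builtin:sso,privileged
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
loginwindow_builtin:success
loginwindow_builtin:done'
AUTH_EXPECTED='builtin:smartcard-sniffer,privileged
builtin:authenticate
builtin:authenticate,privileged'

# mechanisms_for FILE RIGHT: print the mechanism strings of RIGHT, one per line.
mechanisms_for() {
    awk -v right="$2" '
        index($0, "<key>" right "</key>")      { inright = 1; next }
        inright && /<key>mechanisms<\/key>/    { inmech = 1; next }
        inright && !inmech && /<\/dict>/       { exit }   # right has no list
        inmech && !inarray && /<array>/        { inarray = 1; next }
        inarray && /<\/array>/                 { exit }
        inarray && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17)     # strip the tags
        }' "$1"
}

# check_mechanisms FILE RIGHT EXPECTED: 0 if the list matches EXPECTED exactly.
check_mechanisms() {
    actual=$(mechanisms_for "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok: $2"
        return 0
    fi
    printf 'MISMATCH in %s\n--- expected\n%s\n--- actual\n%s\n' "$2" "$3" "$actual" >&2
    return 1
}

# xml_ok FILE: the plist must at least parse; use plutil or xmllint if present,
# otherwise fall back to a crude tag-count check.
xml_ok() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$1" >/dev/null 2>&1
    elif command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1" >/dev/null 2>&1
    else
        [ "$(grep -c '<array>' "$1")" -eq "$(grep -c '</array>' "$1")" ]
    fi
}

# write_sample_authorization FILE: a constructed, minimal authorization plist
# containing only the two rights above, so the checks can be exercised offline.
write_sample_authorization() {
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n<key>rights</key>\n<dict>\n'
        for right in authenticate system.login.console; do
            if [ "$right" = authenticate ]; then list=$AUTH_EXPECTED; else list=$LOGIN_EXPECTED; fi
            printf '<key>%s</key>\n<dict>\n<key>mechanisms</key>\n<array>\n' "$right"
            printf '%s\n' "$list" | sed 's|.*|<string>&</string>|'
            printf '</array>\n</dict>\n'
        done
        printf '</dict>\n</dict>\n</plist>\n'
    } > "$1"
}

# Usage: sh check_authorization.sh /etc/authorization
if [ -n "${1:-}" ]; then
    xml_ok "$1" || { echo "$1 does not parse as XML; restore the backup" >&2; exit 2; }
    check_mechanisms "$1" system.login.console "$LOGIN_EXPECTED" &&
        check_mechanisms "$1" authenticate "$AUTH_EXPECTED"
fi
```

Run it against the file you just saved; if it reports a parse error or a mismatch, copy /etc/authorization.orig back over /etc/authorization before logging out, as the login window reads this file on the next logon attempt.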

Then insert your smartcard in the reader, and type this command in a Terminal:

$ sc_auth hash

You get a hash and the key label for every key on your smartcard. For example:

E1D9B68DC101AB296EE1B3CECC3B12993BA4A37E JPS - Thawte

PS: on Intel Macs up to 10.4.9, /usr/sbin/sc_auth uses security(1), which has a few endianness issues. sc_auth is a bash script; until Apple fixes the issue, you need to replace / 0x00000001/ with / 0x01000000/ and / 0x00000006/ with / 0x06000000/ in it.

To link the key on your smartcard to your login name:

$ sudo sc_auth accept -u your_login_name -h E1D9B68DC101AB296EE1B3CECC3B12993BA4A37E

You can link more than one key with a login.
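The sc_auth hash output above has one key per line, the hash first and the label after it. As an added example (not from the original howto or from OpenSC), the functions below pick the hash for a given label and refuse to continue unless exactly one key matches and the hash is a 40-digit hex value, before handing it to sc_auth accept. The function names (hash_for_label, link_card_key) and the sample output SAMPLE_HASH_OUTPUT are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original howto or OpenSC): select a key hash
# from `sc_auth hash` output by its label and validate it before it is linked
# to an account with `sc_auth accept`.

# Constructed sample of `sc_auth hash` output (a card carrying two keys).
SAMPLE_HASH_OUTPUT='E1D9B68DC101AB296EE1B3CECC3B12993BA4A37E JPS - Thawte
0123456789ABCDEF0123456789ABCDEF01234567 JPS - Encryption'

# hash_for_label LABEL  (reads sc_auth hash output on stdin)
# Prints the hash whose label is exactly LABEL. Fails if zero or several
# keys carry that label, or if the hash is not a 40-digit hex (SHA-1) value,
# so that a typo or an ambiguous label never reaches sc_auth accept.
hash_for_label() {
    label=$1
    matches=$(awk -v label="$label" '
        { h = $1; $1 = ""; sub(/^ /, ""); if ($0 == label) print h }')
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    [ "$count" -eq 1 ] || {
        echo "expected exactly one key labelled \"$label\", found $count" >&2
        return 1
    }
    printf '%s\n' "$matches" | grep -Eq '^[0-9A-Fa-f]{40}$' || {
        echo "malformed key hash: $matches" >&2
        return 1
    }
    printf '%s\n' "$matches"
}

# link_card_key USER LABEL: read the inserted card and link the selected key.
link_card_key() {
    hash=$(sc_auth hash | hash_for_label "$2") || return 1
    sudo sc_auth accept -u "$1" -h "$hash"
}
```

With the card in the reader, link_card_key your_login_name 'JPS - Thawte' does the same as the manual sc_auth accept above, but stops with an error instead of linking the wrong key when the label is missing or ambiguous.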

No need to reboot; just log out of the session.

Without the card, the login window is the normal one. Insert your smartcard, wait a few seconds, and enjoy.

To unlink the keys from the login, run:

$ sudo sc_auth remove -u your_login_name

To see which key hashes are linked to a user account:

$ nidump -r /users/your_login_name .