Managing the mapping for smart-card logon

OS X supports two options for mapping a certificate to a local user account:

- Perform a look-up in an enterprise directory.
- Decide based on the hash of the public key in the certificate.

For local login on stand-alone computers without Active Directory or equivalent, only the second, very basic option is available.

As described by several sources, the sc_auth command in OS X, which is just a Bash script, is used to manage that mapping via various sub-commands. sc_auth hash purports to display keys on currently present smart-cards, but in fact outputs a kitchen sink of certificates, including those coming from the local keychain. It can be scoped to a specific key by passing an identifier. For example, to get the PIV authentication key out of a PIV card when using the OpenSC tokend modules:

```
$ sc_auth hash -k "PIV"
67081F01CB1AAA07EF2B19648D0FD5A89F5FAFB8 PIV AUTH key
```

The displayed value is a SHA-1 hash derived from the public key. (Keep in mind that key names such as "PIV AUTH key" above are manufactured by the tokend middleware; your mileage may vary when using a different one.)

To convince OS X into accepting that certificate for local logon, sc_auth accept must be invoked with root privileges. This instructs the system to accept the PIV certificate on the presently connected smart-card for authenticating the local user Alice. There is another option to specify the key using its hash:

```
$ sudo sc_auth accept -u Alice -h 67081F01CB1AAA07EF2B19648D0FD5A89F5FAFB8
```

More than one certificate can be mapped to a single account by repeating that process. sc_auth list will display all currently trusted public-key hashes for a specified user:

```
$ sc_auth list -u Alice
67081F01CB1AAA07EF2B19648D0FD5A89F5FAFB8
```

Finally, sc_auth remove deletes all certificates currently mapped to a local user account:

```
$ sudo sc_auth remove -u Alice
```

Smart-card user experience on OS X

So what does the user experience look like once the mapping is configured?

Initial login

First the bad news: don't throw away your password just yet. FileVault II full-disk encryption still requires typing in the password to unlock the disk.** Interestingly, its predecessor, the original FileVault, did support smart-cards because it was decrypting a container in the file-system after enough of the OS had been loaded to support tokend. The new variant operates at a much lower level. Because OS X does not ask for the password a second time after the FileVault prompt, there is no opportunity to use a smart-card in this scenario. The boot/reboot process remains unchanged.
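The sc_auth list sub-command is also the natural hook for checking that no card you did not provision has been mapped to an account: since only root can run sc_auth accept, an extra trusted hash on a user is something to investigate rather than ignore. The script below is an added example, not code from the original post or from Apple's sc_auth script. It assumes, as in the listing above, that `sc_auth list -u <user>` prints one 40-hex-digit SHA-1 hash per line, and it introduces its own allow-list convention (one expected hash per line). The sample listings are constructed for the demo: the first hash is the one shown in the post, the second is made up to stand for a card nobody provisioned.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple's sc_auth script:
# audit the public-key hashes a local account trusts for smart-card logon
# (the output of `sc_auth list -u <user>`) against the hashes you provisioned.
# Assumption: sc_auth list prints one 40-hex-digit SHA-1 hash per line.
# The allow-list format (one hash per line) is this script's own convention.

# True if $1 looks like the SHA-1 public-key hash that sc_auth hash prints.
is_sha1_hash() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# count_trusted_hashes LISTING: number of mappings in a sc_auth list output.
count_trusted_hashes() {
    printf '%s\n' "$1" | grep -Ec '^[0-9A-Fa-f]{40}$'
}

# audit_user_hashes USER LISTING ALLOWED
#   LISTING: raw output of `sc_auth list -u USER`
#   ALLOWED: hashes intentionally mapped for USER, one per line
# Prints one line per entry. Returns 0 when every trusted hash is on the
# allow-list, 1 when the account trusts a hash that was never provisioned
# (or a malformed entry). Comparison is case-insensitive.
audit_user_hashes() {
    user=$1
    listing=$2
    allowed=$3
    findings=0
    # Here-document rather than a pipe so the loop runs in this shell and
    # the findings counter survives the loop.
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if ! is_sha1_hash "$line"; then
            echo "$user: malformed entry in sc_auth list output: $line"
            findings=$((findings + 1))
            continue
        fi
        if printf '%s\n' "$allowed" | grep -qixF -- "$line"; then
            echo "$user: trusted hash $line is on the allow-list"
        else
            echo "$user: UNEXPECTED trusted hash $line (not provisioned)"
            findings=$((findings + 1))
        fi
    done <<EOF
$listing
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample data for the demo. The first hash is the one from the
# post; the second is made up to represent a card that was never provisioned.
ALICE_ALLOWED="67081F01CB1AAA07EF2B19648D0FD5A89F5FAFB8"
ALICE_LISTING_OK="67081F01CB1AAA07EF2B19648D0FD5A89F5FAFB8"
ALICE_LISTING_EXTRA="67081F01CB1AAA07EF2B19648D0FD5A89F5FAFB8
0123456789ABCDEF0123456789ABCDEF01234567"

# On a Mac, feed the real output instead of the constructed listing:
#   audit_user_hashes Alice "$(sc_auth list -u Alice)" "$ALICE_ALLOWED"
audit_user_hashes Alice "$ALICE_LISTING_OK" "$ALICE_ALLOWED" \
    && echo "Alice: mappings match the inventory"
audit_user_hashes Alice "$ALICE_LISTING_EXTRA" "$ALICE_ALLOWED" \
    || echo "Alice: review the extra mapping; sudo sc_auth remove -u Alice clears all of them"
```

Because sc_auth remove drops every mapping for the account at once, the usual response to an unexpected hash is to remove them all and re-run sc_auth accept for the cards that belong there, which is why keeping the allow-list as the inventory of record matters.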