Belgian eID to login on Mac OS X
This short howto explains how to use the Belgian eID to log in on your Mac OS X machine. I assume that your card reader is already detected and installed and that you are an administrator of the machine. I am using Mac OS X 10.4.11.
Enable SmartCard authentication (only Mac OS X 10.4)
The happy owners of Leopard, Mac OS X 10.5, shouldn't change anything in their configuration file. Just jump to the part about access permissions.
Probably for performance reasons, Apple didn't activate SmartCard login by default, so we will need to change a few configuration files to enable it. This procedure is explained on this page; here is my own documentation, with the examples for the Belgian eID.
The instructions in this part should be exactly the same on your system.
$ sudo -s
Password:
$ cd /etc/
$ cp authorization authorization.20080707.orig
$ cp authorization /tmp/authorization.mod
Now edit the temporary file using your favorite editor or by using the graphical editor if you prefer.
$ vi /tmp/authorization.mod
$ open -a "Property List Editor" /tmp/authorization.mod
Make the following changes to the mechanisms Array inside the system.login.console rights (Line 452):
After the string <string>builtin:auto-login,privileged</string> add the string <string>builtin:smartcard-sniffer,privileged</string>.
After the string <string>builtin:reset-password,privileged</string> remove the string <string>authinternal</string>, then add the string <string>builtin:authenticate,privileged</string>.
Make the following changes to the "mechanisms" Array inside the "authenticate" rules (Line 649):
Add the following string to the beginning of the array <string>builtin:smartcard-sniffer,privileged</string>
After the string <string>builtin:authenticate</string> remove the string <string>authinternal</string>, then add the string <string>builtin:authenticate,privileged</string>.
Now copy the file to the right place on your system:
$ cp /tmp/authorization.mod /etc/authorization
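Before copying the modified file over the live one, it is worth checking mechanically that both mechanisms arrays now look the way the steps above describe. The following Python script is an added example and is not part of this howto's original instructions; the embedded plist fragment is constructed for illustration and covers only the two rights being edited.

```python
import plistlib

# Constructed fragment of /etc/authorization covering only the two rights this
# howto edits, in the state the edits above should produce. It is not the real file.
MODIFIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict>
<key>system.login.console</key><dict><key>mechanisms</key><array>
<string>builtin:auto-login,privileged</string>
<string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow_builtin:login</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:getuserinfo,privileged</string>
</array></dict>
<key>authenticate</key><dict><key>mechanisms</key><array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>builtin:authenticate</string>
<string>builtin:authenticate,privileged</string>
</array></dict>
</dict></dict></plist>"""

# The stock 10.4 layout derived from the same fragment: no sniffer, authinternal in place.
ORIGINAL = MODIFIED.replace(
    b"<string>builtin:smartcard-sniffer,privileged</string>\n", b"").replace(
    b"<string>builtin:authenticate,privileged</string>", b"<string>authinternal</string>")

SNIFFER = "builtin:smartcard-sniffer,privileged"
AUTH_PRIV = "builtin:authenticate,privileged"

def check_right(rights, name, before):
    """List problems with one right's mechanisms array ([] means it matches the howto).
    Mechanisms run in array order, so the sniffer must precede the step that needs it."""
    mechs = rights.get(name, {}).get("mechanisms", [])
    problems = []
    if SNIFFER not in mechs:
        problems.append("%s: %s missing" % (name, SNIFFER))
    elif before in mechs and mechs.index(SNIFFER) > mechs.index(before):
        problems.append("%s: %s must precede %s" % (name, SNIFFER, before))
    if "authinternal" in mechs:
        problems.append("%s: authinternal still present" % name)
    if AUTH_PRIV not in mechs:
        problems.append("%s: %s missing" % (name, AUTH_PRIV))
    return problems

def check_authorization(plist_bytes):
    """Check both rights the howto edits; returns [] when the file is correctly modified."""
    rights = plistlib.loads(plist_bytes)["rights"]
    return (check_right(rights, "system.login.console", "loginwindow_builtin:login")
            + check_right(rights, "authenticate", "builtin:authenticate"))
```

On the Mac, pass the bytes of /tmp/authorization.mod (or /etc/authorization afterwards) to check_authorization(); an empty list means the file matches the steps above.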
You can check the differences here, or download the original and modified files (Mac OS X 10.4.11):
$ diff -uN /etc/authorization /tmp/authorization.mod
--- /etc/authorization 2008-03-23 17:53:36.000000000 +0100
+++ /tmp/authorization.mod 2008-07-07 11:19:05.000000000 +0200
@@ -449,9 +449,10 @@
<key>mechanisms</key>
<array>
<string>builtin:auto-login,privileged</string>
+ <string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow_builtin:login</string>
<string>builtin:reset-password,privileged</string>
- <string>authinternal</string>
+ <string>builtin:authenticate,privileged</string>
<string>builtin:getuserinfo,privileged</string>
<string>builtin:sso,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
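Review bot: ordering is the point to watch in this hunk, since a right of class evaluate-mechanisms runs its array in sequence: `builtin:smartcard-sniffer,privileged` is inserted directly after `builtin:auto-login,privileged` and before `loginwindow_builtin:login`, and `authinternal` is swapped in place for `builtin:authenticate,privileged` rather than simply deleted, so the array keeps an authentication step at that position. Anyone applying this by hand should preserve those positions instead of appending to the end of the array; the "Line 452" in the prose is the inserted line, while the header `@@ -449,9 +449,10 @@` counts from the context three lines earlier.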
@@ -645,8 +646,9 @@
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
+ <string>builtin:smartcard-sniffer,privileged</string>
<string>builtin:authenticate</string>
- <string>authinternal</string>
+ <string>builtin:authenticate,privileged</string>
</array>
</dict>
<key>authenticate-admin</key>
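Review bot: the same substitution is applied to the `authenticate` right, but here `builtin:smartcard-sniffer,privileged` goes at the head of the array, ahead of `builtin:authenticate`, because this right has no login-window step before it; `authinternal` is again replaced by `builtin:authenticate,privileged`. The header offset `-645,8 +646,9` is one line further on the new side only because of the line added in the first hunk, which is expected and not a sign of a misapplied patch.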
Access permissions (everyone)
We have now enabled SmartCard authentication. The question that remains open is: who owns which SmartCard?
The eID card holds two private keys, one for signing and one for authentication. We will of course use the authentication key.
Go back to the Terminal that is still logged in as root and type the following command, which lists the hashes of the keys on the card. Then associate the hash of the authentication key with your user account (chri in this example):
$ sc_auth hash
3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C PrK#2 (authentication)
35BDB8600FA219204D28FAD856380F6E06123B62 PrK#3 (signature)
$ sc_auth accept -u chri -h 3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).
We can check that the hash was recorded in the user's authentication authority:
$ dscl . -read /Users/chri
...
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER> ;pubkeyhash;3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
...
Test your configuration
That's it. Save all your open files, log out of the system and connect your SmartCard. You should see the Enter PIN prompt when your card is connected:

Debug info
When you insert the card into the reader, you should see the following messages in /var/log/secure.log (open it using Console). If you don't see these messages, check that your card reader is configured correctly on the system.
com.apple.SecurityServer: Token reader CCID Smart Card Reader 0 0 inserted into system
com.apple.SecurityServer: token inserted into reader CCID Smart Card Reader 0 0
com.apple.SecurityServer: reader CCID Smart Card Reader 0 0 inserted token "BELPIC-534C494E336600296CFF2491AB111E14" (BELPIC-534C494E336600296CFF2491AB111E14) subservice 2 using driver com.apple.tokend.belpic
After a successful login you should see these messages:
SecurityAgent[1994]: Showing Login Window
SecurityAgent[1994]: User Authenticated: continue login process
com.apple.SecurityServer: Succeeded authorizing right system.login.console by process /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
com.apple.SecurityServer: Succeeded authorizing right system.login.done by process /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
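The two log excerpts above are the signals to look for when a login does not behave as expected. The following Python script is an added example, not part of this howto, that walks secure.log lines in order and maps what it finds to the troubleshooting cases described here (no reader event, reader but no token, wrong tokend, card seen but login not granted); the sample input is taken from the messages quoted above, not from a live capture.

```python
import re

# Sample lines taken from the secure.log excerpts in this howto (not a live capture).
SAMPLE_LOG = """\
com.apple.SecurityServer: Token reader CCID Smart Card Reader 0 0 inserted into system
com.apple.SecurityServer: token inserted into reader CCID Smart Card Reader 0 0
com.apple.SecurityServer: reader CCID Smart Card Reader 0 0 inserted token "BELPIC-534C494E336600296CFF2491AB111E14" (BELPIC-534C494E336600296CFF2491AB111E14) subservice 2 using driver com.apple.tokend.belpic
SecurityAgent[1994]: Showing Login Window
SecurityAgent[1994]: User Authenticated: continue login process
com.apple.SecurityServer: Succeeded authorizing right system.login.console by process /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
com.apple.SecurityServer: Succeeded authorizing right system.login.done by process /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
"""

TOKEN_RE = re.compile(r'inserted token "([^"]+)".*using driver (\S+)')
RIGHT_RE = re.compile(r"Succeeded authorizing right (\S+) by process (\S+)")

def summarize_login(log_text):
    """Collect reader/token events, which tokend handled the card, whether the
    SecurityAgent authenticated a user, and which rights were granted, in log order."""
    summary = {"reader": False, "token": None, "driver": None,
               "authenticated": False, "rights": []}
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            summary["token"], summary["driver"] = m.group(1), m.group(2)
        elif "Token reader" in line and "inserted into system" in line:
            summary["reader"] = True
        elif "User Authenticated" in line:
            summary["authenticated"] = True
        else:
            m = RIGHT_RE.search(line)
            if m:
                summary["rights"].append(m.group(1))
    return summary

def diagnose(summary):
    """Map a summary to the troubleshooting cases the howto describes."""
    if not summary["reader"]:
        return "no reader event: check the card reader is configured on the system"
    if summary["token"] is None:
        return "reader seen but no token: card not recognised by a tokend"
    if summary["driver"] != "com.apple.tokend.belpic":
        return "token handled by %s, not the belpic tokend" % summary["driver"]
    if not (summary["authenticated"] and "system.login.console" in summary["rights"]):
        return "card seen but console login was not granted"
    return "smart-card login succeeded"
```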
Links
Apple Smart Card Setup Guide
Mac OS X 10.4: Enabling smart card login

Hey,
I'll try this right away.
Can't see any other use for my eID card anyway....
Hey, thanks for the info :-)
Note that the authorization file is already correct in OSX 1.5
At first I blindly started modifying the file until I realized the lines were already present.
I'm going to test this now :-)
on mac OSX 1.5, the authorization file is already correctly configured :-)
I tried this and it works fine. However it only applies for login, so if a program tries to access the keychain, for instance, you'll still be asked to give your password rather than your pin, which is a bit silly IMHO.
I tried this with a specimen eID card and it works as well.
Thanks for the info :-)
Great, I updated the document to reflect this. Thanks for informing me!
From what I read of the technical documents it is currently not possible, but it should be feasible in the future. (I can't really find pages that contain all the information, but here are some links.)
Each item stored in your keychain is individually encrypted with its own unique key. Furthermore, these individual keys are themselves encrypted with a master key, which is in turn encrypted with a key derived from your passphrase.
The thing they should do is make the master key also accessible using the certificate from your smartcard. But it looks like it's not implemented yet...