Belgian eID to login on Mac OS X
This short howto explains how to use the Belgian eID to login on your Mac OS X machine. In this document I assume your cardreader is detected/installed and you are administrator of your machine. I am using Mac OS X 10.4.11.
Enable SmartCard authentication (only Mac OS X 10.4)
The happy owners of Leopard, Mac OS X 10.5, shouldn't change anything in their configuration file. Just jump to the part about access permissions.
Apple did not activate SmartCard login by default, probably for performance reasons, so we will need to change a few configuration files to enable it. The general procedure is explained on Apple's page (see the links at the end); here is my own documentation with the examples for the Belgian eID.
The instructions in this part should be exactly the same on your system.
$ sudo -s
Password:
$ cd /etc/
$ cp authorization authorization.20080707.orig
$ cp authorization /tmp/authorization.mod
Now edit the temporary file using your favorite editor or by using the graphical editor if you prefer.
$ vi /tmp/authorization.mod
$ open -a "Property List Editor" /tmp/authorization.mod
Make the following changes to the mechanisms Array inside the system.login.console rights (Line 452):
After the string <string>builtin:auto-login,privileged</string> add the string <string>builtin:smartcard-sniffer,privileged</string>.
After the string <string>builtin:reset-password,privileged</string> remove the string <string>authinternal</string>, then add the string <string>builtin:authenticate,privileged</string>.
Make the following changes to the "mechanisms" Array inside the "authenticate" rules (Line 649):
Add the following string at the beginning of the array: <string>builtin:smartcard-sniffer,privileged</string>.
After the string <string>builtin:authenticate</string> remove the string <string>authinternal</string>, then add the string <string>builtin:authenticate,privileged</string>.
Now copy the file to the right place on your system:
$ cp /tmp/authorization.mod /etc/authorization
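The same two edits can be applied and checked programmatically instead of by hand. The following is an added example (not part of the original howto) that uses Python's plistlib to make the changes described above and read them back; it assumes the 10.4 layout of /etc/authorization, with top-level "rights" and "rules" dictionaries whose entries each carry a "mechanisms" array, and the sample plist embedded in it is a constructed, heavily trimmed stand-in for the real file, which is much larger.

```python
"""Apply the /etc/authorization edits from the howto with plistlib.

Added example, not the howto's own code. Assumed layout (Mac OS X 10.4):
a top-level "rights" dict and a top-level "rules" dict, each entry of which
has a "mechanisms" array. The SAMPLE_PLIST below is constructed for this
example and contains only the two entries the howto touches.
"""
import plistlib

SNIFFER = "builtin:smartcard-sniffer,privileged"
AUTH_PRIV = "builtin:authenticate,privileged"

# Constructed minimal stand-in for /etc/authorization (not the real file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:auto-login,privileged</string>
        <string>loginwindow_builtin:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>authinternal</string>
        <string>builtin:getuserinfo,privileged</string>
      </array>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
        <string>authinternal</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def _insert_after(mechs, anchor, new):
    """Insert `new` right after `anchor`, unless it is already present."""
    if new not in mechs:
        mechs.insert(mechs.index(anchor) + 1, new)


def _replace(mechs, old, new):
    """Replace `old` with `new` in place; a no-op if already applied."""
    if old in mechs:
        mechs[mechs.index(old)] = new
    elif new not in mechs:
        raise ValueError(f"neither {old!r} nor {new!r} found in mechanisms")


def enable_smartcard_login(plist_bytes: bytes) -> bytes:
    """Return the plist with the smartcard mechanisms added, as XML bytes.

    Running it twice yields the same output, so it is safe to re-apply.
    """
    auth = plistlib.loads(plist_bytes)

    # system.login.console right: sniffer after auto-login, authinternal swapped
    console = auth["rights"]["system.login.console"]["mechanisms"]
    _insert_after(console, "builtin:auto-login,privileged", SNIFFER)
    _replace(console, "authinternal", AUTH_PRIV)

    # authenticate rule: sniffer first, authinternal swapped
    rule = auth["rules"]["authenticate"]["mechanisms"]
    if rule[0] != SNIFFER:
        rule.insert(0, SNIFFER)
    _replace(rule, "authinternal", AUTH_PRIV)

    return plistlib.dumps(auth, sort_keys=False)


def mechanisms(plist_bytes: bytes, section: str, name: str) -> list:
    """Read back one mechanisms array so the edit can be verified."""
    return plistlib.loads(plist_bytes)[section][name]["mechanisms"]


if __name__ == "__main__":
    # Real usage: read /etc/authorization, write /tmp/authorization.mod,
    # then diff and copy as the howto describes.
    print(enable_smartcard_login(SAMPLE_PLIST).decode())
```

Reading the modified file back with mechanisms() and comparing the two arrays against the diff shown below is a cheap way to catch a misplaced entry before the file is copied over /etc/authorization.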
You can check the differences here or download the original and modified file (Mac OS X 10.4.11)
$ diff -uN /etc/authorization /tmp/authorization.mod
--- /etc/authorization 2008-03-23 17:53:36.000000000 +0100
+++ /tmp/authorization.mod 2008-07-07 11:19:05.000000000 +0200
@@ -449,9 +449,10 @@
<key>mechanisms</key>
<array>
<string>builtin:auto-login,privileged</string>
+ <string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow_builtin:login</string>
<string>builtin:reset-password,privileged</string>
- <string>authinternal</string>
+ <string>builtin:authenticate,privileged</string>
<string>builtin:getuserinfo,privileged</string>
<string>builtin:sso,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
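Review bot: the `- <string>authinternal</string>` / `+ <string>builtin:authenticate,privileged</string>` swap in this hunk is what changes how the login window handles passwords, not only the added sniffer line, so a mistake here locks you out of the console; keep the authorization.20080707.orig backup made earlier at hand until a password login has been confirmed with the modified file. The hunk header starting at line 449 is consistent with the "Line 452" in the text: 452 is the auto-login line itself, three context lines into the hunk.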
@@ -645,8 +646,9 @@
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
+ <string>builtin:smartcard-sniffer,privileged</string>
<string>builtin:authenticate</string>
- <string>authinternal</string>
+ <string>builtin:authenticate,privileged</string>
</array>
</dict>
<key>authenticate-admin</key>
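Review bot: this hunk edits the shared `authenticate` rule rather than a single right, so removing `authinternal` affects every prompt that evaluates that rule, not just console login (the `authenticate-admin` key in the trailing context is a separate, untouched rule). Before logging out, confirm that a password-based authorization prompt still succeeds with the modified file, and check that `+ <string>builtin:smartcard-sniffer,privileged</string>` really is the first entry of the array, as the instructions above require.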
Access permissions (everyone)
We have now enabled SmartCard authentication. The question that remains open is: who owns which SmartCard?
On the eID card there are two private keys present. One for signing purposes and one for authentication. We will use the authentication key of course.
Go back to your Terminal that was logged in as root and type the following command. This will list the hashes of the keys.
$ sc_auth hash
3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C PrK#2 (authentication)
35BDB8600FA219204D28FAD856380F6E06123B62 PrK#3 (signature)
$ sc_auth accept -u chri -h 3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).
We can check if it's OK:
$ dscl . -read /Users/chri
...
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER> ;pubkeyhash;3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
...
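Binding the wrong key is the obvious mistake at this step: sc_auth hash prints both private keys and only the authentication one (PrK#2) should be handed to sc_auth accept. The following is an added example, not part of the original howto, that parses the sc_auth hash and dscl output in the form shown above, picks the authentication hash, builds the sc_auth accept line for it, and verifies afterwards that exactly that hash appears as a ;pubkeyhash; entry in the user's AuthenticationAuthority. The two command outputs embedded in it are constructed from the howto's sample, not captured live.

```python
"""Verify that the eID *authentication* key hash is bound to a user account.

Added example, not the howto's own code. The command outputs below are
constructed from the howto's sample; on a real machine they would come from
`sc_auth hash` and `dscl . -read /Users/<user>`.
"""
import re

# Constructed sample of `sc_auth hash` output (one line per private key).
SC_AUTH_HASH_OUTPUT = """\
3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C PrK#2 (authentication)
35BDB8600FA219204D28FAD856380F6E06123B62 PrK#3 (signature)
"""

# Constructed sample of the relevant `dscl . -read /Users/chri` line.
DSCL_OUTPUT = """\
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER> ;pubkeyhash;3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
"""

# "<40 hex chars> PrK#<n> (<purpose>)"
HASH_LINE = re.compile(r"^([0-9A-Fa-f]{40})\s+PrK#\d+\s+\((\w+)\)\s*$", re.M)


def parse_sc_auth_hash(text: str) -> dict:
    """Map key purpose to hash, e.g. {'authentication': '3F5C...', 'signature': '35BD...'}."""
    return {purpose: h.upper() for h, purpose in HASH_LINE.findall(text)}


def authentication_hash(text: str) -> str:
    """Hash of the authentication key, the only one sc_auth accept should get."""
    keys = parse_sc_auth_hash(text)
    if "authentication" not in keys:
        raise ValueError("no authentication key found in sc_auth hash output")
    return keys["authentication"]


def sc_auth_accept_command(user: str, sc_auth_text: str) -> str:
    """The sc_auth accept line to run for this user and card."""
    return f"sc_auth accept -u {user} -h {authentication_hash(sc_auth_text)}"


def bound_pubkey_hashes(dscl_text: str) -> set:
    """All hashes listed as ;pubkeyhash;<hash> in AuthenticationAuthority."""
    m = re.search(r"^AuthenticationAuthority:(.*)$", dscl_text, re.M)
    if not m:
        return set()
    return {h.upper() for h in re.findall(r";pubkeyhash;([0-9A-Fa-f]{40})", m.group(1))}


def card_is_bound(sc_auth_text: str, dscl_text: str) -> bool:
    """True if the card's authentication hash is bound to the account."""
    return authentication_hash(sc_auth_text) in bound_pubkey_hashes(dscl_text)


def signature_key_bound(sc_auth_text: str, dscl_text: str) -> bool:
    """True if the signature key was bound by mistake; that binding should be removed."""
    sig = parse_sc_auth_hash(sc_auth_text).get("signature")
    return sig is not None and sig in bound_pubkey_hashes(dscl_text)


if __name__ == "__main__":
    print(sc_auth_accept_command("chri", SC_AUTH_HASH_OUTPUT))
    print("authentication key bound:", card_is_bound(SC_AUTH_HASH_OUTPUT, DSCL_OUTPUT))
    print("signature key bound (should be False):",
          signature_key_bound(SC_AUTH_HASH_OUTPUT, DSCL_OUTPUT))
```

On a real machine the two strings would be replaced by the captured output of the commands; the check is worth repeating after associating additional cards, since each run of sc_auth accept adds another ;pubkeyhash; entry.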
Test your configuration
That's it. Save all your open files, log out of the system and connect your SmartCard. You should see the Enter PIN prompt when your card is connected.
Debug info
When you insert the card into the reader, the following messages appear in /var/log/secure.log (open it using Console). If you don't see these messages, check that your cardreader is configured correctly on the system.
com.apple.SecurityServer: Token reader CCID Smart Card Reader 0 0 inserted into system
com.apple.SecurityServer: token inserted into reader CCID Smart Card Reader 0 0
com.apple.SecurityServer: reader CCID Smart Card Reader 0 0 inserted token "BELPIC-534C494E336600296CFF2491AB111E14" (BELPIC-534C494E336600296CFF2491AB111E14) subservice 2 using driver com.apple.tokend.belpic
After a successful login you should see these messages:
SecurityAgent[1994]: Showing Login Window
SecurityAgent[1994]: User Authenticated: continue login process
com.apple.SecurityServer: Succeeded authorizing right system.login.console by process /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
com.apple.SecurityServer: Succeeded authorizing right system.login.done by process /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Links
Apple Smart Card Setup Guide
Mac OS X 10.4: Enabling smart card login