13 Aug 2014 pipeman   » (Journeyer)

Configuring smart card login on OS X 10.9

Earlier I documented how to use a Finnish government-issued ID card (FINeID) for SSH authentication. As my vacation ended and I had to dig the smart card reader out to SSH to a machine, I remembered that I never quite figured out how to get login authentication to work with the same card. It took a bit of detective work, but it turns out the basic steps are not that complicated. I will only cover the most basic set-up, where you pair one specific smart card with a local account on your computer using the card's public key. A more sophisticated setup is possible for larger organisations.

First, check my previous post and follow the instructions for setting up OpenSC, then verify using pkcs15-tool -k that your card reader and card are working properly.

Then, in case you have Apple IDs associated with your user account, you need to work around a bug in authorizationhost: in System Preferences, go to Users & Groups and select the user you're setting up for smart card login. Remove all associated Apple ID accounts by clicking on the "Change…" button next to "Apple ID:" and deleting any entries in the list. Failure to do so may make it impossible to unlock the screen or the System Preferences panes. You can also do this manually with Directory Utility by removing all entries except the one containing the username from the user's RecordName property in the Users directory.

Once that is done, run the following to enable smart card support for logins:

sudo security authorizationdb smartcard enable

Make sure the card is inserted, and list the public key hashes using the OS X built-in command sc_auth:

sc_auth hash

It should output a list similar to this, but with slightly more random hashes:

01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
06DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key


Again, it's the todentamis- ja salausavain (the authentication and encryption key) we're interested in. Now use sc_auth accept to associate that public key hash with a user account:

sudo sc_auth accept -u USERNAME -h 01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF


This should be it - when the smart card is inserted and initialised, the corresponding user will automatically be selected in the login screen, and instead of prompting for a password it will prompt you for the card's PIN. Note that the card PIN typically defaults to a 4-digit number, but (in the case of a FINeID card) it can be changed to any 4-8 character alphanumeric string using e.g. pkcs15-tool --change-pin. For other cards you can inspect the PIN code constraints using pkcs15-tool --list-pins.
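Added here as a worked example, not code from the original post and not an Apple or OpenSC tool: a small POSIX shell script that ties the steps above together. It picks the hash of the todentamis- ja salausavain key out of sc_auth hash output (so the signing key is never paired by mistake), refuses hashes that are not 40 hex digits, builds the sc_auth accept command (printed rather than run while DRY_RUN=1), and checks whether a given hash is present in the user's AuthenticationAuthority attribute, which is where sc_auth accept records the pairing as a ";pubkeyhash;HASH" token (read it with dscl . -read /Users/USERNAME AuthenticationAuthority). The sample sc_auth output reuses the placeholder hashes from the post, and the sample AuthenticationAuthority value is constructed and simplified.

```shell
#!/bin/sh
# Example script (not from the original post). Sample data below is
# constructed; the DEADBEEF hashes are placeholders, not real key hashes.

# Label printed by `sc_auth hash` for the FINeID authentication/encryption key.
AUTH_KEY_LABEL="todentamis- ja salausavain"

# select_auth_key_hash LABEL  (sc_auth hash output on stdin)
# Prints the 40-hex-digit hash whose label matches LABEL exactly. Fails unless
# exactly one line matches, so an ambiguous or missing key is never paired.
select_auth_key_hash() {
    awk -v want="$1" '
        {
            hash = $1
            sub(/^[^ ]+ /, "")          # strip the hash; the rest is the label
            if ($0 == want) { hits++; found = hash }
        }
        END {
            if (hits != 1) exit 1
            print found
        }'
}

# is_valid_hash HASH: sc_auth takes a SHA-1 public key hash, i.e. 40 hex digits.
is_valid_hash() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# pairing_command USER HASH: the sc_auth accept invocation from the post.
# With DRY_RUN=1 the command is only printed so it can be reviewed first.
pairing_command() {
    if ! is_valid_hash "$2"; then
        echo "refusing to pair: '$2' is not a 40-hex-digit hash" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sudo sc_auth accept -u $1 -h $2"
    else
        sudo sc_auth accept -u "$1" -h "$2"
    fi
}

# hash_is_paired HASH AUTHAUTH: true if AUTHAUTH (the user's
# AuthenticationAuthority attribute, e.g. from dscl) contains ";pubkeyhash;HASH".
hash_is_paired() {
    printf '%s\n' "$2" | grep -q ";pubkeyhash;$1"
}

# Constructed sample of `sc_auth hash` output, using the post's placeholders.
SAMPLE_HASH_OUTPUT='01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key'

# Constructed, simplified AuthenticationAuthority value after a pairing.
SAMPLE_AUTHAUTH=';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;pubkeyhash;01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF'

# demo: run the whole flow against the constructed samples, without touching
# the system (DRY_RUN=1).
demo() {
    hash=$(printf '%s\n' "$SAMPLE_HASH_OUTPUT" | select_auth_key_hash "$AUTH_KEY_LABEL") || {
        echo "authentication key not found in sc_auth hash output" >&2
        return 1
    }
    DRY_RUN=1
    pairing_command USERNAME "$hash"
    if hash_is_paired "$hash" "$SAMPLE_AUTHAUTH"; then
        echo "paired: $hash"
    else
        echo "not paired: $hash" >&2
        return 1
    fi
}

demo
```

On a real machine, replace SAMPLE_HASH_OUTPUT with the output of sc_auth hash and SAMPLE_AUTHAUTH with the value printed by dscl . -read /Users/USERNAME AuthenticationAuthority, and unset DRY_RUN to actually run the pairing.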

When logging in using a smart card rather than a password, OS X will not be able to unlock your login keychain, as by default it is encrypted using your login password. You can choose to either unlock the keychain manually or change the keychain to use your smart card for unlocking rather than a password. If you do that, your keychain is effectively encrypted with your smart card, so if you lose your smart card, you will lose access to your login keychain. It seems that keychain migration uses your smart card PIN as your new keychain password, so beware that you may actually lower the keychain encryption key entropy if your smart card PIN is simpler than your regular password.

If you have FileVault full disk encryption enabled (and you should), OS X will automatically log you in using the password supplied at the FileVault login screen. If you have followed the instructions above, your account will still have a valid password, so you will be logged in automatically, but the system will not be able to unlock your keychain with that password. (It's possible to disable password login entirely by deleting the "ShadowHash" entry from the AuthenticationAuthority record of your user account using Directory Utility; note that this will also effectively disable sudo for that user.) To prevent automatic login with FileVault, you can run:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

More information is in Apple support article HT5989.

If you know French, this blog post contains some more details on configuring smart card authentication on Mavericks.
