Monday, January 16, 2017

macOS Sierra and (legacy) smart card login

It is easy to configure a user account to log in with a smartcard on macOS Sierra. Some steps are not easy to guess, so I wrote this documentation to remember them.

System configuration

Enable smart card login

$ sudo security authorizationdb smartcard enable
YES (0)

Check configuration

$ sudo security authorizationdb smartcard status
Current smartcard login state: enabled (system.login.console enabled, authentication rule enabled)
YES (0)

Note: you will also get the "YES (0)" result if smartcard login is disabled. You must check for "enabled" in the output.

User configuration

You need to generate a key pair and a certificate in your smartcard. I used Cacert.org as it is a free CA.

The tokend system is read-only, so you can't enrol with Safari. You need to use Firefox and the smartcard's PKCS#11 library to enrol your card.

After that your smartcard should be visible in the Keychain Access application:

List the possible hashes

$ sc_auth hash
4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C CAcert WoT User
9F050FD8D4781472FA56AC599BF952052E5EDA65 com.apple.systemdefault
9B6CCF907A02C78774AEEEC7D2501165FB98231A com.apple.kerberos.kdc
9F050FD8D4781472FA56AC599BF952052E5EDA65 com.apple.systemdefault
9B6CCF907A02C78774AEEEC7D2501165FB98231A com.apple.kerberos.kdc

I want to use the CAcert certificate and key.

Configure the hash

$ sudo sc_auth accept -u lroussea -h 4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C

Check it worked:

$ sc_auth list
Hash (legacy): 4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C
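As an added example (not part of the original post), a small POSIX shell script that checks the results of the steps above by parsing the command outputs instead of relying on the "YES (0)" marker. The sample outputs are constructed from the text of this post; the live check only runs where the macOS tools exist.

```shell
#!/bin/sh
# Added example: verify macOS (legacy) smart card login configuration from the
# textual output of `security authorizationdb smartcard status`, `sc_auth hash`
# and `sc_auth list`. The exit marker "YES (0)" is printed in both the enabled
# and the disabled state, so the state line itself must be inspected.

# Returns 0 only if the status output reports the login state as enabled.
# $1: full output of `sudo security authorizationdb smartcard status`
smartcard_status_enabled() {
    printf '%s\n' "$1" | grep -q '^Current smartcard login state: enabled'
}

# Prints the hash listed for a certificate label in `sc_auth hash` output.
# The output may repeat entries (as in the post), so the first match wins.
# $1: output of `sc_auth hash`, $2: certificate label (e.g. "CAcert WoT User")
hash_for_label() {
    printf '%s\n' "$1" | awk -v label="$2" '
        { h = $1; $1 = ""; sub(/^ /, ""); if ($0 == label) { print h; exit } }'
}

# Returns 0 if the `sc_auth list` output contains exactly the expected hash.
# $1: output of `sc_auth list`, $2: expected hash (40 hex characters)
user_accepts_hash() {
    printf '%s\n' "$1" | grep -q "^Hash (legacy): $2\$"
}

# Runs the real checks on a macOS host for the hash given as $1;
# on other systems it only reports that the tools are missing.
check_live() {
    command -v sc_auth >/dev/null 2>&1 || {
        echo "sc_auth not found; skipping live check"; return 0; }
    smartcard_status_enabled "$(sudo security authorizationdb smartcard status 2>&1)" \
        || { echo "smart card login is NOT enabled"; return 1; }
    user_accepts_hash "$(sc_auth list)" "$1" \
        || { echo "hash $1 is not accepted for this user"; return 1; }
    echo "smart card login is configured for hash $1"
}
```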

Certification Authority configuration

One major problem with CAcert is that this CA is not recognised as trusted by (major) operating systems and (major) web browsers. That is why you get a red warning "This certificate was signed by an unknown authority" in the Keychain Access application.
You need to import and trust the CAcert root certificate. You can get it from https://www.cacert.org/index.php?id=3. I fetched the root certificate in PEM format and saved it as root.cer.

Import CAcert root certificate

You can import the CAcert root certificate using the Keychain Access application, but the certificate would not get the needed trust level. You need to use the command line (I got the command from "Adding new trusted root certificates to System.keychain"):

$ sudo security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" root.cer

Note: I had to use -r trustAsRoot instead of -r trustRoot as given in the "Adding new trusted root certificates to System.keychain" web page. Maybe the CAcert root certificate is not considered a real root certificate.

The CAcert root certificate should be trusted and should not display any blue mark.

Bad:
Good:

User certificate validity

Check that the certificate on your smartcard is now considered valid (with no special blue mark on it):

The certificate must be valid for any user, not just yourself. A good way to check that is to verify that the certificate is also valid from another user account. The certificate must be valid before the user is logged in, so it must not depend on a special (trust) configuration for a particular user.

You can get more details by evaluating the certificate from the Keychain Access application:
  1. Control-click on the certificate
  2. Select "Evaluate ..." from the popup menu
  3. Click "Continue" in the next dialog box
  4. Check the certificate status

Enjoy

You can now log out to go back to the login screen. After inserting your smartcard your user should be selected and the prompt should display "PIN code:" instead of the classic "Password:".

You may want to update your default keychain password to be the same as your PIN code, so you can access your saved passwords automatically after logging in with the smartcard.

Conclusion

Using a smartcard to log in to macOS Sierra is easy to configure. But you have to take great care with the certificate chain between the CA and your certificate.

I used and described the legacy smart card authentication system. macOS Sierra introduced a new "smart card token" mechanism to replace tokend. That is for another blog article.