pipeman is currently certified at Journeyer level.

Name: Rasmus Sten
Member since: 2001-11-07 01:45:59
Last Login: 2014-08-31 19:33:34

FOAF RDF Share This

Homepage: http://dll.nu/

Projects

Recent blog entries by pipeman

Syndication: RSS 2.0
13 Aug 2014 (updated 16 Aug 2014 at 19:01 UTC) »
Configuring smart card login on OS X 10.9

Earlier I documented how to use a Finnish government issued ID card (FINeID) for SSH authentication. As my vacation ended and I had to dig the smart card reader out to SSH to a machine, I remembered that I never quite figured out how to get login authentication to work with the same card. It took a bit of detective work but it turns out the basic steps are not that complicated. I will only cover the most basic set-up, where you pair one specific smart card with a local account on your computer using the card's public key. It's possible to have more sophisticated setup for larger organisations.

First, check my previous post and follow the instructions for how to set up OpenSC and verify using pkcs15-tool -k that your card reader and card is working properly.

Then, in case you have Apple ID's associated with your user account, you need to work around a bug in authorizationhost: in System Preferences, go to Users & Groups and select the user you're setting up for smart cart login. Remove all associated Apple ID accounts by clicking on the "Change…" button next to "Apple ID:" and deleting any entries from the list (if any). Failure to do so may make it impossible to unlock the screen and unlock System Preferences panes. You can also manually do this with Directory Utility by removing all entries except the one containing the username from the user's RecordName property in the Users directory.


Once that is done, run the following to enable smart card support for logins:

sudo security authorizationdb smartcard enable

Make sure the card is inserted, and list the public key hashes using the OS X built-in command sc_auth:
sc_auth hash

It should output a list similar to this, but with slightly more random hashes:

01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
06DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key


Again, it's the todentamis- ja salausavain we're interested in. Now use sc_auth to associate that public key with a user account:

sudo sc_auth accept -u USERNAME -h 01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF


This should be it - when the smart cart is initialised, the corresponding user will automatically be selected in the login screen, and instead of prompting for a password it will prompt you for the card's PIN. Note that typically the card PIN defaults to a 4-digit number but it can be changed to (in the case of a FINeID card) any 4-8 character alphanumeric string using e.g. pkcs15-tool --change-pin. For other cards you can inspect the PIN code constraints using pkcs15-tool --list-pins.

When logging in using a smart card rather than a password, OS X will not be able to unlock your login keychain, as it by default is encrypted using your login password. You can choose to either manually unlock the keychain or change the keychain to use your smart card for unlocking rather than a password. If you do that, it means that your keychain is effectively encrypted with your smart card, so if you lose your smart card, you will lose access to your login keychain. It seems that Keychain migration uses your smartcard PIN as your new keychain password, so beware that you may actually lower the keychain encryption key entropy if your smartcard PIN is simpler than your regular password.

If you have FileVault full disk encryption enabled (and you should) OS X will automatically log you in using the password supplied at the FileVault login screen. If you have followed the instructions above, your account will still have a valid password (it's possible to disable password login entirely by deleting the "ShadowHash" entry in the AuthenticationAuthority record of your user account using Directory Utility - note that this will also effectively disable sudo for that user) and you will be automatically logged in, but the system will not be able to unlock your keychain with that password. To prevent automatic login with FileVault, you can run:


sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES


More information in HT5989.

If you know French, this blog post contains some more details on configuring smart card authentication on Mavericks.
2 Jul 2014 (updated 7 Jul 2014 at 12:24 UTC) »

SSH authentication using the Finnish electronic ID card (FINEID) on OS X

The government of Finland provides smart card-enabled ID cards to all residents under the FINeID program run by the Population Register Centre (Väestörekisterikeskus). The chip provided is, according to the spec, based on ISO/IEC 7816-15 (also known as PKCS#15), 7816-4 and 7816-8. The open source project OpenSC makes it possible to interact with PKCS#15 cards on a variety of operating systems, including OS X, Linux and Windows.

When I renewed my ID card I became interested in the possibilities provided by this, so I ordered a card reader known to work with Mac and installed version 0.13. The latest version is 0.14.0 but there are no pre-compiled binaries for OS X, and my own attempts at building it failed quite early.

After installing OpenSC, you'll see something similar to the following message in the system log when inserting the card reader and the card:

2014-07-02 20:11:38,774 com.apple.SecurityServer[17]: reader SCR35xx Smart Card Reader 00 00 inserted token "HENKILOKORTTI" (088f5dfb29f6672f9435db333fc0539bc64f2769) subservice 2 using driver com.apple.tokend.opensc

You can then use the pkcs15-tool command to list available private keys stored on the card:

$ pkcs15-tool -k
Using reader with a card: SCR35xx Smart Card Reader 00 00
Private RSA Key [todentamis- ja salausavain]
Object Flags : [0x1], private
Usage : [0x26], decrypt, sign, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:01;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f004b01
Auth ID : 01
ID : 45

Private RSA Key [allekirjoitusavain]
Object Flags : [0x1], private
Usage : [0x200], nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:02;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f0050164b02
Auth ID : 02
ID : 46

Your FINeID card provides you with two certificates and corresponding keys; one for signing and one for authentication and encryption. However, for the purpose of SSH authentication the certificates (and their stated purpose) don't matter; we just care about the corresponding RSA public and private keys, so we can pick either one. You need to know which one you're using because they're protected with different PIN codes, provided to you by mail. Above, we can see that the first key, labelled todentamis- ja salausavain has ID 45 on the card - let's pick that. It happens to be the authentication/encryption key and is protected with PIN1. We then simply need to retrieve its corresponding public key in a format suitable for an OpenSSH authorized_keys file. Luckily pkcs15-tool provides exactly that - just tell it you want the key with ID 45 and pipe it to pbcopy to place it into your pasteboard.

$ pkcs15-tool --read-ssh-key 45|pbcopy
Using reader with a card: SCR35xx Smart Card Reader 00 00


Open ~/.ssh/authorized_keys on the target computer and paste the contents of your pasteboard into its own line.

Next you need to tell your SSH client to defer authentication to your smart card. This is done by using the -I option to ssh to specify the OpenSC PKCS#11 library, like this:

$ ssh -I /usr/lib/opensc-pkcs11.so karin.local
Enter PIN for 'HENKILOKORTTI (perustunnusluku)':
Last login: Wed Jul 2 21:06:33 2014 from otter.local
karin:~ rasmus$

You will be prompted for your PIN - enter PIN1 here provided that you picked the "todentamis- ja salausavain" key earlier and you will be logged in. To have ssh always query your ID card, add the following to ~/.ssh/config (add a "Host" section above to apply it to one or more specific remote hosts):

PKCS11Provider /usr/lib/opensc-pkcs11.so

That's it! You can now use your Finnish ID card as a hardware authentication token for your SSH logins.

Update: you can apparently also do this using ssh-agent. I haven't tried this yet myself but will update the blog post once I have. Following those instructions seem to put launchd in a very bad state on OS X 10.9.4. I'll investigate a bit more but until then I recommend against trying ssh-agent with the OpenSC PKCS#11 support.

30 Aug 2012 (updated 30 Aug 2012 at 13:02 UTC) »
Disabling Java in Safari for all users on a Mac

There are a lot of instructions on how to disable Java applets in different web browsers. However, none of the instructions I've seen have tackled my situation: in my home we each have one account, and even though I administer the computer I don't know the password of the other accounts hence I can't login as all the other users and manually uncheck the "Enable Java" check box in the Safari security preferences. Because of that I was looking for a way to do it automatically for all users, and this is what I came up with:



# become root
sudo -s

# exit all instances of Safari
killall Safari

# wait for Safari to exit
while ps axc|grep -q Safari ; do echo "waiting..." ; done

# for all users that have a Safari prefs file, set the appropriate keys to "false"
# paste the following all in one go
dscl . -list /Users home | while read username homedir ; do \
file="${homedir}/Library/Preferences/com.apple.Safari" ; \
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java for user $username" ; \
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled ; do \
defaults write "$file" $prop false ; chown $username "${file}.plist" ; \
done; \
fi ; \
done



That's it!

Caveats:
  • This will only change Safari's preferences (we use Safari at home, with Firefox reserved for sites that require Java or Flash)
  • This will only change Safari's preferences if the user has launched Safari at least once
  • While I have tested this in Mountain Lion (10.8.1) and Lion (10.7.4), I can't make any guarantees as to whether it'll work in your particular environment. Worst case it may reset your Safari preferences to default. Always have backups. :-)

If you want to disable all plug-ins as well as Java, something I recommend, run this instead for the last step:


dscl . -list /Users home | while read username homedir ; do \
file="${homedir}/Library/Preferences/com.apple.Safari" ; \
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java and all plug-ins for user $username" ; \
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled \
WebKitPluginsEnabled com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled ; do \
defaults write "$file" $prop false ; chown $username "${file}.plist" ; \
done; \
fi ; \
done



Top shell commands in my home computer as of today:


$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
88 git
76 cd
74 ls
34 sudo
21 ssh
18 du
14 cat
13 ps
13 mdfind
12 open
Retesting

Almost five years ago I took this test, and it classified me as Amiga OS - now I took the same test again and came up as OS X. It would be interesting to see what has changed in more detail; I couldn't figure out any questions that I definitely would have answered differently five years ago.

You are OS X. You tend to be fashionable and clever despite 
being a bit transparent.  Now that you've reached some stability you're 
expecting greater popularity.
Which OS are You?

What has changed in the last five years, however, is that run OS X on most of my computers. Back then, I had Windows 2000 on my desktop computer (with coLinux for development), and Windows XP (I think) on my laptop. I do have a W2K VM on my home Mac (mostly used for getting dissapointed at SF Anytime, a local video-on-demand service that requires Windows (and lately, newer Windows than Windows 2000)), and at work I keep a spare hard disk that I plug in when I need to do things that requires Windows (some of the bureaucracy tools require IE, among other this), but about 80% if my time is spent in OS X and 19% in Linux (although it depends on how you count; I'm pretty much always logged-in to my home Linux server (a small fanless VIA x86 with a flash disk), for example, and similarly always using a handful of Linux servers at work where, among other things, our testing infrastructure is largely Linux- based, even the parts that runs automated tests on Mac OS X (which in itself is an interesting topic for another talk or blog post).

47 older entries...

 

pipeman certified others as follows:

  • pipeman certified pipeman as Apprentice
  • pipeman certified pawal as Apprentice
  • pipeman certified alan as Master
  • pipeman certified chalst as Journeyer
  • pipeman certified raph as Master
  • pipeman certified Bram as Master
  • pipeman certified esr as Master
  • pipeman certified Akira as Journeyer
  • pipeman certified e8johan as Journeyer
  • pipeman certified titus as Journeyer
  • pipeman certified robey as Master

Others have certified pipeman as follows:

  • pipeman certified pipeman as Apprentice
  • lerdsuwa certified pipeman as Apprentice
  • derupe certified pipeman as Apprentice
  • freax certified pipeman as Apprentice
  • pvanhoof certified pipeman as Apprentice
  • titus certified pipeman as Journeyer
  • icherevko certified pipeman as Master

[ Certification disabled because you're not logged in. ]

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

X
Share this page