
Smartcard Support for Panther?

Posted by Cliff
from the smart-cats-with-smarter-cards dept.
poemofatic asks: "I use a Powerbook to connect to my work's VPN server. Recently, my sysadmin has been setting up smart card support for VPN authentication, and I'd like to know if anyone in the Slashdot crowd has managed to use smart cards on Panther to successfully connect to a Microsoft VPN server. Also, it'd be nice to hear if anyone has used either the Schlumberger or Gemplus cards successfully, and whether they've tried the USB tokens."
  • Smart Cards (Score:5, Informative)

    by spamtrap (84490) on Wednesday June 02, 2004 @01:37PM (#9316795) Homepage
    Security [apple.com] is where you want to look.

    There are smart card PC/SC links on that page that mention the kind of cards that should work.

    Chuck
  • by daveschroeder (516195) * on Wednesday June 02, 2004 @02:17PM (#9317296)
    Developer - Mac OS X Security [apple.com]

    Apple Federal Smart Card Package Manual [apple.com]

    "To use FSCP, you need the following:

    A Macintosh computer with Mac OS X v10.2.3 installed
    A Department of Defense Common Access Card issued since 2001
    An SCM Microsystems SCR331 USB High Speed EMV Reader [scmmicro.com]

    You can also use one of these smart card readers, but you must download and install driver software from the manufacturer's website:

    Gemplus GemPC430 USB Smart Card Reader [gemplus.com]
    OMNIKEY CardMan Desktop USB 2020 [omnikey.com]
    Schlumberger Sema Reflex USB v.2 Reader [axalto.com] or Reflex USB Lite Reader [axalto.com]"


    Smart Card Services (PC/SC) SDK [apple.com]

    "The PC/SC Workgroup is a collaborative effort of leading international personal computer and smart card companies, united to integrate their technologies under common standards. Apple is a Core Member of the PC/SC Workgroup along with Bull Personal Transaction Systems, Gemplus, Hewlett-Packard, Infineon, Intel, Microsoft, Schlumberger, Sun Microsystems and Toshiba.

    PC/SC is a standard that builds upon existing industry smart card standards - ISO7816 and EMV - and complements them by defining low-level device interfaces and device-independent application APIs as well as resource management, to allow multiple applications to share smart card devices attached to a system.

    The Smart Card Services SDK enables developers to write PC/SC-compliant applications and drivers on MacOSX starting with MacOSX 10.0.2.

    The Smart Card Services SDK is available from Apple's Open Source repository. Access requires agreeing to the Apple Public Source License."
  • by babbage (61057) <cdevers.cis@usouthal@edu> on Wednesday June 02, 2004 @02:17PM (#9317298) Homepage Journal

    OSX just uses Linux-PAM [apple.com] for authentication, so if you can get these cards working on Linux, the exact same procedure should work on your Macs. Further, any documentation [google.com] describing how to get these cards working on Linux should also apply to OSX.

  • Re:PCMCIA? (Score:5, Informative)

    by Cthefuture (665326) on Wednesday June 02, 2004 @03:11PM (#9317835)
    Currently these [musclecard.com] are the main drivers that I know of. There are some PCMCIA Linux drivers with source here [musclecard.com] if you're willing to do some porting work.

    Even better than that are the USB smartcards (like the Schlumberger e-Gate series; Java and Cryptoflex). You can just plug the smartcard itself into the USB slot. PC/SC drivers exist for at least the Schlumberger cards but I don't know if they have been made publicly available (maybe they come with OS X now?). No reader required.
  • No. It doesn't. (Score:5, Informative)

    by netsrek (76063) on Wednesday June 02, 2004 @04:19PM (#9318541) Homepage
    No, PAM isn't as pervasive in OS X as it can be under Linux.

    You cannot authenticate from the loginwindow against PAM. Try it. You cannot authenticate against the AFP server.

    This is a case of the left hand not knowing what the right hand is doing...

    I believe this is because loginwindow consults SecurityServer
    directly and PAM sits on top of SecurityServer.
  • by Cerebus (10185) on Wednesday June 02, 2004 @05:00PM (#9319119) Homepage
    Apple SmartCard support is built with the DoD Common Access Card (CAC) in mind. To work with another PKI you'll need to make modifications.

    Panther already includes the Apple Federal SmartCard Package, but you should download and read the docs from Apple Support. It's essentially MUSCLE with tweaks. Enable it via 'sudo cac_setup' and disable it with 'sudo cac_setup -off'. The details are in /etc/authorization.cac.

    Generally, the framework validates the private key on the card, then reads attributes from the card (by default, the DoD EDI-PI from the Demographics container) and maps this attribute against Open Directory accounts. It's pretty flexible, and it shouldn't take a lot of work to make it work with another PKI.
  • by Orpheus Liar (157914) * on Wednesday June 02, 2004 @05:40PM (#9319613)
    Odd that you've been told they'll provide no client as iPass makes an OSX client [ipass.com] and Cisco makes an OSX version of its VPN client [cisco.com] which I have running on my AlBook right now (I believe you must have an account with Cisco to get it from their site, but Google shows many hits with the download).
  • by netsrek (76063) on Wednesday June 02, 2004 @05:51PM (#9319727) Homepage
    My point was that it doesn't actually use it for authentication in very many contexts. Yes, it is the same PAM as we're used to under Linux, but my point was that your statement "OSX just uses Linux-PAM [apple.com] for authentication" is kind of misleading.

    The majority of authentications under OS X that people actually use do not touch PAM.
  • Contivity? (Score:4, Informative)

    by petard (117521) * on Wednesday June 02, 2004 @06:25PM (#9320044) Homepage
    According to Nortel's documentation they support X.509 certificates. That's probably what you mean by "emulate Windows Digital Certificate functionality" :-) Check with your documentation for how to configure certificate-based authentication. It's usually pretty easy.
  • Re:PCMCIA? (Score:3, Informative)

    by PygmySurfer (442860) on Thursday June 03, 2004 @07:59AM (#9324144)
    SCM has a variety of readers [scmmicro.com] that work under OS X.
  • by petard (117521) * on Friday June 04, 2004 @12:46AM (#9332366) Homepage
    is that its USB support just isn't up to snuff.

    The only smartcard readers you want to use with a mac recent enough to run Virtual PC well are USB readers, and I haven't had any luck getting them to work in any recent version of Virtual PC. I've had some luck with other USB devices, but for some reason, the (gemplus GemCore-based) readers I've tried have been non-starters.

    The last version I tried was 6.0.something. I could occasionally get the driver to properly detect the reader, but never managed to get it to work with even the simplest test applications, let alone VPN support. I think the poster will have more luck with Mac native solutions, as OS X's smartcard support is actually decent.
