Smartcard Support for Panther? 29
poemofatic asks: "I use a Powerbook to connect to my work's VPN server. Recently, my sysadmin has been setting up smart card support for VPN authentication, and I'd like to know if anyone in the Slashdot crowd has managed to use smart cards on Panther to successfully connect to a Microsoft VPN server. Also, it'd be nice to hear if anyone has used either the Schlumberger or Gemplus cards successfully, and whether they've tried the USB tokens."
Smart Cards (Score:5, Informative)
There are smart card PC/SC links on that page that mention the kind of cards that should work.
Chuck
Apple smart card information (Score:5, Informative)
Apple Federal Smart Card Package Manual [apple.com]
"To use FSCP, you need the following:
A Macintosh computer with Mac OS X v10.2.3 installed
A Department of Defense Common Access Card issued since 2001
An SCM Microsystems SCR331 USB High Speed EMV Reader [scmmicro.com]
You can also use one of these smart card readers, but you must download and install driver software from the manufacturer's website:
Gemplus GemPC430 USB Smart Card Reader [gemplus.com]
OMNIKEY CardMan Desktop USB 2020 [omnikey.com]
Schlumberger Sema Reflex USB v.2 Reader [axalto.com] or Reflex USB Lite Reader [axalto.com]
Smart Card Services (PC/SC) SDK [apple.com]
"The PC/SC Workgroup is a collaborative effort of leading international personal computer and smart card companies, united to integrate their technologies under common standards. Apple is a Core Member of the PC/SC Workgroup along with Bull Personal Transaction Systems, Gemplus, Hewlett-Packard, Infineon, Intel, Microsoft, Schlumberger, Sun Microsystems and Toshiba.
PC/SC is a standard that builds upon existing industry smart card standards - ISO7816 and EMV - and complements them by defining low-level device interfaces and device-independent application APIs as well as resource management, to allow multiple applications to share smart card devices attached to a system.
The Smart Card Services SDK enables developers to write PC/SC-compliant applications and drivers on MacOSX starting with MacOSX 10.0.2.
The Smart Card Services SDK is available from Apple's Open Source repository. Access requires agreeing to the Apple Public Source License."
OSX just uses Linux-PAM for authentication (Score:5, Informative)
OSX just uses Linux-PAM [apple.com] for authentication, so if you can get these cards working on Linux, the exact same procedure should work on your Macs. Further, any documentation [google.com] describing how to get these cards working on Linux should also apply to OSX.
Re:PCMCIA? (Score:5, Informative)
Even better than that are the USB smartcards (like the Schlumberger e-Gate series; Java and Cryptoflex). You can just plug the smartcard itself into the USB slot. PC/SC drivers exist for at least the Schlumberger cards but I don't know if they have been made publicly available (maybe they come with OS X now?). No reader required.
No. It doesn't. (Score:5, Informative)
You cannot authenticate from the loginwindow against PAM. Try it. You cannot authenticate against the AFP server.
This is a case of the left hand not knowing what the right hand is doing...
I believe this is because loginwindow consults SecurityServer
directly and PAM sits on top of SecurityServer.
Most of it's already there. (Score:5, Informative)
Pather already includes the Apple Federal SmartCard Package, but you should download and read the docs from Apple Suport. It's essentially MUSCLE with tweaks. Enable it via 'sudo cac_setup' and disable it with 'sudo cac_setup -off'. The details are in
Generally, the framework validates the private key on the card, then reads attributes from the card (by default, the DoD EDI-PI from the Demographics container) and maps this attribute against Open Directory accounts. It's pretty flexible, and it shouldn't take a lot of work to make it work with another PKI.
Re:Verizon VPN services? (Score:5, Informative)
Re:Yes, it does. It may be broken, but it does use (Score:5, Informative)
The majority of authentications under OS X that people actually use do not touch PAM.
Contivity? (Score:4, Informative)
Re:PCMCIA? (Score:3, Informative)
The reason virtual PC won't work (Score:3, Informative)
The only smartcard readers you want to use with a mac recent enough to run Virtual PC well are USB readers, and I haven't had any luck getting them to work in any recent version of Virtual PC. I've had some luck with other USB devices, but for some reason, the (gemplus GemCore-based) readers I've tried have been non-starters.
The last version I tried was 6.0.something. I could occasionally get the driver to properly detect the reader, but never managed to get it to work with even the simplest test applications, let alone VPN support. I think the poster will have more luck with Mac native solutions, as OS X's smartcard support is actually decent.