Home > Articles > Apple > Operating Systems
Sep 29, 2017 Some (minor) bugs reported on El Capitan are still present in High Sierra. I updated the page 'OS X El Capitan and smart cards: known bugs'. CryptoTokenKit CryptoTokenKit is the native smart card API since the complete rewrite in macOS Yosemite 10.10 (OS X Yosemite BETA and smart.
By default, Mac OS, unlike Windows, doesn't automatically enable the TRIM command for a self-installed SSD. (If your Mac comes with an SSD, TRIM will already be enabled.) (If your Mac comes with. Jan 10, 2019 The second part describes the support for Smart Cards on macOS. Before Sierra. Before Sierra (10.12), macOS had little support for Smart Cards. Actually this statement is not totally true - up until Lion (10.7), macOS had native support for Smart Cards through tokend, a low level service that reads Smart Cards and populates the user’s Keychain. Windows 8.1 / 8 / 10, Mac OS High Sierra 10.13, $49.80 PrimeShield ATV Cover - Heavy Duty Waterproof Windproof Large Quad ATC 4 Wheeler Cover, All-Season Outdoor UV Protection for Kawasaki Yamaha Suzuki Honda Polaris ATV, 94 x 48 x 48', Black.
␡
Page 1 of 5Next >
Using smart cards or similar products can greatly enhance the security of a network and of individual workstations (including portable computers and those used for remote access). Ryan Faas shows you how to implement these alternatives to static usernames and passwords on the Macs in your network.
Like this article? We recommend
Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
Like this article? We recommendLike this article? We recommend
Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
Systems administrators often need to strike a balance between password policies that offer greater levels of security and policies that permit users to choose passwords that are easy to remember. This can be a tricky balancing act: If you force passwords with greater levels of security, users are likely to forget them and continually need to call the help desk to have them reset or write them down on a piece of paper kept at their desk (negating the security of the pa). If you allow less-secure passwords, they can be easily guessed or cracked. As users become more mobile, this becomes an even greater dilemma because of the potential theft of portable computers or the inherent lack of security when users access resources via unprotected Wi-Fi hotspots or home Internet connections. VPN offers some protection for remote access, but in many cases even VPN relies on passwords as the method of authenticating users and granting remote access.
One solution to this conundrum is the use of token-based authentication such as smart cards or one-time password tokens. Both of these technologies offer the capability to beef up security by means of two factor authentication—which requires a physical token as well as either a PIN number or a biometric evidence to grant access. The requirement of a physical device as well as a secret code or other identifying information such as a fingerprint greatly enhance security because the password or PIN is essentially useless without the token, and the token is useless without the PIN or user’s biometric evidence. Also, because a token is a physical object, its absence will be noticed quickly if it is lost or stolen (unlike a compromised username and password).
One-Time Password Solutions
One-time password solutions are devices (often referred to as tokens) that are used to enhance security. They are small devices that have a microprocessor and LCD screen. Each token is seeded with a unique encryption key from a server. The token uses that key to generate a unique one-time password, either each time a user makes a login attempt or at a set interval that is displayed on the LCD screen. To log in to the secured computer or service, a user must enter a username that is associated with his or her token, along with the one-time password displayed on the token and a PIN number that is appended to the sequence of numbers displayed on the token. One-time password solutions for Mac OS X and Mac OS X Server are available from CryptoCard and RSA, although RSA’s solution is limited to VPN access.
Related Resources
This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication.
Enable smart card-only login
Make sure that you carefully follow these steps to ensure that users will be able to log in to the computer.
For more information about smart card payload settings, see the Apple Configuration Profile Reference.
For more information about using smart card services, see the macOS Deployment Guide or open Terminal and enter
man SmartCardServices .
Disable smart card-only authentication
If you manually manage the profiles that are installed on the computer, you can remove the smart card-only profile in two ways. You can use the Profiles pane of System Preferences, or you can use the /usr/bin/profiles command-line tool. For more information, open Terminal and enter
man profiles .
If your client computers are enrolled in Mobile Device Management (MDM), you can restore password-based authentication. To do this, remove the smart card configuration profile that enables the smart card-only restriction from the client computers.
![]()
To prevent users from being locked out of their account, remove the enforceSmartCard profile before you unpair a smart card or disable attribute matching. If a user is locked out of their account, remove the configuration profile to fix the issue.
If you apply the smart card-only policy before you enable smart card-only authentication, a user can get locked out of their computer. To fix this issue, remove the smart card-only policy:
![]() Configure Secure Shell Daemon (SSHD) to support smart card-only authentication
Users can use their smart card to authenticate over SSH to the local computer or to remote computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication.
Update the /etc/ssh/sshd_config file:
Free Download Mac Os Sierra
Then, use the following commands to restart SSHD:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
If a user wants to authenticate SSH sessions using a smart card, have them follow these steps:
If the user wants to, they can also use the following command to add the private key to their ssh-agent:
ssh-add -s /usr/lib/ssh-keychain.dylib
Enable smart card-only for the SUDO command
Use the following command to back up the /etc/pam.d/sudo file:
sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the /etc/pam.d/sudo file with the following text:
Mac Os Sierra CompatibilityEnable smart card-only for the LOGIN command
Use the following command to back up the /etc/pam.d/login file:
sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the/etc/pam.d/login file with the following text:
Enable smart card-only for the SU command
Use the following command to back up the /etc/pam.d/su file:
sudo cp /etc/pam.d/su /etc/pam.d/su_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the/etc/pam.d/su file with the following text:
Sample smart card-only configuration profile
Here’s a sample smart card-only configuration profile. You can use it to see the kinds of keys and strings that this type of profile includes.
Comments are closed.
|
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |