Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Smartcard Support for Panther?

Cliff posted more than 10 years ago | from the smart-cats-with-smarter-cards dept.

OS X 29

poemofatic asks: "I use a Powerbook to connect to my work's VPN server. Recently, my sysadmin has been setting up smart card support for VPN authentication, and I'd like to know if anyone in the Slashdot crowd has managed to use smart cards on Panther to successfully connect to a Microsoft VPN server. Also, it'd be nice to hear if anyone has used either the Schlumberger or Gemplus cards successfully, and whether they've tried the USB tokens."

cancel ×

29 comments

Sorry! There are no comments related to the filter you selected.

fPost (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9316770)

flirt Post

Smart Cards (5, Informative)

spamtrap (84490) | more than 10 years ago | (#9316795)

Security [apple.com] is where you want to look.

There are smart card PC/SC links on that page that mention the kind of cards that should work.

Chuck

more info on VPNs (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9316993)

here [wikipedia.org]

Apple smart card information (4, Informative)

daveschroeder (516195) | more than 10 years ago | (#9317296)

Developer - Mac OS X Security [apple.com]

Apple Federal Smart Card Package Manual [apple.com]

"To use FSCP, you need the following:

A Macintosh computer with Mac OS X v10.2.3 installed
A Department of Defense Common Access Card issued since 2001
An SCM Microsystems SCR331 USB High Speed EMV Reader [scmmicro.com]

You can also use one of these smart card readers, but you must download and install driver software from the manufacturer's website:

Gemplus GemPC430 USB Smart Card Reader [gemplus.com]
OMNIKEY CardMan Desktop USB 2020 [omnikey.com]
Schlumberger Sema Reflex USB v.2 Reader [axalto.com] or Reflex USB Lite Reader [axalto.com]


Smart Card Services (PC/SC) SDK [apple.com]

"The PC/SC Workgroup is a collaborative effort of leading international personal computer and smart card companies, united to integrate their technologies under common standards. Apple is a Core Member of the PC/SC Workgroup along with Bull Personal Transaction Systems, Gemplus, Hewlett-Packard, Infineon, Intel, Microsoft, Schlumberger, Sun Microsystems and Toshiba.

PC/SC is a standard that builds upon existing industry smart card standards - ISO7816 and EMV - and complements them by defining low-level device interfaces and device-independent application APIs as well as resource management, to allow multiple applications to share smart card devices attached to a system.

The Smart Card Services SDK enables developers to write PC/SC-compliant applications and drivers on MacOSX starting with MacOSX 10.0.2.

The Smart Card Services SDK is available from Apple's Open Source repository. Access requires agreeing to the Apple Public Source License."

OSX just uses Linux-PAM for authentication (4, Informative)

babbage (61057) | more than 10 years ago | (#9317298)

OSX just uses Linux-PAM [apple.com] for authentication, so if you can get these cards working on Linux, the exact same procedure should work on your Macs. Further, any documentation [google.com] describing how to get these cards working on Linux should also apply to OSX.

No. It doesn't. (4, Informative)

netsrek (76063) | more than 10 years ago | (#9318541)

No, PAM isn't as pervasive in OS X as it can be under Linux.

You cannot authenticate from the loginwindow against PAM. Try it. You cannot authenticate against the AFP server.

This is a case of the left hand not knowing what the right hand is doing...

I believe this is because loginwindow consults SecurityServer
directly and PAM sits on top of SecurityServer.

Yes, it does. It may be broken, but it does use it (1)

babbage (61057) | more than 10 years ago | (#9319172)

Apple's implementation of Linux PAM may not be complete, but that doesn't change the fact that that's what they've been using since Panther came out. This isn't really a debatable point: all of Apple's documentation refers to Linux-PAM, the string 'linux' shows up 15 times in the pam manpage, etc. They got it from Linux.

If, as you say, they aren't using it pervasively, that's a different matter. Maybe by the time 10.4 comes out, the left & right hands at Apple will have had a nice little chat, and you'll finally be able to do a graphical login with PAM. In any case, the Linux version of PAM is available in OSX today, and (at least in some contexts) it can be used the same way it can be used on Linux.

Re:Yes, it does. It may be broken, but it does use (4, Informative)

netsrek (76063) | more than 10 years ago | (#9319727)

My point was that it doesn't actually use it for authentication in very many contexts. yes, it is the same PAM as we're used to under Linux, but my point was that your statement "OSX just uses Linux-PAM [apple.com] for authentication" is kind of misleading.

The majority of authentications under OS X that people actually use do not touch PAM.

Re:Yes, it does. It may be broken, but it does use (1)

babbage (61057) | more than 10 years ago | (#9321466)

Fair enough, but that's not what you said the first time around :-)

Re:Yes, it does. It may be broken, but it does use (0)

Anonymous Coward | more than 10 years ago | (#9331560)

It looks like exactly what he said the first time to me.

PCMCIA? (3, Interesting)

Drakino (10965) | more than 10 years ago | (#9317452)

I've been wanting to play with smart card authentication on my Powerbook, but would only consider implementing it on a permenant basis if it is a PCMCIA reader. That way, I don;t have to have some USB reader hanging off the laptop no matter where it goes.

Anyone seen a PCMCIA reader that follows the needed standard for OS X to use it?

Re:PCMCIA? (4, Informative)

Cthefuture (665326) | more than 10 years ago | (#9317835)

Currently these [musclecard.com] are the main drivers that I know of. There are some PCMCIA Linux drivers with source here [musclecard.com] if you're willing to do some porting work.

Even better than that are the USB smartcards (like the Schlumberger e-Gate series; Java and Cryptoflex). You can just plug the smartcard itself into the USB slot. PC/SC drivers exist for at least the Schlumberger cards but I don't know if they have been made publicly available (maybe they come with OS X now?). No reader required.

Re:PCMCIA? (1)

shekel (27635) | more than 10 years ago | (#9329510)

http://www.scmegastore.com/st_prod.html?p_prodid=6 5

Appears to be a PCMIA type-2 card reader.

They quote $60, less in bulk...

Not sure about mac drivers

Re:PCMCIA? (2, Informative)

PygmySurfer (442860) | more than 10 years ago | (#9324144)

SCM has a variety of readers [scmmicro.com] that work under OS X.

Along these lines ... (5, Interesting)

mpwoodward (194316) | more than 10 years ago | (#9318081)

Is there a way to emulate Windows Digital Certificate functionality on the Mac? I used to successfully use Netlock's VPN client software for OS X and a token (keychain LCD-type), but my company recently did away with the tokens and now uses a combination of the same client software we were using before + a Windows Digital Certificate. I think the answer is a short and simple "no" but I figured I'd ask since we're talking VPNs on the Mac.

Contivity? (3, Informative)

petard (117521) | more than 10 years ago | (#9320044)

According to Nortel's documentation they support X.509 certificates. That's probably what you mean by "emulate Windows Digital Certificate functionality" :-) Check with your documentation for how to configure certificate-based authentication. It's usually pretty easy.

Try IPSecuritas by Lobotomo (1)

samalone (707709) | more than 10 years ago | (#9329412)

Although my setup doesn't use digital certificates, I've had luck with IPSecuritas [lobotomo.com] by Lobotomo software for configuring VPN under Mac OS X. It's a free utility that simply configures Mac OS X's underlying Kame/Racoon implementation. It appears to have support for importing digital certificates for authentication.

--Stuart

Verizon VPN services? (2, Interesting)

sg3000 (87992) | more than 10 years ago | (#9318712)

Maybe this will spur on some other help ...

My company uses VPN services from Verizon in conjunction with an iPass software package and I think a Cisco VPN client. They provide the client software for Windows, but they refuse to provide anything for Mac OS X. Is there a way to get this to work under Mac OS X? That would be great if someone else has had experience with this.

Re:Verizon VPN services? (5, Informative)

Orpheus Liar (157914) | more than 10 years ago | (#9319613)

Odd that you've been told they'll provide no client as iPass makes an OSX client [ipass.com] and Cisco makes an OSX version of its VPN client [cisco.com] which I have running on my AlBook right now (I believe you must have an account with Cisco to get it from their site, but Google shows many hits with the download).

Most of it's already there. (5, Informative)

Cerebus (10185) | more than 10 years ago | (#9319119)

Apple SmartCard support is built with the DoD Common Access Card (CAC) in mind. To work with another PKI you'll need to make modifications.

Pather already includes the Apple Federal SmartCard Package, but you should download and read the docs from Apple Suport. It's essentially MUSCLE with tweaks. Enable it via 'sudo cac_setup' and disable it with 'sudo cac_setup -off'. The details are in /etc/authorization.cac.

Generally, the framework validates the private key on the card, then reads attributes from the card (by default, the DoD EDI-PI from the Demographics container) and maps this attribute against Open Directory accounts. It's pretty flexible, and it shouldn't take a lot of work to make it work with another PKI.

Re:Most of it's already there. (1)

cubuff (79451) | more than 10 years ago | (#9333784)

Has anyone successfully gotten access to a PKI-enabled DoD site using a CAC being read by a Mac? I have a PB running Panther but I have to find a PC everytime I need to surf to a DoD site. In fact I think I even have to use IE since April 1st as the Mozilla I have hasn't been handshaking correctly, but that could be that I don't have the latest version.

It would be ideal to just plug the ActivCard reader into my USB port, insert my CAC and use Safari to get to the site.

-DR

Re:Most of it's already there. (1)

Padrino121 (320846) | more than 10 years ago | (#9352380)

I currently use an ActivCard reader flashed with the SCM BIOS (since that's all it is anyway and Panther has a built in driver for it) and a CAC card without any issues.

Safari doesn't support authentication using PKI however I use Firefox as my browser and it works great with my CAC. Look in the FSCP doc to get a handle on how to setup Firefox to work. If you still have trouble drop me a line and I'll help you out.

Re:Most of it's already there. (0)

Anonymous Coward | more than 10 years ago | (#9369139)

I've been able to do it with the CAC card and Mozilla 1.6.

Does anyone know a way to get the CAC certificates into the Keychain?

VPN Support (4, Insightful)

bschottmi (605615) | more than 10 years ago | (#9319550)

Netlock, (recently acquired by Apani) has a full VPN product support got Nortel Contivity [apani.com] and Cisco [apani.com] that handle SecureID and other cards if you can't get the built in Panther VN support to work.

coupons and such (1)

bodrell (665409) | more than 10 years ago | (#9319650)

I've been wondering about the Smart Cards for awhile, since I'm supposed to be able to do nifty stuff with my Target Visa, like download coupons to the card. And I have a mostly useless American Express Blue, which would be great for online transactions if it worked with something other than Windows.

But even if the card readers work under OS X, don't most applications have software to install, too? Anybody have any experience with actually using a card/reader in practice, rather than just getting the reader to work? Rephrased: anyone able to write to the card as well as read it?

Re:coupons and such (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9373752)

Writing to a smart card usually involves some form of authentication. In the case of javacards (amex blue (i think), as well as ANZ visa cards here in Oz), you need to perform a symmetric key authentication, as per the GlobalPlatform (www.globalplatform.org) specification. This means you need to know the key that is on the card.

cheers.

Hey (-1, Flamebait)

phrasebook (740834) | more than 10 years ago | (#9321757)

How are all you bastards doing?

Virtual PC will work (1)

bdsesq (515351) | more than 10 years ago | (#9322648)

My company's VPN software does not support OSX. So I installed it on Windows running under virtual PC. It took some trial and error but it now connects over my wireless w/o problems.

I didn't use a smart card but there is no reason this approach won't work for you.

The reason virtual PC won't work (2, Informative)

petard (117521) | more than 10 years ago | (#9332366)

is that its USB support just isn't up to snuff.

The only smartcard readers you want to use with a mac recent enough to run Virtual PC well are USB readers, and I haven't had any luck getting them to work in any recent version of Virtual PC. I've had some luck with other USB devices, but for some reason, the (gemplus GemCore-based) readers I've tried have been non-starters.

The last version I tried was 6.0.something. I could occasionally get the driver to properly detect the reader, but never managed to get it to work with even the simplest test applications, let alone VPN support. I think the poster will have more luck with Mac native solutions, as OS X's smartcard support is actually decent.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>