Smartcard Support for Panther?

poemofatic asks: "I use a Powerbook to connect to my work's VPN server. Recently, my sysadmin has been setting up smart card support for VPN authentication, and I'd like to know if anyone in the Slashdot crowd has managed to use smart cards on Panther to successfully connect to a Microsoft VPN server. Also, it'd be nice to hear if anyone has used either the Schlumberger or Gemplus cards successfully, and whether they've tried the USB tokens."

Smart Cards

[spamtrap]

Security is where you want to look.

There are smart card PC/SC links on that page that mention the kind of cards that should work.

Chuck

Apple smart card information

[daveschroeder]

Developer - Mac OS X Security

Apple Federal Smart Card Package Manual

"To use FSCP, you need the following:

A Macintosh computer with Mac OS X v10.2.3 installed
A Department of Defense Common Access Card issued since 2001
An SCM Microsystems SCR331 USB High Speed EMV Reader

You can also use one of these smart card readers, but you must download and install driver software from the manufacturer's website:

Gemplus GemPC430 USB Smart Card Reader
OMNIKEY CardMan Desktop USB 2020
Schlumberger Sema Reflex USB v.2 Reader or Reflex USB Lite Reader

Smart Card Services (PC/SC) SDK

"The PC/SC Workgroup is a collaborative effort of leading international personal computer and smart card companies, united to integrate their technologies under common standards. Apple is a Core Member of the PC/SC Workgroup along with Bull Personal Transaction Systems, Gemplus, Hewlett-Packard, Infineon, Intel, Microsoft, Schlumberger, Sun Microsystems and Toshiba.

PC/SC is a standard that builds upon existing industry smart card standards - ISO7816 and EMV - and complements them by defining low-level device interfaces and device-independent application APIs as well as resource management, to allow multiple applications to share smart card devices attached to a system.

The Smart Card Services SDK enables developers to write PC/SC-compliant applications and drivers on MacOSX starting with MacOSX 10.0.2.

The Smart Card Services SDK is available from Apple's Open Source repository. Access requires agreeing to the Apple Public Source License."

OSX just uses Linux-PAM for authentication

[babbage]

OSX just uses Linux-PAM for authentication, so if you can get these cards working on Linux, the exact same procedure should work on your Macs. Further, any documentation describing how to get these cards working on Linux should also apply to OSX.

PCMCIA?

[Drakino]

I've been wanting to play with smart card authentication on my Powerbook, but would only consider implementing it on a permenant basis if it is a PCMCIA reader. That way, I don;t have to have some USB reader hanging off the laptop no matter where it goes.

Anyone seen a PCMCIA reader that follows the needed standard for OS X to use it?

Re:PCMCIA?

[Cthefuture]

Currently these are the main drivers that I know of. There are some PCMCIA Linux drivers with source here if you're willing to do some porting work.

Even better than that are the USB smartcards (like the Schlumberger e-Gate series; Java and Cryptoflex). You can just plug the smartcard itself into the USB slot. PC/SC drivers exist for at least the Schlumberger cards but I don't know if they have been made publicly available (maybe they come with OS X now?). No reader required.

Re:PCMCIA?

[PygmySurfer]

SCM has a variety of readers that work under OS X.

Re:PCMCIA?

[shekel]

http://www.scmegastore.com/st_prod.html?p_prodid=6 5

Appears to be a PCMIA type-2 card reader.

They quote $60, less in bulk...

Not sure about mac drivers

Along these lines ...

[mpwoodward]

Is there a way to emulate Windows Digital Certificate functionality on the Mac? I used to successfully use Netlock's VPN client software for OS X and a token (keychain LCD-type), but my company recently did away with the tokens and now uses a combination of the same client software we were using before + a Windows Digital Certificate. I think the answer is a short and simple "no" but I figured I'd ask since we're talking VPNs on the Mac.

No. It doesn't.

[netsrek]

No, PAM isn't as pervasive in OS X as it can be under Linux.

You cannot authenticate from the loginwindow against PAM. Try it. You cannot authenticate against the AFP server.

This is a case of the left hand not knowing what the right hand is doing...

I believe this is because loginwindow consults SecurityServer
directly and PAM sits on top of SecurityServer.

Verizon VPN services?

[sg3000]

Maybe this will spur on some other help ...

My company uses VPN services from Verizon in conjunction with an iPass software package and I think a Cisco VPN client. They provide the client software for Windows, but they refuse to provide anything for Mac OS X. Is there a way to get this to work under Mac OS X? That would be great if someone else has had experience with this.

Re:Verizon VPN services?

[Orpheus+Liar]

Odd that you've been told they'll provide no client as iPass makes an OSX client and Cisco makes an OSX version of its VPN client which I have running on my AlBook right now (I believe you must have an account with Cisco to get it from their site, but Google shows many hits with the download).

Most of it's already there.

[Cerebus]

Apple SmartCard support is built with the DoD Common Access Card (CAC) in mind. To work with another PKI you'll need to make modifications.

Pather already includes the Apple Federal SmartCard Package, but you should download and read the docs from Apple Suport. It's essentially MUSCLE with tweaks. Enable it via 'sudo cac_setup' and disable it with 'sudo cac_setup -off'. The details are in /etc/authorization.cac.

Generally, the framework validates the private key on the card, then reads attributes from the card (by default, the DoD EDI-PI from the Demographics container) and maps this attribute against Open Directory accounts. It's pretty flexible, and it shouldn't take a lot of work to make it work with another PKI.

Re:Most of it's already there.

[cubuff]

Has anyone successfully gotten access to a PKI-enabled DoD site using a CAC being read by a Mac? I have a PB running Panther but I have to find a PC everytime I need to surf to a DoD site. In fact I think I even have to use IE since April 1st as the Mozilla I have hasn't been handshaking correctly, but that could be that I don't have the latest version.

It would be ideal to just plug the ActivCard reader into my USB port, insert my CAC and use Safari to get to the site.

-DR

Re:Most of it's already there.

[Padrino121]

I currently use an ActivCard reader flashed with the SCM BIOS (since that's all it is anyway and Panther has a built in driver for it) and a CAC card without any issues.

Safari doesn't support authentication using PKI however I use Firefox as my browser and it works great with my CAC. Look in the FSCP doc to get a handle on how to setup Firefox to work. If you still have trouble drop me a line and I'll help you out.

Re:Most of it's already there.

I've been able to do it with the CAC card and Mozilla 1.6.

Does anyone know a way to get the CAC certificates into the Keychain?

Yes, it does. It may be broken, but it does use it

[babbage]

Apple's implementation of Linux PAM may not be complete, but that doesn't change the fact that that's what they've been using since Panther came out. This isn't really a debatable point: all of Apple's documentation refers to Linux-PAM, the string 'linux' shows up 15 times in the pam manpage, etc. They got it from Linux.

If, as you say, they aren't using it pervasively, that's a different matter. Maybe by the time 10.4 comes out, the left & right hands at Apple will have had a nice little chat, and you'll finally be able to do a graphical login with PAM. In any case, the Linux version of PAM is available in OSX today, and (at least in some contexts) it can be used the same way it can be used on Linux.

VPN Support

[bschottmi]

Netlock, (recently acquired by Apani) has a full VPN product support got Nortel Contivity and Cisco that handle SecureID and other cards if you can't get the built in Panther VN support to work.

coupons and such

[bodrell]

I've been wondering about the Smart Cards for awhile, since I'm supposed to be able to do nifty stuff with my Target Visa, like download coupons to the card. And I have a mostly useless American Express Blue, which would be great for online transactions if it worked with something other than Windows.

But even if the card readers work under OS X, don't most applications have software to install, too? Anybody have any experience with actually using a card/reader in practice, rather than just getting the reader to work? Rephrased: anyone able to write to the card as well as read it?

Re:coupons and such

Writing to a smart card usually involves some form of authentication. In the case of javacards (amex blue (i think), as well as ANZ visa cards here in Oz), you need to perform a symmetric key authentication, as per the GlobalPlatform (www.globalplatform.org) specification. This means you need to know the key that is on the card.

cheers.

Re:Yes, it does. It may be broken, but it does use

[netsrek]

My point was that it doesn't actually use it for authentication in very many contexts. yes, it is the same PAM as we're used to under Linux, but my point was that your statement "OSX just uses Linux-PAM [apple.com] for authentication" is kind of misleading.

The majority of authentications under OS X that people actually use do not touch PAM.

Contivity?

[petard]

According to Nortel's documentation they support X.509 certificates. That's probably what you mean by "emulate Windows Digital Certificate functionality" :-) Check with your documentation for how to configure certificate-based authentication. It's usually pretty easy.

Re:Yes, it does. It may be broken, but it does use

[babbage]

Fair enough, but that's not what you said the first time around :-)

Virtual PC will work

[bdsesq]

My company's VPN software does not support OSX. So I installed it on Windows running under virtual PC. It took some trial and error but it now connects over my wireless w/o problems.

I didn't use a smart card but there is no reason this approach won't work for you.

Try IPSecuritas by Lobotomo

[samalone]

Although my setup doesn't use digital certificates, I've had luck with IPSecuritas by Lobotomo software for configuring VPN under Mac OS X. It's a free utility that simply configures Mac OS X's underlying Kame/Racoon implementation. It appears to have support for importing digital certificates for authentication.

--Stuart

Re:Yes, it does. It may be broken, but it does use

It looks like exactly what he said the first time to me.

The reason virtual PC won't work

[petard]

is that its USB support just isn't up to snuff.

The only smartcard readers you want to use with a mac recent enough to run Virtual PC well are USB readers, and I haven't had any luck getting them to work in any recent version of Virtual PC. I've had some luck with other USB devices, but for some reason, the (gemplus GemCore-based) readers I've tried have been non-starters.

The last version I tried was 6.0.something. I could occasionally get the driver to properly detect the reader, but never managed to get it to work with even the simplest test applications, let alone VPN support. I think the poster will have more luck with Mac native solutions, as OS X's smartcard support is actually decent.