On Mar 24, 2009, at 8:25 AM, Martin Paljak wrote:

> 1. According to the log and my testing, the cosmetic "show locked
> icon" code is never called on 10.5.6. The lock icon has no practical
> meaning (except for authenticating the first PIN once when clicked).
> So it remains "locked" for now.

I can believe that. It would explain why it only prompts for the PIN the first time you click on it.

> 2. What happens with login is something I don't know and have never
> tested. I've never made a "tick" somewhere to use my token for OS X
> login, but I know that if my token is inserted when I reboot the
> machine, apparently my password is sent to the card until I remove my
> card. If you know how the apple login thing works, please share your
> knowledge here or on the SCA wiki (which apparently talks about 10.4
> only).

This is for Leopard. It's more complex for Tiger, but still possible. I'm under NDA for Snow Leopard, but it isn't intended to be much different AFAIK. ;-)

sc_auth hash
<<printout including a hash value for the certificate on the card>>
sudo sc_auth accept -u $USER -h <<copy of hash from last command>>

Now when you're at the loginwindow prompt if you put your card in, it will decide what user you are logging in as and prompt for a PIN instead of a Password. The results are "undefined" if you have multiple users with the same hash value, unfortunately.

The hash value, BTW, is just the subject key identifier extension field in the cert. It's computed by the CA, you don't compute it yourself. (Only guaranteed to be unique for a single CA.) sc_auth is just a script layered on top of "dscl" and "security" if you feel like looking at such things.

> If you want to debug OpenSC, set debug to 9 in /Library/OpenSC/etc/
> opensc.conf and uncomment log and error file locations and send the
> resulting files to the list. -1303 is "SC_ERROR_BUFFER_TOO_SMALL"
> which is probably because OpenSC.tokend has only knowledge of 1024b
> keys. AFAIK none of the official Tokend implementations (according to
> the latest published source code from Apple) use 2048 keys. I can look
> into this.

That would make sense, since I gather 2048-bit keys are uncommon.

Here are the logs for: open loginwindow, insert card, type PIN, (fail), card removal, password login.

Attachment: opensc-logs.tar.gz

If you give me a hint, I'll try building under Leopard and look at the source. The WIKI (down last night) only describes building under Tiger. I have darwinbuild and friends installed.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu
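A check for the caveat above (loginwindow behaviour is undefined when several accounts are mapped to the same card hash), added here as an example and not part of the thread. It assumes, as the sc_auth script does, that an accepted hash is stored as ";pubkeyhash;HASH" in each user's AuthenticationAuthority record (readable with dscl), and it runs on constructed sample records so it needs no dscl to try out:

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: "sc_auth accept -u USER -h HASH"
# appends ";pubkeyhash;HASH" to the user's AuthenticationAuthority attribute, which
# "dscl . -read /Users/USER AuthenticationAuthority" prints back.

# Constructed sample records, one per line: "user <AuthenticationAuthority value>".
# The hashes are placeholders, not real subject key identifiers.
SAMPLE='alice ;ShadowHash; ;pubkeyhash;AAAA1111BBBB2222
bob ;ShadowHash; ;pubkeyhash;CCCC3333DDDD4444
carol ;ShadowHash; ;pubkeyhash;AAAA1111BBBB2222
dave ;ShadowHash;'

# Reads records on stdin and prints "HASH user1 user2 ..." for every hash that is
# mapped to more than one account. Any output line is a finding: inserting that
# card at the loginwindow would pick one of those users unpredictably.
find_duplicate_pubkeyhash() {
    awk '
        {
            for (i = 2; i <= NF; i++)
                if (match($i, /pubkeyhash;[^;]+/)) {
                    h = substr($i, RSTART + 11, RLENGTH - 11)   # strip "pubkeyhash;"
                    users[h] = users[h] " " $1
                }
        }
        END {
            for (h in users)
                if (split(users[h], u, " ") > 1) print h users[h]
        }'
}

# On a real Leopard box, build the same input from the local directory service.
# (Requires dscl; the attribute name prefix it prints is ignored by the parser.)
collect_live() {
    dscl . -list /Users | while read -r u; do
        printf '%s %s\n' "$u" \
            "$(dscl . -read "/Users/$u" AuthenticationAuthority 2>/dev/null | tr '\n' ' ')"
    done
}

# Run against the constructed sample; on a live system use:
#   collect_live | find_duplicate_pubkeyhash
printf '%s\n' "$SAMPLE" | find_duplicate_pubkeyhash
```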

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel