Earlier I documented how to use a Finnish government-issued ID card (FINeID) for SSH authentication. As my vacation ended and I had to dig the smart card reader out to SSH to a machine, I remembered that I never quite figured out how to get login authentication to work with the same card. It took a bit of detective work but it turns out the basic steps are not that complicated. I will only cover the most basic set-up, where you pair one specific smart card with a local account on your computer using the card's public key. It's possible to have a more sophisticated setup for larger organisations.
First, check my previous post and follow the instructions for how to set up OpenSC, and verify using pkcs15-tool -k that your card reader and card are working properly.
Then, if you have Apple IDs associated with your user account, you need to work around a bug in authorizationhost: in System Preferences, go to Users & Groups and select the user you're setting up for smart card login. Remove all associated Apple ID accounts by clicking on the "Change…" button next to "Apple ID:" and deleting any entries from the list. Failure to do so may make it impossible to unlock the screen and unlock System Preferences panes. You can also manually do this with Directory Utility by removing all entries except the one containing the username from the user's RecordName property in the Users directory.
Once that is done, run the following to enable smart card support for logins:
sudo security authorizationdb smartcard enable
Make sure the card is inserted, and list the public key hashes using the OS X built-in command sc_auth:
sc_auth hash
It should output a list similar to this, but with slightly more random hashes:
01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
06DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key
Again, it's the todentamis- ja salausavain we're interested in. Now use sc_auth to associate that public key with a user account:
sudo sc_auth accept -u USERNAME -h 01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF
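Picking the hash by eye makes it easy to pair the wrong key (for example the signature key) with the account. The following is an added example, not from the original post: it reads sc_auth hash output, accepts only an exact and unique match for the authentication key label, and prints the sc_auth accept command for review. The function names and the 40-hex-digit check are assumptions based on the sample listing above.

```shell
#!/bin/sh
# Added example: pick the key hash to pair with an account from `sc_auth hash` output.
# AUTH_LABEL is the FINeID authentication key label shown on this page.
AUTH_LABEL='todentamis- ja salausavain'

# pick_auth_hash LABEL   (reads `sc_auth hash` output on stdin)
# Prints the single hash whose label equals LABEL exactly.
# Exit 1: label not found. Exit 2: label listed more than once.
# Exit 3: hash is not 40 hex digits (assumed format, as in the sample listing).
pick_auth_hash() {
    awk -v want="$1" '
        {
            hash = $1
            label = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", label)   # drop the hash column
            sub(/[ \t\r]+$/, "", label)               # drop trailing blanks
            if (label != want) next
            if (length(hash) != 40 || hash !~ /^[0-9A-Fa-f]+$/) { bad = 1; next }
            found[++n] = hash
        }
        END {
            if (bad)    { print "malformed hash for label: " want > "/dev/stderr"; exit 3 }
            if (n == 0) { print "label not found: " want > "/dev/stderr"; exit 1 }
            if (n > 1)  { print "label is ambiguous: " want > "/dev/stderr"; exit 2 }
            print toupper(found[1])
        }'
}

# accept_command USER   (reads `sc_auth hash` output on stdin)
# Prints the pairing command for review instead of running it.
accept_command() {
    user=$1
    key_hash=$(pick_auth_hash "$AUTH_LABEL") || return
    printf 'sudo sc_auth accept -u %s -h %s\n' "$user" "$key_hash"
}

# Constructed sample, using the placeholder hashes from the listing above.
SAMPLE_OUTPUT='01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault'

# Demo on the constructed sample; on the Mac itself: sc_auth hash | accept_command USERNAME
printf '%s\n' "$SAMPLE_OUTPUT" | accept_command USERNAME
```
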
This should be it - when the smart card is initialised, the corresponding user will automatically be selected in the login screen, and instead of prompting for a password it will prompt you for the card's PIN. Note that typically the card PIN defaults to a 4-digit number but it can be changed to (in the case of a FINeID card) any 4-8 character alphanumeric string using e.g. pkcs15-tool --change-pin. For other cards you can inspect the PIN code constraints using pkcs15-tool --list-pins.
When logging in using a smart card rather than a password, OS X will not be able to unlock your login keychain, as it is by default encrypted using your login password. You can choose to either manually unlock the keychain or change the keychain to use your smart card for unlocking rather than a password.
If you have FileVault full disk encryption enabled (and you should) OS X will automatically log you in using the password supplied at the FileVault login screen. If you have followed the instructions above, your account will still have a valid password (it's possible to disable password login entirely by deleting the "ShadowHash" entry in the AuthenticationAuthority record of your user account using Directory Utility - note that this will also effectively disable sudo for that user) and you will be automatically logged in, but the system will not be able to unlock your keychain with that password. To prevent automatic login with FileVault, you can run:
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
More information in HT5989.
If you know French, this blog post contains some more details on configuring smart card authentication on Mavericks.