
Setting up directory services for smart cards, Using the public key hash method – Apple Mac OS X v10.4 User Manual

Page 10


Chapter 2

Setting Up Your Smart Card

Setting Up Directory Services for Smart Cards

Smart card login looks up the expected user in a directory service to authenticate the
user's identity. It uses one of two methods:

• The public key hash method

Adds the hash of the card's public key (pubkeyhash) to the user's directory record. This
method uses Open Directory; by default the user record lives in the local NetInfo domain.

• The attribute lookup method

Searches the directory for a value matching a key taken from the email signing certificate
on the smart card. This method uses user accounts in an existing directory service. All U.S.
Federal Government smart card users use the attribute lookup method.

Using the Public Key Hash Method

This is the most convenient and secure way of identifying a smart card user. It uses
Open Directory, and by default the user record is stored in the local NetInfo domain. You
retrieve the hash of a key from the smart card and then bind that hash to the account, so
the account is tied to that specific key on that specific card.

After setting up the user account, you are ready to attach the smart card reader and
read the card identity information.

To read the smart card identity information:

1 Attach the smart card reader to the computer.

2 Insert the smart card into the card reader.

3 Open the Terminal application, located in the Utilities folder in the Applications folder.

4 To read the identity keys, or hashes, from the smart card, use the sc_auth command.
Entering the command in Terminal without any parameter displays a description of the
command's usage, for example:

$ sc_auth
Usage: sc_auth accept [-v] [-u user] [-k keyname]   # by key on inserted card(s)
       sc_auth accept [-v] [-u user] -h hash        # by known pubkey hash
       sc_auth remove [-v] [-u user]                # remove all public keys for this user
       sc_auth hash [-k keyname]                    # print hashes for keys on inserted card(s)

Enter the following command in Terminal:

sc_auth hash

Here is an example of the results:

$ sc_auth hash
01C2E294XP77B57B63B0A15B8F204C1 Identity Private Key
443F30C356E676F447CD4DCCED19737 Email Signing Private Key
4845564C1F8C6B372CE422933CF1FD1 Email Encryption Private Key

Not all cards have three private keys; a card may expose only one or two of the entries
shown above, and sc_auth hash -k keyname prints the hash for a single named key. In this
example, any of the hash entries listed could be used for binding the card to the account.
The following example uses the identity private key to bind the smart card to the user
account.
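The same procedure scripted end to end, as an added example written for this page (it is not the manual's own binding example and not Apple code): it reads the output of sc_auth hash, selects the hash whose label matches the key you want, checks that the value is hexadecimal before handing it to anything else, and binds it to a user record with sc_auth accept -h. The output format assumed (one key per line, hash first, then the key name) is the one in the sample above; the hash values in the embedded sample are constructed, and the user name, the DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Apple manual. Assumes `sc_auth hash` prints one
# key per line as "<hash> <key name>" (as in the manual's sample) and that the
# script runs with enough privilege for `sc_auth accept` to edit the user record.

# Constructed sample of `sc_auth hash` output; the hashes are made up.
SAMPLE_HASH_OUTPUT='0A1B2C3D4E5F60718293A4B5C6D7E8F9 Identity Private Key
1B2C3D4E5F60718293A4B5C6D7E8F90A Email Signing Private Key
2C3D4E5F60718293A4B5C6D7E8F90A1B Email Encryption Private Key'

# select_key_hash KEYNAME: read `sc_auth hash` output on stdin and print the
# hash whose label is exactly KEYNAME. Only a purely hexadecimal first field is
# accepted, so usage text or a garbled line is never mistaken for a hash.
# Exits 1 when the card carries no key with that name, so a card with fewer
# than three private keys fails loudly instead of binding the wrong key.
select_key_hash() {
    keyname=$1
    awk -v want="$keyname" '
        NF >= 2 {
            hash = $1
            line = $0
            sub(/^[ \t]+/, "", line)
            label = substr(line, length(hash) + 2)   # text after the hash
            sub(/^[ \t]+/, "", label)
            sub(/[ \t]+$/, "", label)
            if (hash ~ /^[0-9A-Fa-f]+$/ && label == want) {
                print hash
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

# bind_card_key USER KEYNAME: bind the named key on the inserted card to
# USER's account via `sc_auth accept -h`. With DRY_RUN=1 the command is
# printed instead of executed, which is how to review the hash before binding.
bind_card_key() {
    user=$1
    keyname=$2
    hash=$(sc_auth hash | select_key_hash "$keyname") || {
        echo "no key named '$keyname' found on the inserted card" >&2
        return 1
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sc_auth accept -v -u $user -h $hash"
    else
        sc_auth accept -v -u "$user" -h "$hash"
    fi
}
```

With the card in the reader, bind_card_key jsmith 'Identity Private Key' performs the binding; run it with DRY_RUN=1 first to see the exact sc_auth accept command and the hash it would use. Because the binding is by hash, the value printed in the dry run is the one that will later appear in the user's record, so it is worth comparing it with a second sc_auth hash run before committing.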