I'd like to enable logging into OS X Yosemite with certificates. This should allow 3 functionalities that I'm not sure that Yubico-PAM gives (correct me if I'm wrong):
- Bind multiple certificates to a single username.
- Automatically detect if the certificate is present, otherwise allow password login (which I can keep backed up elsewhere in case I need it.)
- Require a PIN along with the NEO
Below are the steps I took to try and set this up. But here is the fundamental problem/question:
When I insert the NEO, the Password input box flashes, but continues to only accept my password. Any ideas how to fix this? With traditional smartcards, when you insert the smartcard, the Password input box switches and asks for a PIN instead. My guess is that the CCID aspect of the NEO isn't behaving like a traditional smartcard, so Yosemite isn't responding appropriately by requesting a PIN. Maybe there is a different security authorizationdb attribute than the one I used below ("smartcard")?
Thanks for your help!
~~~~~
I've installed OpenSC 0.15.0, inserted my NEO with the certificate I want installed on slot 9a, and tried the following commands, which work with traditional smartcards:
$ sudo security authorizationdb smartcard enable
$ sudo sc_auth accept -u my_username -h my_key_hash
I can verify that the settings are correct with these commands:
$ sudo security authorizationdb smartcard status
Current smartcard login state: enabled (system.login.console enabled, authentication rule enabled)
YES (0)
$ sc_auth hash -k
my_key_hash PIV AUTH key
$ sc_auth list -u my_username
my_key_hash