
10.3: See some of the hidden Access Card features System
For those of you who are curious about seeing some of the hidden government-specific capacities of your Mac, run cac_setup from the terminal as root (preface it with sudo, in other words). Then user-switch over to the login window. You'll see some of the hidden bits where you can log in with a government access card reader. You can get back to being yourself through the "Other" user selection -- but you are first shown the standard DoD disclaimer that I see every day on Windows. Pretty neat.

When you're done, run cac_setup -off, again as root.

[robg adds: Wow, the DoD disclaimer is very thorough -- I was going to post a screenshot of it, too, but it's just too long!]

33 comments
10.3: See some of the hidden Access Card features
Authored by: sierratarn on Nov 12, '03 11:48:34AM
Apple has a PDF Document that tells much more about configuring and using the CAC services in OS X 10.2.3 and later.

[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: msk on Nov 13, '03 09:47:56AM

Unfortunately the only things that work are logging in and changing system preferences (screen saver also I assume). The PDF file details how to use Mozilla with the certificate on the Common Access Card but unfortunately it does not work, at least in my configuration of Mac OS X 10.3.1 and Mozilla 1.5 (Netscape 7.1 has the same problem). Basically there is a step where you select the pkcs11.shlb file and it fails (page 8).

The idea is for signing email that having a software certificate only means the email was sent from your computer, not that you necessarily sent the email. Panther's filevault increases software certificate security but not everyone is ready to use that. With PGP you could keep your keys on a floppy in the old days and now you probably could keep the keys and the programs on a USB module.

These smartcards would be really useful for University computer labs where username/password pairs are pretty risky but requiring a physical card and its PIN number would make sure the user is really the user.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: derPlau on Nov 12, '03 12:59:49PM

That's pretty cool. But I wonder how much of a standard install (and, by extension, how much disk space) is taken up by these types of things that are so clearly devoted to a very specific subset of users? Seems like a bit of a waste, really.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: aranor on Nov 12, '03 09:11:14PM

Erm, you *could* have chosen not to install it in a custom install, I believe.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: msk on Nov 13, '03 09:35:39AM

In contrast I wanted to install it and couldn't find it in the custom install, instead I manually installed it from the package on CD#3. Was it already installed by the standard custom choices? I don't know.

Side note: version 1.0 of this software is available for order on the Apple Store but they fail to mention that that package is for Mac OS 10.2 and crashes 10.3 -- of course I ordered 10.3 and the v 1.0 software on the same order.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: msk on Nov 13, '03 09:56:52AM

And in OS X 10.2 all that wasted space for those languages and fonts that I didn't need. All that space for those tiny markets just so it would be convenient for them.

Basically if you are a power user you know what files and directories to delete, the word in this thread is that virtually everything related to CAC is in one directory. You needed a really fancy script to clean up the extra language files in 10.2 and every third party program has its own stack of language files.

All this is assuming that a standard install installs the CAC files, I have not confirmed that, I've done five custom installs (on four computers) and there was no choice for installing or not installing the CAC files, so I manually installed them on one computer. I'll check the other three computers and see how much wasted space this amounts to.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: unforeseen:X11 on Nov 12, '03 01:36:25PM

there is the "old" blue Apple, not the new Chrome one...

...just to mention. =)



[ Reply to This | # ]
Small warning: restart if you "go back" after DOD message
Authored by: zacht on Nov 12, '03 02:59:40PM

If you activate this CAC thing, go to the login window, click "Other", OK the DOD warning, and then click "Go Back"... then it restarts. Immediately.

zach



[ Reply to This | # ]
Small warning: restart if you "go back" after DOD message
Authored by: kanecorp on Nov 12, '03 09:18:34PM

that doesn't happen to me!



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: Linnwood on Nov 12, '03 04:52:36PM

Great Tip! But does anyone know how to turn on the DoD department and branch logos?



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: msk on Nov 13, '03 09:59:06AM

Good question, I keep hearing about the logos, I got a SCR331 reader, I got a card and no logos. What gives. Looks like a half baked muffin to me.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: deej5871 on Jun 11, '04 07:58:38PM
I've done it but it involves messing with the .nib for the CAC login window and changing the image inside the SecurityAgent package, which is in CoreServices (specifically, loginpanel.tiff).

Proof: Screenie

That DoD logo is the one straight from /System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/

Oh yeah.. This is working on 10.3.4.

[ Reply to This | # ]

10.3: See some of the hidden Access Card features
Authored by: ibroughton on Jul 02, '04 06:54:39AM

That looks good, but has anyone actually managed to get this to work with a generic USB key? I know SBODGER was working on something some time ago, but there are no updates :-(

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
Portions of this are editable
Authored by: thinmac on Nov 12, '03 08:20:52PM

Just for fun, most of this stuff is editable by the root user. As near as I can tell (I haven't really done much with it yet), all the files for this are in the /System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/ directory.

Most of it is tiffs of the seals of the various armed forces and the DoD, but if you then look in Contents/Resources/English.lproj/login.nib/objects.nib, and do a search for DoD or something equivalent, you'll find that disclaimer message.

Anyway, it looks like fun stuff to play with. And, to answer the question from above, it looks like this stuff is taking up 2536K, which may or may not be an egregious waste of disk space depending on your point of view.



[ Reply to This | # ]
Portions of this are editable
Authored by: kanecorp on Nov 12, '03 09:17:25PM

do you know how to enable these logos so they show up?



[ Reply to This | # ]
Portions of this are editable
Authored by: encro on Nov 14, '03 09:18:08AM
Close but not quite correct ;-) The CAC login screen uses this bundle:

/System/Library/CoreServices/SecurityAgent.app
Within that bundle you can change the following images to something like a defence logo if you like...

/Contents/Resources/loginpanel.tiff
/Contents/Resources/MacOSXart.tif
The defence logos need to be scaled smaller so that the logo doesn't appear cropped (in a box). They can also be of .png or .gif types. I guess that those with Common Access Card based systems would have a method of using the logo at the right size without modifying its size. Oh, and always backup before you tamper with system resources.

[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: g3cko on Nov 12, '03 09:07:02PM

What kinda cards do these things use? would usb sticks work? i know there's a pam module for linux that lets you authenticate using them......



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: marmoset on Nov 13, '03 08:31:41AM

PCMCIA cards, IIRC (it's been a few years)



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: richard_k_smith on Nov 13, '03 10:01:58AM
I found a couple of pages with information on the CAC:

An October news announcement, with pictures of a card reader hooked to a computer: defenselink

A brochure, intended for people getting a card for the first time: navy.mil

[ Reply to This | # ]

10.3: See some of the hidden Access Card features
Authored by: msk on Nov 13, '03 10:19:04AM

I've been told standard smartcards, the Linux guru says something about "MUSCLE" cards. Check out the ActivCard and Schlumberger websites with regards to smartcards. Of course the Apple CAC package is geared toward DoD programmed smartcards but I've been told that they didn't test using DoD CAC cards which is why things don't work for DoD CACs. So clearly there are non-DoD cards that will work, these would be great for school and college labs.



[ Reply to This | # ]
PCMCIA smart card reader for OS X?
Authored by: Drakino on Nov 13, '03 11:18:24AM

I'd love to have smart card authentication on my Powerbook, but so far I can only find USB smart card readers with OS X support. Anyone know of a PCMCIA version, as this would be much more convenient, since I could just leave the reader in the PCMCIA slot all the time instead of having to carry a USB reader with the laptop.



[ Reply to This | # ]
PCMCIA smart card reader for OS X?
Authored by: sozepiggytails on Nov 14, '03 12:35:00AM

I've seen them on eBay, but I haven't heard of any OS X drivers available for them. IBM sells a 'personal security kit' for laptops, that should be the one to look at.

---
____ _______
duty now for the future!



[ Reply to This | # ]
PCMCIA smart card reader for OS X?
Authored by: scottis24 on Jan 21, '04 12:11:56PM

Here's the deal on the PCMCIA readers,
According to Activcard and Cryptocard, the PCMCIA readers will not work in Mac OS X due to the architecture or something (BS Sales person answer).

Weirdly enough because when I plug in my DOD supplied activcard PCMCIA reader in my Powerbook it shows up in the bar as a PSCR (Personal Smart Card Reader). According to the documentation from Apple (FSCP Install guide) supported readers are only usb. The old FCSP packages for jaguar have been built in to Panther much in the same way as x11 has. I will have one of these supported usb readers tomorrow and will let you all know what happens.

The DOD common access card is a gov issued ID card based on a schlumberger 32k v2 card. The DOD is using these for all sorts of things from building access to PC login.

FWIW



[ Reply to This | # ]
PCMCIA smart card reader for OS X?
Authored by: DeepTrance on Jul 28, '04 02:29:58PM

My company has provided PCMCIA SmartCard drivers and Apple is evaluating it at the moment. It works with our own silicon - SCM's SCR24X series. The drivers are available at our website www.scmmicro.com.



[ Reply to This | # ]
PCMCIA smart card reader for OS X?
Authored by: ibroughton on Jul 29, '04 12:16:45PM

Still no sign of a driver that will work with a generic USB key though?

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
Login Screen?
Authored by: Thom on Nov 13, '03 01:03:47PM

In Panther (or Jaguar for that matter), is there a way that I can force users to acknowledge a 'you are subject to policies blah blah' dialog box?

I'm getting that question from our policy group and noticed that this hint seems to contain some of that 'correct usage' stuff, not just authing with a smartcard...

Thanks!



[ Reply to This | # ]
Login Screen?
Authored by: Hes Nikke on Nov 14, '03 02:15:10AM
this hint goes over that :)

---
vacuums do not suck. they merely provide an absence that allows other objects to take the place of what becomes absent.

[ Reply to This | # ]

10.3: See some of the hidden Access Card features
Authored by: sboger on Nov 14, '03 07:40:52AM

to answer a few other comments.

first, im a hardcore unix user, so i have a different perspective on all this. It looks like panther does use PAM to authenticate. that means we should be able to plug in modules.

i have downloaded the nifty linux pam_usb module that allows a user to login simply by inserting a usb drive... i have passed several compile hurdles, but am still stuck on a few others.

if this compiles, i see no reason why we couldn't use this on panther for true usb authentication.

if anyone has solid C coding experience and wants to help port this, please email me. Specifically, I am seeing errors in the mount() function.

Thank you,
Steven Boger
Red Hat Certified Engineer, [RHCE]
Unix Geek, [GEEK]
sboger@hotmail.com



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: ibroughton on Jan 03, '04 12:20:40PM

Any updates as to the viability of this being available soon? I would love USB Key authentication on my Mac!

---
--
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: zerografix on Jul 26, '04 01:38:20PM

I second that.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: ibroughton on May 02, '05 12:45:17PM

So much water has passed under the bridge since this article was written. Has anyone had any success with USB key login authentication? I still like the idea, but don't fancy shelling out $130 for a securikey!

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: MJAIII on Nov 24, '03 02:40:45PM

I'm guessing this wasn't implemented in Jaguar?

It doesn't work under Jaguar, but that was mentioned. Maybe I'll snoop around the CDs for awhile and see what I can find.



[ Reply to This | # ]
10.3: See some of the hidden Access Card features
Authored by: nagualito on Nov 03, '05 12:43:25AM

Well, that's cute...I am now locked out of my admin account and I can only login to a test user account (non-admin). I have tried everything that I could find to get back including resetting my password via install disk. All I can get is a cac login and my user name/password is not accepted.

Any ideas? (and yes, I have tried OF, PRAM, install disk and just about everything else I could find).

Nagualito -



[ Reply to This | # ]