Mac OS X versions 10.4 Tiger through 10.6 Snow Leopard can allow local user accounts to be secured by a smart card. However, you may need to change your configuration to enable this functionality.

Warning: Following these instructions to lock an account utilizing FileVault may cause your data to become inaccessible, and is not in accordance with the intended purpose of this note.

Locking the Account

To lock an account in Mac using a GoldKey, you will need to obtain a certificate. Self-signed certificates can also be used.

Note: To use the GoldKey smart card to log into an account in Mac OS X, you must have a certificate in the first slot.

Once a certificate has been obtained and loaded onto your GoldKey, open the Terminal application from within Applications / Utilities. Then, run the following commands. You will be prompted for the credentials of a user who can administer the Mac.

   sudo -s
   sc_auth hash

This will show you a list of certificates found on your GoldKey. If the certificate is in the first certificate slot, the output will be something like this:

5787108E7ECA2BC080C6AA1AA742AB3EDCF707A3 PIV Authentication Key

Next, you will need to use the hash shown in the output of the command listed above to accept certificate-based login to the account. For example, to allow the certificate seen above to authenticate as the user “john”, the following command would be used:

   sc_auth accept -u john -h 5787108E7ECA2BC080C6AA1AA742AB3EDCF707A3

For versions of OS X before 10.6, you will also need to follow the instructions in the section labeled “Enabling Smart Card Login” below. For OS X 10.6, you will be able to log into your account with GoldKey after this command has been run.

Refer to Apple’s Smart Card Setup Guide for more information.

Enabling Smart Card Login (before OS X v10.6)

For versions of Mac OS X before 10.6, you will need to enable smart card services. Before these changes are made, the operating system will not check for the presence of a smart card during the login sequence.

To enable smart card login to your Mac, open the Terminal application from within Applications / Utilities, and run the following commands. You will be prompted for the credentials of a user who can administer the Mac.

   sudo -s
   cp /etc/authorization /etc/authorization.orig
   cp /etc/authorization /tmp/

Then, follow these steps:

  • Open /tmp/authorization with a text editor or property editor.
  • Find the “system.login.console” dictionary inside of “rights”. You will need to make the following modifications to the items listed in “mechanisms”:
    1. Add <string>builtin:smartcard-sniffer,privileged</string> after <string>builtin:auto-login,privileged</string>.
    2. Delete <string>authinternal</string>.
    3. Add <string>builtin:authenticate,privileged</string> after <string>builtin:reset-password,privileged</string>.
  • Find the “authenticate” dictionary from within “rules”. You will need to make the following changes to “mechanisms”:
    1. Add <string>builtin:smartcard-sniffer,privileged</string> as the first item.
    2. Delete <string>authinternal</string>.
    3. Add <string>builtin:authenticate,privileged</string> after <string>builtin:authenticate</string>
  • Save your changes, and then apply the changes by entering the following command in the Terminal application:

   cp /tmp/authorization /etc/

For more information regarding the process of configuring a Mac for smart card login, please refer to Apple’s Smart Card Setup Guide.