Smartcard account on Mac

WORK IN PROGRESS — This procedure is not working yet — Use at your own risk!

I have a Mac (OS X 10.5) and use a smart card. I wanted to use the smart card to access the Mac. I have gotten different parts to work at different times, but I think I finally have it. I wanted three things from the smart card: login, keychain, and FileVault (FV). The basis for this is a great write-up from AppleMacGeniusVille: http://www.applemacgeniusville.com/2009/09/15/enabling-cac-login-and-creating-filevault-cac-user/ But there were a couple of problems that I had:

  1. It did not cover moving an existing FV account.
  2. I could not get into the new FV account without the smart card. (What happens when the chip goes bad...)

Conventions:

  • user = username for working user account
  • # = command prompt as root (sudo su -)
  • $ = command prompt as user

So here goes:

  1. MAKE A COMPLETE BACKUP
  2. clean up old account (get rid of big / unused files)
  3. login with an admin account that is not the one you are moving.
  4. open terminal & sudo su -
  5. save the original FV account
    1. # mkdir /Users/user.save
    2. # mv /Users/user/user.sparsebundle /Users/user.save/
  6. Remove the account (GUI Tool: System Preferences->Accounts)
  7. Remove any old smart card info from the account (sc_auth edits the account's directory record):
    1. # sc_auth remove -u user
  8. make sure that the FV Master password is set; if you have already used FV then it should be. (GUI Tool: System Preferences->Security->FileVault)
  9. Create a new FV User with tokenadmin
    1. # tokenadmin create-fv-user -u user -l "Long User Name" -p tempPassword
  10. change the password on the new sparse image. This adds a user-level password to the FV (sparse) image; this should be the same password as the OLD user. It will use the smart card to authenticate and then reads the new password from stdin (it also changed the NEW user password for me). Note the path: the new image lives inside the new home directory.
    1. # hdiutil chpass -newstdinpass /Users/user/user.sparsebundle
  11. Mount the (new) FV User image
    1. # hdiutil attach /Users/user/user.sparsebundle
  12. If you want to change the format of the sparsebundle, now is the time. (I wanted this to be case-sensitive, while my OS disk is not - turns out that this REALLY is a pain - wasted a lot of time here!!!)*
    1. Open Disk Utility select the user.sparsebundle for the NEW user
    2. Select Partition
    3. Select Volume Scheme: 1 Partition
    4. Click Options & Select GUID Partition Table (If you choose Apple Partition Map here, Disk Utility creates a small extra partition that is invisible in most places but breaks FileVault)
    5. Set the name to your short username (example: user)
    6. Select the Format; for me: Mac OS Extended (Case-sensitive, Journaled)
    7. Click Apply & confirm by clicking: Partition
  13. Mount the OLD FV user
    1. # hdiutil attach /Users/user.save/user.sparsebundle
  14. Make links to identify the old and new
    1. # cd /Volumes
    2. # ln -s user new
    3. # ln -s "user 1" old    (OS X mounts the second volume named "user" as "user 1"; which image gets which name depends on attach order)
    4. Verify new is the new FV directory and old is the one with the data that needs to be saved. If not fix these links.
  15. Copy the files from the old to the new
    1. # cd /Volumes
    2. # rsync -av old/ new/    (with Apple's rsync, add -E so resource forks and extended attributes are copied too; plain -a skips them)
  16. remove the links
    1. # cd /Volumes
    2. # rm new old
  17. unmount the old sparse bundle (detach by its mount point, not by the directory the bundle sits in)
    1. # hdiutil detach "/Volumes/user 1"
  18. set the login keychain to unlock with smartcard:
    1. # systemkeychain -T /Volumes/user/Library/Keychains/login.keychain    (the directory is Keychains with a capital K; on a case-sensitive volume the lowercase spelling does not exist)
  19. unmount the new sparse bundle
    1. # hdiutil detach /Volumes/user
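
The procedure from step 9 on, written out as one script. This is an added example, not code from the original page or from the AppleMacGeniusVille write-up, and it goes a little beyond the steps: instead of trusting that the old image mounts as "user 1" it picks the more populated volume as the old one, it detaches the images by mount point, and it looks the login keychain up under the correctly cased Library/Keychains, which matters once the new volume is case-sensitive. The DRY_RUN variable, the file-count heuristic and the helper names (run, file_count, pick_old, login_keychain, volume_is_case_sensitive) are my own; tokenadmin, hdiutil and systemkeychain are invoked with the page's arguments, and rsync's -E is Apple's flag for extended attributes and resource forks.

```shell
#!/bin/sh
# Added example, not the original page's code: steps 9 to 19 above as one script.
# Assumptions: $1 is the short name, $2 the long name, the OLD image is already
# saved as /Users/$1.save/$1.sparsebundle (steps 5-8 and the Disk Utility step
# stay manual), and the FileVault master password is set. DRY_RUN=1 (default)
# only prints the root commands; DRY_RUN=0 executes them, as root, on the Mac.
set -eu

USER_NAME="${1:-user}"
LONG_NAME="${2:-Long User Name}"
TEMP_PW="${TEMP_PW:-tempPassword}"        # placeholder, as on the page
DRY_RUN="${DRY_RUN:-1}"

run() {                                   # echo every command with the page's "#" prompt
  printf '# %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step 14's "verify new is the new FV directory": OS X mounts the second volume
# named "user" as "user 1", but which image got which name depends on attach
# order, so count regular files instead. The fresh tokenadmin home holds only the
# user template; the one being migrated holds the real data (heuristic, mine).
file_count() { find "$1" -type f 2>/dev/null | wc -l | tr -d ' '; }

pick_old() {                              # print the better-populated of two mount points
  if [ "$(file_count "$1")" -ge "$(file_count "$2")" ]; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "$2"
  fi
}

# Step 12 makes the new volume case-sensitive; the keychain directory is really
# Library/Keychains, and a lowercase spelling would not exist there.
volume_is_case_sensitive() {
  probe="$1/.CaseProbe.$$"
  : > "$probe"
  rc=0
  [ -e "$1/.caseprobe.$$" ] && rc=1      # visible under another case: insensitive
  rm -f "$probe"
  return $rc
}

login_keychain() {                        # exact-case path, or failure if it is missing
  kc="$1/Library/Keychains/login.keychain"
  [ -f "$kc" ] || return 1
  printf '%s\n' "$kc"
}

migrate() {
  old_bundle="/Users/${USER_NAME}.save/${USER_NAME}.sparsebundle"
  new_bundle="/Users/${USER_NAME}/${USER_NAME}.sparsebundle"
  new_vol="/Volumes/${USER_NAME}"
  old_vol="/Volumes/${USER_NAME} 1"

  run tokenadmin create-fv-user -u "$USER_NAME" -l "$LONG_NAME" -p "$TEMP_PW"
  run hdiutil chpass -newstdinpass "$new_bundle"   # reads the new password from stdin
  run hdiutil attach "$new_bundle"
  run hdiutil attach "$old_bundle"
  if [ "$DRY_RUN" = 0 ]; then
    old_vol="$(pick_old "$new_vol" "$old_vol")"
    [ "$old_vol" = "$new_vol" ] && new_vol="/Volumes/${USER_NAME} 1"
  fi
  # -E (Apple's rsync) also copies resource forks and extended attributes, which
  # plain -a does not.
  run rsync -avE "$old_vol/" "$new_vol/"
  run hdiutil detach "$old_vol"
  if [ "$DRY_RUN" = 0 ]; then
    if volume_is_case_sensitive "$new_vol"; then
      echo "note: $new_vol is case-sensitive; paths below must match exactly" >&2
    fi
    kc="$(login_keychain "$new_vol")" || { echo "no login.keychain under $new_vol" >&2; exit 1; }
    run systemkeychain -T "$kc"
  else
    run systemkeychain -T "$new_vol/Library/Keychains/login.keychain"
  fi
  run hdiutil detach "$new_vol"
}

migrate
```

Run it once with the default DRY_RUN=1 and compare the printed commands with the steps above; then, as root on the Mac, DRY_RUN=0 sh migrate_fv_user.sh user "Long User Name". The hdiutil chpass step still takes the new password interactively, and step 12 (repartitioning the new image in Disk Utility) has to be done by hand between the attach and the rsync if you want a case-sensitive volume.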

Comments:

* Macs and case-sensitive file systems are a PAIN!!! There are several Mac applications that do not work with case-sensitive file systems. Examples include Adobe products, antivirus products, and I am sure there are others. But if you work in the UNIX world then there are times that you need case sensitivity... so you have to come up with numerous workarounds...