Smartcard account on Mac

WORK IN PROGRESS — This procedure is not working yet — Use at your own risk!

I have a Mac (OSX 10.5) & use a smart card. I wanted to use the Smart Card to access the Mac. I have gotten different parts to work at different times, but I think I finally have it. I wanted 3 things from the Smart Card: login, key-chain, and FileVault (FV). The basis for this is from a great write up from AppleMacGeniusVille: http://www.applemacgeniusville.com/2009/09/15/enabling-cac-login-and-creating-filevault-cac-user/

But there were a couple of problems that I had:

  1. It did not cover moving an existing FV account.
  2. I could not get into the new FV account without the smart card. (What happens when the chip goes bad….)

Conventions:

  • user = username for working user account
  • # = command prompt as root (sudo su -)
  • $ = command prompt as user

So here goes:

  1. MAKE A COMPLETE BACKUP
  2. clean up old account (get rid of big / unused files)
  3. login with an admin account that is not the one you are moving.
  4. open terminal & sudo su -
  5. save the original FV account
    1. # mkdir /Users/user.save
    2. # mv /Users/user/user.sparsebundle /Users/user.save/
  6. Remove the account (GUI Tool: System Preferences->Accounts)
  7. Remove any old smart card info from your account.
    1. myhost# sc_auth remove -u current_user
  8. make sure that the FV Master password is set; if you have already used FV then it should be. (GUI Tool: System Preferences->Security->FileVault)
  9. Create a new FV User with tokenadmin
    1. # tokenadmin create-fv-user -u user -l "Long User Name" -p tempPassword
  10. change the password on the new sparse image (this adds a user level password to the FV (sparse) image) — this should be the same password as the OLD user — it will use the SmartCard to authenticate and add a password (it also changed the NEW user password for me)
    1. # hdiutil chpass -newstdinpass /Users/user/user.sparsebundle
  11. Mount the (new) FV User image
    1. # hdiutil attach /Users/user/user.sparsebundle
  12. If you want to change the format of the sparsebundle, now is the time. (I wanted this to be case sensitive, while my OS disk is not – turns out that this REALLY is a pain - wasted a lot of time here!!!)*
    1. Open Disk Utility select the user.sparsebundle for the NEW user
    2. Select Partition
    3. Select Volume Scheme: 1 Partition
    4. Click Options & Select GUID Partition (If you use Apple partition here this utility creates a small partition that is not visible in most instances, but will screw up FileVault)
    5. Set the name to your short username (example: user)
    6. Select the Format; for me: Mac OS Extended (Case-sensitive, Journaled)
    7. Click Apply & confirm by clicking: Partition
  13. Mount the OLD FV user
    1. # hdiutil attach /Users/user.save/user.sparsebundle
  14. Make links to identify the old and new
    1. # cd /Volumes
    2. # ln -s user new
    3. # ln -s "user 1" old
    4. Verify new is the new FV directory and old is the one with the data that needs to be saved. If not fix these links.
  15. Copy the files from the old to the new
    1. # cd /Volumes
    2. # rsync -av old/ new/
  16. remove the links
    1. # cd /Volumes
    2. # rm new old
  17. unmount the old sparse bundle
    1. # hdiutil unmount "/Volumes/user 1"
  18. set the login keychain to unlock with smartcard:
    1. # systemkeychain -T /Volumes/user/Library/Keychains/login.keychain
  19. unmount the new sparse bundle
    1. # hdiutil unmount /Volumes/user

Comments:

* Macs & Case Sensitive file systems are a PAIN!!! There are several Mac applications that do not work with case sensitive file systems. Examples include Adobe products, antivirus products, and I am sure there are others. But if you work in UNIX world then there are times that you need case sensitivity… so you have to come up with numerous workarounds…

IPv6 with Mac OSX

As of OSX 10.5.8, there seems to be a problem with statically assigned IPv6 addresses. You can fill in the dialog, but it does not actually configure the adapter.

Workaround:
ifconfig en0 inet6 2001:48:24:12::12/64
route add -inet6 -prefixlen 0 default 2001:48:24:12::1

Note: this is not actually my IP (v6) address

OpenSSL to encrypt a file

There are more elegant ways to do this, but when you need to encrypt a file from one point to another this works and the tool is almost always available.

encrypt:
openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc
(password)

decrypt:
openssl enc -d -aes-256-cbc -a -in file.enc -out file.txt
(password)

source:
OpenSSL Command-Line HOWTO
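
An added example, not from the original post: the same openssl enc commands wrapped for unattended use. It goes beyond the post by deriving the key with PBKDF2 and checking an HMAC before decrypting, since AES-CBC on its own does not detect a modified file. The function names, file layout and iteration count are assumptions, and -pbkdf2 needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, file names and
# ITER are illustrative assumptions. Needs OpenSSL 1.1.1 or later (-pbkdf2).
ITER=200000

# hmac_tag FILE PASSFILE SALT_HEX: print HMAC-SHA256 of FILE. The MAC key comes
# from the passphrase via PBKDF2 with its own salt ("enc -P" only prints keys).
# Caveat: the derived key is on the dgst command line, visible to local users.
hmac_tag() {
    key=$(openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -S "$3" \
        -pass "file:$2" -P 2>/dev/null | sed -n 's/^key=//p')
    [ -n "$key" ] || return 1
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$key" < "$1" |
        awk '{print $NF}'
}

# seal PLAIN OUT PASSFILE: the post's encrypt command with PBKDF2 and a
# passphrase file instead of a prompt; writes OUT and OUT.mac ("salt tag").
seal() {
    openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2" || return 1
    salt=$(openssl rand -hex 8) || return 1
    tag=$(hmac_tag "$2" "$3" "$salt") && [ -n "$tag" ] || return 1
    printf '%s %s\n' "$salt" "$tag" > "$2.mac"
}

# unseal IN OUT PASSFILE: recompute the tag first; a modified file or a wrong
# passphrase returns 2 and nothing is decrypted.
unseal() {
    read -r salt want < "$1.mac" || return 1
    got=$(hmac_tag "$1" "$3" "$salt") || return 1
    [ -n "$want" ] && [ "$got" = "$want" ] ||
        { echo "MAC mismatch: $1" >&2; return 2; }
    openssl enc -d -aes-256-cbc -a -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

# Round trip on constructed sample data; returns 0 when the copy matches.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed passphrase\n' > "$d/pass"
    printf 'constructed sample text\n' > "$d/file.txt"
    seal "$d/file.txt" "$d/file.enc" "$d/pass" &&
        unseal "$d/file.enc" "$d/file.out" "$d/pass" &&
        cmp -s "$d/file.txt" "$d/file.out"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Send file.enc and file.enc.mac together; the passphrase still has to reach the other side by a separate channel.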

Default Application for a file

There is no simple universal utility included with OSX to do this, but there is a freeware package available.

Set the Default application for a filetype in Mac:
http://www.rubicode.com/Software/RCDefaultApp/

  • RCDefaultApp is a Mac OS X 10.2 or higher preference pane that allows a user to set the default application used for various URL schemes, file extensions, file types, MIME types, and Uniform Type Identifiers (or UTIs; MacOS 10.4 only). MacOS X uses the extension and file type settings to choose the application when opening a file in Finder, while Safari and other applications use the URL and MIME type settings at other times for content not related to a file (such as an unknown URL protocol, or a media stream).

Thanks to APC Mag for pointing to this:
How to: set your default applications in Mac OS X

Mac Keyboard with Linux

I noticed the neat little Mac keyboards @ Bestbuy and was thinking about putting one on a myth box that I’m building.

So just a little research:
http://hansmi.ch/articles/apple-keyboard-with-linux

http://forums.macosxhints.com/archive/index.php/t-44415.html

Google: mac keyboard on linux — looks like some good info