SmartCard logon

Hello,

I am developing a smartcard CTK extension for macOS.

I have trouble logging on with the smartcard the first time after a reboot or a logout (e.g. when the text "Your password is required to enable Touch ID" is shown). Trouble = I'm not asked for the PIN.

But from time to time after a logout (from whatever account), I can log in with the smartcard. After a lock screen I can always log in with the smartcard.

  • Is there an easy way to debug the logon process?

Regards, ++dom

It seems like you are encountering an issue with the initial smart card logon after a system reboot on macOS. This behavior might be related to the system's security policies or the order in which authentication mechanisms are initialized during the boot process.

Here are a few suggestions to help you debug and potentially resolve the issue:

Check System Log for Errors: Review the system logs to see if there are any error messages related to smart card authentication during the initial logon. You can use the Console application or check the logs using the command line:

Look for any error messages or warnings that might provide insights into the problem.

Smart Card Initialization Timing: Ensure that your smart card initialization process is properly timed during the system boot. There may be dependencies or delays in the initialization of smart card services that are causing the issue. You may need to delay your smart card initialization until after other necessary system services are up and running.

Debugging with sc_auth Tool: macOS includes a tool called sc_auth that can be useful for debugging smart card issues. You can use it to trigger smart card authentication manually and observe any error messages. For example:

The --debug option will provide more detailed output. You can use this tool to simulate the authentication process and see if it reveals any issues.

Consider Credential Caching: macOS might be caching credentials for a certain period after the initial login, which could explain why the smart card works after a password login. Check if there are any caching mechanisms in place and if adjusting their settings helps.

Review Security Policies: Ensure that your smart card logon extension adheres to macOS security policies. The security policies might have specific requirements or restrictions that affect the behavior of authentication mechanisms.

oops, no code.

part 1:

log show --predicate 'eventMessage contains "smart card"' --info

and part 2:

sudo sc_auth --debug

Thank you very much BornP, I will check next week.

Does your test Mac have FileVault enabled?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello Quinn,

Sorry, I switched to another project in the meantime. Back to this one.

Yes indeed, FileVault is enabled. But I did not get any error during the pairing step.

Are the CTKs loaded at boot time / session login?

Regards, ++dom

Are the CTKs loaded at boot time / session login?

Modern smart card support is based on CryptoTokenKit (CTK) app extensions. There are two flavours of those:

  • A smart card token driver, which subclasses TKSmartCardTokenDriver

  • A persistent token driver, which subclasses TKTokenDriver

A smart card token can be used for login. A persistent token cannot.

If you’re building a smart card token, see Authenticating Users with a Cryptographic Token for info on a specific hoop you have to jump through.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
