Important!

Blog moved to https://blog.apdu.fr/

I moved my blog from https://ludovicrousseau.blogspot.com/ to https://blog.apdu.fr/. Why? I wanted to move away from Blogger (owne...

Monday, January 16, 2017

macOS Sierra and (legacy) smart card login

It is easy to configure a user account to log in with a smart card on macOS Sierra. Some steps are not easy to guess, so I wrote this documentation for me to remember.

System configuration

Enable smart card login

$ security authorizationdb smartcard enable
YES (0)

Check configuration

$ security authorizationdb smartcard status
Current smartcard login state: enabled (system.login.console enabled, authentication rule enabled)
YES (0)

Note: "YES (0)" is also printed when smart card login is disabled, so that line tells you nothing about the state. Check for "enabled" in the "Current smartcard login state" line of the output.

User configuration

You need to generate a key pair and a certificate in your smartcard. I used CAcert.org as it is a free CA.

The tokend system is read-only, so you can't enrol with Safari. You need to use Firefox with the smartcard PKCS#11 library to enrol your card.

After that your smartcard should be visible in the Keychain Access application:

List the possible hashes

$ sc_auth hash
4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C CAcert WoT User
9F050FD8D4781472FA56AC599BF952052E5EDA65 com.apple.systemdefault
9B6CCF907A02C78774AEEEC7D2501165FB98231A com.apple.kerberos.kdc
9F050FD8D4781472FA56AC599BF952052E5EDA65 com.apple.systemdefault
9B6CCF907A02C78774AEEEC7D2501165FB98231A com.apple.kerberos.kdc

I want to use the CAcert certificate and key.

Configure the hash

$ sudo sc_auth accept -u lroussea -h 4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C

Check it worked:

$ sc_auth list
Hash (legacy): 4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C

Certification Authority configuration

One major problem with CAcert is that this CA is not recognised as trusted by (major) operating systems and (major) web browsers. That is why you get a red warning "This certificate was signed by an unknown authority" in the Keychain Access application.


You need to import and trust the CAcert root certificate. You can get CAcert root certificate from https://www.cacert.org/index.php?id=3. I fetched the root certificate in PEM format and saved it as root.cer.

Import CAcert root certificate

You can import the CAcert root certificate using the Keychain Access application, but the certificate would not get the needed trust level. You need to use the command line (I got the command from "Adding new trusted root certificates to System.keychain"):

$ sudo security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" root.cer

Note: I had to use -r trustAsRoot instead of -r trustRoot as in the "Adding new trusted root certificates to System.keychain" web page. Maybe the CAcert root certificate is not considered as a real root certificate.

The CAcert root certificate should be trusted and should not display any blue mark.

Bad:
Good:

User certificate validity

Check that the certificate in the smartcard is now considered valid (with no special blue mark on it):

The certificate must be valid for any user, not just yourself. A good way to check that is to verify that the certificate is also valid from another user account. The certificate must be valid before the user is logged in, so it must not depend on a (trust) setting configured for a particular user.

You can get more details by evaluating the certificate from the Keychain Access application.
  1. Control-click on the certificate
  2. Select "Evaluate ..." from the popup menu
  3. Click "Continue" in the next dialog box
  4. Check the certificate status
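
To make the checks of the previous sections scriptable, here is an added example (my own code, not from the original post): POSIX shell helpers that classify the output of "security authorizationdb smartcard status" by its state line rather than by the "YES (0)" result, pick the hash for a certificate label out of the "sc_auth hash" listing (collapsing the duplicated lines and refusing a missing or ambiguous label before it is passed to "sc_auth accept"), and verify the user certificate against the imported root with "openssl verify". The label "CAcert WoT User" and the file name root.cer come from the post; user.cer and the output formats of the two Apple commands are assumptions, and the sample strings used in the self-check are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post. Helpers for checking the
# legacy smart card login setup described above. Assumed: 'security' and
# 'sc_auth' print output in the format quoted in the post. Sample strings
# used for testing are constructed, not captured from a real machine.

# Classify the output of `security authorizationdb smartcard status`.
# "YES (0)" is printed whether login is enabled or not, so only the
# state line is meaningful. Prints enabled, disabled or unknown.
smartcard_state() {
    case "$1" in
        *"Current smartcard login state: enabled"*)  echo enabled ;;
        *"Current smartcard login state: disabled"*) echo disabled ;;
        *)                                           echo unknown ;;
    esac
}

# Extract the hash that `sc_auth hash` printed for a certificate label.
# $1: captured `sc_auth hash` output, $2: label (e.g. "CAcert WoT User").
# Repeated lines are collapsed; the function succeeds only if exactly one
# distinct hash carries that label, so a typo in the label or a card with
# two certificates of the same name never feeds a wrong hash to
# `sc_auth accept -h`.
hash_for_label() {
    _matches=$(printf '%s\n' "$1" | awk -v label="$2" '
        NF >= 2 && substr($0, length($1) + 2) == label { print $1 }' | sort -u)
    _count=$(printf '%s\n' "$_matches" | grep -c . || true)
    [ "$_count" -eq 1 ] || return 1
    printf '%s\n' "$_matches"
}

# Verify that a user certificate (PEM) chains to the root that was
# imported into the System keychain. This is the same question the
# "Evaluate" dialog answers, but asked without any per-user trust
# settings, which is the situation of the login screen.
# $1: root certificate file (root.cer), $2: user certificate file.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run on a Mac: inspect the live system. Elsewhere the two
# Apple commands do not exist and this part is skipped.
if command -v security >/dev/null 2>&1 && command -v sc_auth >/dev/null 2>&1; then
    echo "smart card login: $(smartcard_state "$(security authorizationdb smartcard status 2>&1)")"
    if h=$(hash_for_label "$(sc_auth hash)" "CAcert WoT User"); then
        echo "hash to pass to 'sc_auth accept -h': $h"
    else
        echo "no unique certificate labelled 'CAcert WoT User' on the card" >&2
    fi
    # Assumed file names: root.cer from the post, user.cer exported from the card.
    [ -f root.cer ] && [ -f user.cer ] && verify_chain root.cer user.cer \
        && echo "user.cer chains to root.cer"
fi
```

Matching on the state line is the point of the first helper: the trailing "YES (0)" appears in both states, so a script that only looked for YES would report a disabled configuration as enabled. The second helper exists because "sc_auth hash" lists some entries twice and the hash is then copied by hand into the accept command; refusing anything but a single distinct match catches the copy error before the account is changed.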

Enjoy

You can now logout to go back to the login screen. After inserting your smartcard your user should be selected and the prompt should display "PIN code:" instead of the classic "Password:".

You may want to set your default keychain password to the same value as your PIN code, so your saved passwords are accessible automatically after logging in with the smartcard.

Conclusion

Using a smartcard to log in to macOS Sierra is easy to configure. But you have to take great care of the certificate chain between the CA and your certificate.

I used and described the legacy smart card authentication system. macOS Sierra introduced a new "smart card token" mechanism to replace tokend. That is for another blog article.

Tuesday, January 10, 2017

macOS Sierra 10.12.2 and CCID upgrade

In macOS Sierra 10.12.2 Apple upgraded the CCID driver from version 1.4.24 (present in macOS Sierra 10.12 and 10.12.1) to version 1.4.25.

See "New version of libccid: 1.4.25" to get the list of changes.

Releases

The CCID driver 1.4.25 was released on September 30th, 2016, and the macOS Sierra 10.12.2 upgrade was released on December 14, 2016, so 2.5 months later.

It is good news to see Apple integrating new versions of the CCID driver in "minor" operating system upgrades. It was already the case with macOS El Capitan (see "OS X El Capitan and CCID evolution").

Next upgrade

The current CCID version is 1.4.26 from 7 January 2017. I expect to see this version in the next minor Sierra upgrade: 10.12.3.

Saturday, January 7, 2017

MUSCLE mailing list statistics for 2016

As I did in 2009, 2010, 2011, 2012, 2013, 2014 and 2015 I propose some statistics of the MUSCLE mailing list usage.

Evolution

Year  Total number of messages  Progression
2009  603
2010  718                       +19 %
2011  999                       +39 %
2012  207                       -79 %
2013  198                        -4 %
2014  194                        -2 %
2015  120                       -38 %
2016  125                        +4 %

The number of messages is stable this year.

Comments

I am still the top poster on the MUSCLE mailing list with 33% of the messages.

The second top poster is Maksim Ivanov (emaxx@google.com) with 12 messages about fixing bugs in pcsc-lite and CCID. Thanks Maxim.

Then William To (william.to@erg.com.hk) working on a port of pcsc-lite and CCID on Solaris.


Statistics from 10.1.2016 to 22.12.2016
for pcsclite-muscle@lists.alioth.debian.org



People who have written most messages:


Rank  Author                                           Msg  Percent
   1  ludovic.rousseau@gmail.com                        41  32.80 %
   2  emaxx@google.com                                  12   9.60 %
   3  william.to@erg.com.hk                             11   8.80 %
   4  oliver.graute@gmail.com                            6   4.80 %
   5  christophe.ferrando@sylyca.com                     5   4.00 %
   6  Gregory_W_Barry@rl.gov                             4   3.20 %
   7  amacias@solutia-it.es                              4   3.20 %
   8  vindrg@gmail.com                                   3   2.40 %
   9  pcsclite-muscle-request@lists.alioth.debian.org    3   2.40 %
  10  jay.aurabind@gmail.com                             3   2.40 %
  11  ivo.raisr@oracle.com                               3   2.40 %
  12  ben.mehlman@sweetsams.com                          3   2.40 %
  13  godfreyhkchung@gmail.com                           3   2.40 %
  14  00cpxxx@gmail.com                                  2   1.60 %
  15  dbaryshkov@gmail.com                               2   1.60 %
  16  stephan@matrixstorm.com                            2   1.60 %
  17  janprunk@gmail.com                                 2   1.60 %
  18  martin@martinpaljak.net                            2   1.60 %
  19  informatica@actiu.net                              1   0.80 %
  20  andrey.roussev@gmail.com                           1   0.80 %
  21  andre@florath.net                                  1   0.80 %
  22  richardhackers@gmail.com                           1   0.80 %
  23  dirkx@webweaving.org                               1   0.80 %
  24  nmav@redhat.com                                    1   0.80 %
  25  dwmw2@infradead.org                                1   0.80 %
  26  nicola.barbon@italdes.it                           1   0.80 %
  27  trenta.sis@gmail.com                               1   0.80 %
  28  pcsc@wulf.eu.org                                   1   0.80 %
  29  my.nl.abos@gmail.com                               1   0.80 %
  30  maximilian.stein@secunet.com                       1   0.80 %
      other                                              2   1.60 %

Best authors, by total size of their messages (w/o quoting):


Rank  Author                                            KBytes
   1  ludovic.rousseau@gmail.com                        1398.8
   2  oliver.graute@gmail.com                            665.2
   3  pcsclite-muscle-request@lists.alioth.debian.org    157.5
   4  william.to@erg.com.hk                              116.0
   5  amacias@solutia-it.es                              106.3
   6  martin@martinpaljak.net                             85.7
   7  emaxx@google.com                                    60.2
   8  christophe.ferrando@sylyca.com                      43.6
   9  ivo.raisr@oracle.com                                39.9
  10  Gregory_W_Barry@rl.gov                              24.8
  11  godfreyhkchung@gmail.com                            21.0
  12  ben.mehlman@sweetsams.com                           20.4
  13  andrey.roussev@gmail.com                            16.3
  14  janprunk@gmail.com                                  15.6
  15  stephan@matrixstorm.com                             13.6
  16  vindrg@gmail.com                                    12.6
  17  00cpxxx@gmail.com                                   11.9
  18  my.nl.abos@gmail.com                                10.8
  19  jay.aurabind@gmail.com                              10.4
  20  dirkx@webweaving.org                                10.2
  21  trenta.sis@gmail.com                                10.0
  22  nicola.barbon@italdes.it                             8.6
  23  nmav@redhat.com                                      7.1
  24  maximilian.stein@secunet.com                         7.0
  25  dwmw2@infradead.org                                  6.5
  26  dbaryshkov@gmail.com                                 6.2
  27  andre@florath.net                                    3.5
  28  pcsc@wulf.eu.org                                     2.9
  29  richardhackers@gmail.com                             2.6
  30  informatica@actiu.net                                2.5

Best authors, by average size of their message (w/o quoting):


Rank  Author                                            bytes
   1  oliver.graute@gmail.com                          113525
   2  pcsclite-muscle-request@lists.alioth.debian.org   53774
   3  martin@martinpaljak.net                           43854
   4  ludovic.rousseau@gmail.com                        34936
   5  amacias@solutia-it.es                             27220
   6  andrey.roussev@gmail.com                          16730
   7  ivo.raisr@oracle.com                              13633
   8  my.nl.abos@gmail.com                              11023
   9  william.to@erg.com.hk                             10794
  10  dirkx@webweaving.org                              10400
  11  trenta.sis@gmail.com                              10220
  12  christophe.ferrando@sylyca.com                     8939
  13  nicola.barbon@italdes.it                           8782
  14  janprunk@gmail.com                                 8006
  15  nmav@redhat.com                                    7244
  16  godfreyhkchung@gmail.com                           7182
  17  maximilian.stein@secunet.com                       7175
  18  stephan@matrixstorm.com                            6978
  19  ben.mehlman@sweetsams.com                          6956
  20  dwmw2@infradead.org                                6639
  21  Gregory_W_Barry@rl.gov                             6344
  22  00cpxxx@gmail.com                                  6074
  23  emaxx@google.com                                   5134
  24  vindrg@gmail.com                                   4310
  25  andre@florath.net                                  3614
  26  jay.aurabind@gmail.com                             3537
  27  dbaryshkov@gmail.com                               3177
  28  pcsc@wulf.eu.org                                   2938
  29  richardhackers@gmail.com                           2710
  30  informatica@actiu.net                              2540

Table showing the most successful subjects:

Rank  Msg  Percent  Subject
   1    9   7.20 %  [Pcsclite-muscle] ccid 1.3.13 IFD require manual smart card
   2    8   6.40 %  [Pcsclite-muscle] pccs-lite 1.8.xx on Solaris 11
   3    7   5.60 %  [Pcsclite-muscle] pcsc-lite-1.8.17 on solaris system
   4    6   4.80 %  [Pcsclite-muscle] High CPU load with pcscd and Kerkey security
   5    4   3.20 %  [Pcsclite-muscle] Looking/developing magstripe API
   6    4   3.20 %  [Pcsclite-muscle] SCARD_E_NOT_TRANSACTED
   7    4   3.20 %  [Pcsclite-muscle] cannot erase epass2003auto - token init
   8    3   2.40 %  [Pcsclite-muscle] Tracing feature in the client side
   9    3   2.40 %  [Pcsclite-muscle] Error handling when reading driver configs
  10    3   2.40 %  [Pcsclite-muscle] Increasing connected smart card reader count
  11    3   2.40 %  [Pcsclite-muscle] Difference with Windows (maybe a bug)
  12    3   2.40 %  [Pcsclite-muscle] Smartcard reader Precise Biometrics 200 MC
  13    3   2.40 %  [Pcsclite-muscle] Bug in CCID library
  14    3   2.40 %  [Pcsclite-muscle] Difference from Windows' implementation with
  15    2   1.60 %  [Pcsclite-muscle] SCardConnect: socketcall.sendto(msg) points to
  16    2   1.60 %  [Pcsclite-muscle] pcscd jams when using '--auto-exit'
  17    2   1.60 %  [Pcsclite-muscle] further issues with O2MICRO OZ776 (0b97:7772)
  18    2   1.60 %  [Pcsclite-muscle] SCARD : PROTOCOL_T1 and PROTOCOL_RAW
  19    2   1.60 %  [Pcsclite-muscle] SCardEndTransaction(hCard,SCARD_EJECT_CARD);
  20    2   1.60 %  [Pcsclite-muscle] can't "make" ccid on Ubuntu 14.04.4 LTS
  21    2   1.60 %  [Pcsclite-muscle] Possible generation of duplicate SCARDHANDLE
  22    2   1.60 %  Pam-pkcs#11 needs a new maintainer(s) soon, or it will die
  23    2   1.60 %  [Pcsclite-muscle] Support for multiple devices with ifdnfc,
  24    2   1.60 %  [Pcsclite-muscle] Bug in reconnecting to a card.
  25    2   1.60 %  [Pcsclite-muscle] ReinerSCT Cyberjack e-com:
  26    2   1.60 %  [Pcsclite-muscle] ReinerSCT Cyberjack e-com: readerfactory.c:1097:RFInitializeReader()
  27    2   1.60 %  [Pcsclite-muscle] High CPU load with pcscd and Kerkey security Module
  28    2   1.60 %  [Pcsclite-muscle] [PATCH] fix racecondition between winscard
  29    1   0.80 %  New version of libccid: 1.4.22
  30    1   0.80 %  PySCard 1.9.2 released
       32  25.60 %  other

Most used email clients:

Rank  Mailer                               Msg  Percent
   1  (unknown)                             98  78.40 %
   2  Mozilla/5.x                           12   9.60 %
   3  Microsoft Outlook 16.0                 9   7.20 %
   4  Apple Mail (2.3124)                    1   0.80 %
   5  Evolution 3.20.3 (3.20.3-1.1.fc24)     1   0.80 %
   6  Microsoft Outlook 15.0                 1   0.80 %
   7  NeoMutt/20160910 (1.7.0)               1   0.80 %
   8  Centrum Email 5.3                      1   0.80 %
   9  KMail                                  1   0.80 %
      other                                  0   0.00 %


Table of maximal quoting:


Rank  Author                                           Percent
   1  plomba@net.hr                                    87.42 %
   2  maximilian.stein@secunet.com                     56.36 %
   3  ben.mehlman@sweetsams.com                        33.15 %
   4  nicola.barbon@italdes.it                         33.13 %
   5  informatica@actiu.net                            30.77 %
   6  jay.aurabind@gmail.com                           27.79 %
   7  trenta.sis@gmail.com                             26.20 %
   8  andre@florath.net                                23.89 %
   9  william.to@erg.com.hk                            21.53 %
  10  christophe.ferrando@sylyca.com                   18.63 %
  11  dbaryshkov@gmail.com                             18.42 %
  12  florian_kaiser@genua.de                          17.73 %
  13  vindrg@gmail.com                                 16.60 %
  14  emaxx@google.com                                 15.90 %
  15  Gregory_W_Barry@rl.gov                           15.07 %
  16  00cpxxx@gmail.com                                15.04 %
  17  martin@martinpaljak.net                          13.14 %
  18  pcsclite-muscle-request@lists.alioth.debian.org  12.68 %
  19  dirkx@webweaving.org                             12.58 %
  20  pcsc@wulf.eu.org                                 12.24 %
  21  janprunk@gmail.com                               10.30 %
  22  stephan@matrixstorm.com                          10.25 %
  23  amacias@solutia-it.es                             9.82 %
  24  ivo.raisr@oracle.com                              7.84 %
  25  nmav@redhat.com                                   4.82 %
  26  godfreyhkchung@gmail.com                          3.32 %
  27  ludovic.rousseau@gmail.com                        3.25 %
  28  richardhackers@gmail.com                          2.79 %
  29  my.nl.abos@gmail.com                              1.48 %
  30  dwmw2@infradead.org                               0.99 %
      average                                           6.90 %

Number of messages written during hours of the day (values of the graph):

Hour  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Msgs  2  1  1  0  0  1  1  0  5 10  9  8 11 10 13 10 11  5  8  5  7  5  1  1

Number of messages written during days of the month (values of the graph):

Day   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Msgs  4  7  7  2  3  3  0  4  3  2  6  1  3  2  3  6  5 14  4  7  1  6 12  3  2  3  1  2  3  6  0

Number of messages written during days of the week (values of the graph):

Day   Mon  Tue  Wed  Thu  Fri  Sat  Sun
Msgs   18   22   27   16   27    7    8

Maximal quoting:


Author : plomba@net.hr
Subject : [Pcsclite-muscle] SCardEstablishContext method call ret
Date : Wed, 16 Nov 2016 15:26:47 +0100
Quote ratio: 87.43% / 8852 bytes

Longest message:


Author : ludovic.rousseau@gmail.com
Subject : [Pcsclite-muscle] ReinerSCT Cyberjack e-com: readerfactory.c:1097:RFInitializeReader()
Date : Wed, 16 Nov 2016 09:12:45 +0100
Size : 813477 bytes

Most successful subject:


Subject : [Pcsclite-muscle] ccid 1.3.13 IFD require manual smart card
No. of msgs: 9
Total size : 83742 bytes

Final summary:


Total number of messages: 125
Total number of different authors: 32
Total number of different subjects: 62
Total size of messages (w/o headers): 3189502 bytes
Average size of a message: 25516 bytes



Input file last updated: Sat Jan 7 20:35:57 2017
Generated by MailListStat v1.3