Wednesday, December 7, 2016

macOS Sierra and pam_smartcard

In Sierra a new smart card component has been introduced: pam_smartcard. PAM is Pluggable Authentication Modules.

The source code is available at macOS 10.12 Source and is part of the pam_modules component.


The pam_smartcard(8) manage is:
pam_smartcard(8)          BSD System Manager's Manual         pam_smartcard(8)

     pam_smartcard -- Smartcard PAM module

     [service-name] function-class control-flag pam_smartcard [options]

     The Smartcard PAM module supports authentication function class.  In
     terms of the function-class parameter, this is ``auth.''

   The Smartcard Authentication Module
     This module permits or denies users based on smartcard authentication
     support in the Open Directory database, and the presence of an appropri-
     ate smartcard in the reader attached to the local machine. When a card is
     locked, the user is asked to unlock it with his PIN.

   The following options may be passed to this account management module:
             Continues evaluation even if user's shell is not valid. Normally,
             users with a shell like /usr/bin/false are considered as dis-

     Adding the following line on the top of the /etc/pam.d/sudo enables smartcard support for sudo:
             auth   sufficient

     pam.conf(5), pam(8) SmartCardServices(7)

BSD                             August 27, 2015                            BSD

I guess this is related to the introduction of the native support of PIV cards in Sierra. See "macOS Sierra and PIVToken source code".

The pam_smartcard PAM module is used by two services by default:
  • authorization_ctk
  • screensaver_ctk
$ grep pam_smartcard /etc/pam.d/*
/etc/pam.d/authorization_ctk:auth       required  use_first_pass
/etc/pam.d/screensaver_ctk:auth       required  use_first_pass

$ cat /etc/pam.d/authorization_ctk 
# ctk: auth 
auth       required   use_first_pass
account    required

$ cat /etc/pam.d/screensaver_ctk 
# ctk: auth 
auth       required  use_first_pass
account    required
account    sufficient
account    required no_warn group=admin,wheel fail_safe
account    required no_warn deny group=admin,wheel ruser fail_safe


Another interesting man page is SmartCardServices(7). Here is an extract:
SmartCardServices(7) BSD Miscellaneous Information Manual SmartCardServices(7)

     SmartCardServices -- overview of smart card support

     SmartCardServices is a set of components for OS X smart card support.

     Any smart card which supports the PIV standard is supported natively by
     OS X. Access to smart card items is possible using the keychain inter-
     face. Applications can install additional drivers for smart cards that
     are not natively supported.

     Smart card certificates are automatically added to user's keychain when a
     smart card is inserted. Smart card certificates can be listed with
     security using the list-smartcards or export-smartcard commands. Keychain
     Access GUI cannot be used to manipulate or list these certificates.

     To associate users with smart cards, the system can be set up for either
     fixed key mapping or attribute based mapping. For fixed key use
     sc_auth(8) or use the dialog which appears automatically when an unasso-
     ciated smartcard is inserted into a reader. This dialog can be globally
     suppressed by:

           sudo defaults write /Library/Preferences/ UserPairing -bool NO

     Attribute matching can be set up using the appropriate AttributeMapping
     section in the configuration file as described below. There is no default
     configuration. If no AttributeMapping exists or the configuration file is
     missing, attribute matching is not used. If both fixed key mapping and
     attribute mapping are able to associate the inserted smart card with a
     user, attribute mapping takes precedence.

     By default certificates do not need to be trusted to allow association.
     Certificate trust can be globally enforced by setting:

           sudo defaults write /Library/Preferences/ checkCertificateTrust -bool YES



Since PAM is available in macOS maybe the PAM PKCS#11 module can be used without too much changes? This module is for GNU/Linux but may be adapted for macOS.

In this case, adding support for smart card login in macOS, if you already have a PKCS#11 library for your card, should be easy.


The use of smart card in macOS for high level services (like authentication) is easier in Sierra, at least for PIV smart cards.

I imagine that the support of other smart cards models will be proposed by third parties "soon".