The source code is available at macOS 10.12 Source and is part of the pam_modules component.
pam_smartcard
The pam_smartcard(8) manage is:pam_smartcard(8) BSD System Manager's Manual pam_smartcard(8) NAME pam_smartcard -- Smartcard PAM module SYNOPSIS [service-name] function-class control-flag pam_smartcard [options] DESCRIPTION The Smartcard PAM module supports authentication function class. In terms of the function-class parameter, this is ``auth.'' The Smartcard Authentication Module This module permits or denies users based on smartcard authentication support in the Open Directory database, and the presence of an appropri- ate smartcard in the reader attached to the local machine. When a card is locked, the user is asked to unlock it with his PIN. The following options may be passed to this account management module: no_check_shell Continues evaluation even if user's shell is not valid. Normally, users with a shell like /usr/bin/false are considered as dis- abled. EXAMPLE Adding the following line on the top of the /etc/pam.d/sudo enables smartcard support for sudo: auth sufficient pam_smartcard.so SEE ALSO pam.conf(5), pam(8) SmartCardServices(7) BSD August 27, 2015 BSD
I guess this is related to the introduction of the native support of PIV cards in Sierra. See "macOS Sierra and PIVToken source code".
The pam_smartcard PAM module is used by two services by default:
- authorization_ctk
- screensaver_ctk
$ grep pam_smartcard /etc/pam.d/* /etc/pam.d/authorization_ctk:auth required pam_smartcard.so use_first_pass /etc/pam.d/screensaver_ctk:auth required pam_smartcard.so use_first_pass
$ cat /etc/pam.d/authorization_ctk
# ctk: auth
auth required pam_smartcard.so use_first_pass
account required pam_opendirectory.so
$ cat /etc/pam.d/screensaver_ctk
# ctk: auth
auth required pam_smartcard.so use_first_pass
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
SmartCardServices
Another interesting man page is SmartCardServices(7). Here is an extract:SmartCardServices(7) BSD Miscellaneous Information Manual SmartCardServices(7) NAME SmartCardServices -- overview of smart card support DESCRIPTION SmartCardServices is a set of components for OS X smart card support. Any smart card which supports the PIV standard is supported natively by OS X. Access to smart card items is possible using the keychain inter- face. Applications can install additional drivers for smart cards that are not natively supported. Smart card certificates are automatically added to user's keychain when a smart card is inserted. Smart card certificates can be listed with security using the list-smartcards or export-smartcard commands. Keychain Access GUI cannot be used to manipulate or list these certificates. SETUP To associate users with smart cards, the system can be set up for either fixed key mapping or attribute based mapping. For fixed key use sc_auth(8) or use the dialog which appears automatically when an unasso- ciated smartcard is inserted into a reader. This dialog can be globally suppressed by: sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool NO Attribute matching can be set up using the appropriate AttributeMapping section in the configuration file as described below. There is no default configuration. If no AttributeMapping exists or the configuration file is missing, attribute matching is not used. If both fixed key mapping and attribute mapping are able to associate the inserted smart card with a user, attribute mapping takes precedence. By default certificates do not need to be trusted to allow association. Certificate trust can be globally enforced by setting: sudo defaults write /Library/Preferences/com.apple.security.smartcard checkCertificateTrust -bool YES [...]
PAM PKCS#11?
Since PAM is available in macOS maybe the PAM PKCS#11 module can be used without too much changes? This module is for GNU/Linux but may be adapted for macOS.In this case, adding support for smart card login in macOS, if you already have a PKCS#11 library for your card, should be easy.
Conclusion
The use of smart card in macOS for high level services (like authentication) is easier in Sierra, at least for PIV smart cards.I imagine that the support of other smart cards models will be proposed by third parties "soon".