Configure macOS for smart card-only authentication

Smart card authentication provides strong two-factor authentication in macOS Sierra and later. macOS High Sierra 10.13.2 and later support smart card-only authentication for the mandatory use of a smart card, which disables all password-based authentication. 

This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication. 

Enable smart card-only login

Make sure that you carefully follow these steps to ensure that users will be able to log in to the computer.

  1. Pair a smart card to an admin user account or configure Attribute Matching.
  2. If you’ve enabled strict certificate checks, install any root certificates or intermediates that are required.
  3. Confirm that you can log in to an administrator account using a smart card.
  4. Install a smart-card configuration profile that includes "<key>enforceSmartCard</key><true/>," as shown in the smart card-only configuration profile below.
  5. Confirm that you can still log in using a smart card.

For more information about smart card payload settings, see the Apple Configuration Profile Reference.

For more information about using smart card services, see the macOS Deployment Guide or open Terminal and enter man SmartCardServices.

 

Disable smart card-only authentication

If you manually manage the profiles that are installed on the computer, you can remove the smart card-only profile in two ways. You can use the Profiles pane of System Preferences, or you can use the /usr/bin/profiles command-line tool. For more information, open Terminal and enter man profiles.

If your client computers are enrolled in Mobile Device Management (MDM), you can restore password-based authentication. To do this, remove the smart card configuration profile that enables the smart card-only restriction from the client computers.

To prevent users from being locked out of their account, remove the enforceSmartCard profile before you unpair a smart card or disable attribute matching. If a user is locked out of their account, remove the configuration profile to fix the issue.

If you apply the smart card-only policy before you enable smart card-only authentication, a user can get locked out of their computer. To fix this issue, remove the smart card-only policy:

  1. Start up the computer from macOS Recovery or from an external volume.
  2. Delete the Configuration Profile Repository. To do this, open Terminal and enter the following commands: 
    rm /var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist
    rm /var/db/ConfigurationProfiles/.profilesAreInstalled
    rm /var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
    rm /var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
    rm /var/db/ConfigurationProfiles/Setup/.profileSetupDone
  3. Restart the computer.
  4. Reinstall all the configuration profiles that existed before you enabled smart card-only authentication.

 

Configure Secure Shell Daemon (SSHD) to support smart card-only authentication

Users can use their smart card to authenticate over SSH to the local computer or to remote computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication. 

Update the /etc/ssh/sshd_config file:

  1. Use the following command to back up the sshd_config file:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup_`date "+%Y-%m-%d_%H:%M"`
  2. In the sshd_config file, change "#ChallengeResponseAuthentication yes" to "ChallengeResponseAuthentication no" and change "#PasswordAuthentication yes" to "#PasswordAuthentication no."

Then, use the following commands to restart SSHD:

sudo launchctl stop com.openssh.sshd

sudo launchctl start com.openssh.sshd

If a user wants to authenticate SSH sessions using a smart card, have them follow these steps:

  1. Use the following command to export the public key from their smart card:
    ssh-keygen -D /usr/lib/ssh-keychain.dylib
  2. Add the public key from the previous step to the ~/.ssh/authorized_keys file on the target computer.
  3. Use the following command to back up the ssh_config file:
    sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config_backup_`date "+%Y-%m-%d_%H:%M"`
  4. In the/etc/ssh/ssh_config file, add the line "PKCS11Provider=/usr/lib/ssh-keychain.dylib."

If the user wants to, they can also use the following command to add the private key to their ssh-agent:

ssh-add -s /usr/lib/ssh-keychain.dylib

 

Enable smart card-only for the SUDO command

Use the following command to back up the /etc/pam.d/sudo file:

sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`

Then, replace all of the contents of the /etc/pam.d/sudo file with the following text:

# sudo: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_opendirectory.so
auth        required      pam_deny.so
account     required      pam_permit.so
password    required      pam_deny.so
session     required      pam_permit.so

 

Enable smart card-only for the LOGIN command

Use the following command to back up the /etc/pam.d/login file:

sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"`

Then, replace all of the contents of the/etc/pam.d/login file with the following text:

# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
auth        required      pam_deny.so
account     required      pam_nologin.so
account     required      pam_opendirectory.so
password    required      pam_opendirectory.so
session     required      pam_launchd.so
session     required      pam_uwtmp.so
session     optional      pam_mount.so

 

Enable smart card-only for the SU command

Use the following command to back up the /etc/pam.d/su file:

sudo cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"`

Then, replace all of the contents of the/etc/pam.d/su file with the following text:

# su: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_rootok.so
auth        required      pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account     required      pam_permit.so
account     required      pam_opendirectory.so no_check_shell
password    required      pam_opendirectory.so
session     required      pam_launchd.so

 

Sample smart card-only configuration profile

Here’s a sample smart card-only configuration profile. You can use it to see the kinds of keys and strings that this type of profile includes.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures smart card-only</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.78.</string>
<key>PayloadOrganization</key>
<string>Apple</string>
<key>PayloadType</key>
<string>com.apple.security.smartcard</string>
<key>PayloadUUID</key>
<string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserPairing</key>
<false/>
<key>allowSmartCard</key>
<true/>
<key>checkCertificateTrust</key>
<false/>
<key>enforceSmartCard</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Smartcard profile.</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.77</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadUUID</key>
<string>7D34CC86-C707-44D2-9A9F-C5F6E347BD77</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

 

Published Date: