In Sierra a new smart card component has been introduced: pam_smartcard. PAM stands for Pluggable Authentication Modules.
The source code is available at macOS 10.12 Source and is part of the pam_modules component.
pam_smartcard
The pam_smartcard(8) man page is:
pam_smartcard(8) BSD System Manager's Manual pam_smartcard(8)
NAME
pam_smartcard -- Smartcard PAM module
SYNOPSIS
[service-name] function-class control-flag pam_smartcard [options]
DESCRIPTION
The Smartcard PAM module supports authentication function class. In
terms of the function-class parameter, this is ``auth.''
The Smartcard Authentication Module
This module permits or denies users based on smartcard authentication
support in the Open Directory database, and the presence of an appropriate
smartcard in the reader attached to the local machine. When a card is
locked, the user is asked to unlock it with his PIN.
The following options may be passed to this account management module:
no_check_shell
Continues evaluation even if user's shell is not valid. Normally,
users with a shell like /usr/bin/false are considered as disabled.
EXAMPLE
Adding the following line on the top of the /etc/pam.d/sudo enables smartcard support for sudo:
auth sufficient pam_smartcard.so
SEE ALSO
pam.conf(5), pam(8) SmartCardServices(7)
BSD August 27, 2015 BSD
I guess this is related to the introduction of the native support of PIV cards in Sierra. See "macOS Sierra and PIVToken source code".
The pam_smartcard PAM module is used by two services by default:
- authorization_ctk
- screensaver_ctk
$ grep pam_smartcard /etc/pam.d/*
/etc/pam.d/authorization_ctk:auth required pam_smartcard.so use_first_pass
/etc/pam.d/screensaver_ctk:auth required pam_smartcard.so use_first_pass
$ cat /etc/pam.d/authorization_ctk
# ctk: auth
auth required pam_smartcard.so use_first_pass
account required pam_opendirectory.so
$ cat /etc/pam.d/screensaver_ctk
# ctk: auth
auth required pam_smartcard.so use_first_pass
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
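To see at a glance which services load pam_smartcard and with which control flag, here is an added shell example (not from the original post, nor from Apple's pam_modules sources) that parses pam.d-style files. It builds its own constructed sample directory: the two *_ctk files quoted above, a sudo file with the man page's "auth sufficient pam_smartcard.so" line added on top, and a login file without smart card support; the module lists in the constructed sudo and login files are assumptions made for the sample. Point the functions at /etc/pam.d to audit a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit pam.d-style files for
# pam_smartcard.so and report the control flag each service uses.

# pam_smartcard_services DIR
#   Prints "<service> <control-flag> [options]" for every non-comment "auth"
#   line in DIR/* that loads pam_smartcard.so.
pam_smartcard_services() {
    pamd="$1"
    for f in "$pamd"/*; do
        [ -f "$f" ] || continue
        # Field 1 = function class, 2 = control flag, 3 = module, 4.. = options.
        awk -v svc="${f##*/}" '
            /^[ \t]*#/ { next }
            $1 == "auth" && $3 == "pam_smartcard.so" {
                line = svc " " $2
                for (i = 4; i <= NF; i++) line = line " " $i
                print line
            }' "$f"
    done
}

# pam_smartcard_flag DIR SERVICE
#   Echoes the control flag SERVICE uses for pam_smartcard.so, or "none".
pam_smartcard_flag() {
    flag=$(pam_smartcard_services "$1" | awk -v s="$2" '$1 == s { print $2; exit }')
    if [ -n "$flag" ]; then echo "$flag"; else echo "none"; fi
}

# pam_smartcard_is_first DIR SERVICE
#   Succeeds when the first "auth" line of SERVICE loads pam_smartcard.so,
#   i.e. the placement pam_smartcard(8) prescribes for sudo.
pam_smartcard_is_first() {
    first=$(awk '/^[ \t]*#/ { next } $1 == "auth" { print $3; exit }' "$1/$2")
    [ "$first" = "pam_smartcard.so" ]
}

# Constructed sample directory: the two Sierra *_ctk files quoted above, a sudo
# file with the man page's "auth sufficient pam_smartcard.so" line added on top,
# and a login file without smart card support. The sudo/login module lists are
# assumptions made for the sample, not copied from a real system.
make_sample_pamd() {
    d=$(mktemp -d)
    printf '# ctk: auth\nauth required pam_smartcard.so use_first_pass\naccount required pam_opendirectory.so\n' > "$d/authorization_ctk"
    printf '# ctk: auth\nauth required pam_smartcard.so use_first_pass\naccount required pam_opendirectory.so\naccount sufficient pam_self.so\n' > "$d/screensaver_ctk"
    printf '# sudo: auth account password session\nauth sufficient pam_smartcard.so\nauth required pam_opendirectory.so\naccount required pam_permit.so\n' > "$d/sudo"
    printf '# login: auth account password session\nauth required pam_opendirectory.so\naccount required pam_permit.so\n' > "$d/login"
    echo "$d"
}

# Stand-alone run: audit the constructed sample (use /etc/pam.d for a real host).
sample=$(make_sample_pamd)
pam_smartcard_services "$sample"
rm -rf "$sample"
```

The control flag is the part worth checking. With standard PAM semantics (pam.conf(5)), a "sufficient" line on top of sudo means a successful smart card authentication satisfies the auth stack and the remaining modules are skipped, but a failure falls through to the next module (password via pam_opendirectory), so the card is optional there. The "required" lines in authorization_ctk and screensaver_ctk make the smart card mandatory for those services: if pam_smartcard fails, the stack fails.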
SmartCardServices
Another interesting man page is SmartCardServices(7). Here is an extract:
SmartCardServices(7) BSD Miscellaneous Information Manual SmartCardServices(7)
NAME
SmartCardServices -- overview of smart card support
DESCRIPTION
SmartCardServices is a set of components for OS X smart card support.
Any smart card which supports the PIV standard is supported natively by
OS X. Access to smart card items is possible using the keychain interface.
Applications can install additional drivers for smart cards that
are not natively supported.
Smart card certificates are automatically added to user's keychain when a
smart card is inserted. Smart card certificates can be listed with
security using the list-smartcards or export-smartcard commands. Keychain
Access GUI cannot be used to manipulate or list these certificates.
SETUP
To associate users with smart cards, the system can be set up for either
fixed key mapping or attribute based mapping. For fixed key use
sc_auth(8) or use the dialog which appears automatically when an unassociated
smartcard is inserted into a reader. This dialog can be globally
suppressed by:
sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool NO
Attribute matching can be set up using the appropriate AttributeMapping
section in the configuration file as described below. There is no default
configuration. If no AttributeMapping exists or the configuration file is
missing, attribute matching is not used. If both fixed key mapping and
attribute mapping are able to associate the inserted smart card with a
user, attribute mapping takes precedence.
By default certificates do not need to be trusted to allow association.
Certificate trust can be globally enforced by setting:
sudo defaults write /Library/Preferences/com.apple.security.smartcard checkCertificateTrust -bool YES
[...]
PAM PKCS#11?
Since PAM is available in macOS, maybe the PAM PKCS#11 module can be used without too many changes? This module is for GNU/Linux but may be adapted for macOS.
In this case, adding support for smart card login in macOS, if you already have a PKCS#11 library for your card, should be easy.
Conclusion
The use of smart cards in macOS for high-level services (like authentication) is easier in Sierra, at least for PIV smart cards.
I imagine that the support of other smart card models will be proposed by third parties "soon".