frankmorgner / OpenSCToken

Use OpenSC in macOS CryptoTokenKit.
GNU General Public License v3.0

Problem with command sudo -u _serviceagent ... #37

Open SilviusSK opened 3 years ago

SilviusSK commented 3 years ago

Hi, I would like the smartcard to always be available, and that's why I used your command. This is the output:

airuzivilvester:~ User$ sudo -u _securityagent /Applications/Utilities/OpenSCTokenApp.app/Contents/MacOS/OpenSCTokenApp
Enter PIN for 'Certificate for PIV Authentication (User)':
2021-02-01 14:04:28.546 OpenSCTokenApp[1112:17536] NSXPCSharedListener should but cannot work around rdar://problem/35553241

airuzivilvester:~ User$ sudo -u _securityagent pluginkit -a /Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex
Password:
add: Connection interrupted

OpenSC v21 macOS Big Sur 11.1

Run OpenSCTokenApp as SecurityAgent sudo -u _securityagent /Applications/Utilities/OpenSCTokenApp.app/Contents/MacOS/OpenSCTokenApp or execute sudo -u _securityagent pluginkit -a /Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex: Registers OpenSC globally. Your token will always be available.

Thanks

frankmorgner commented 3 years ago

Sorry, Apple is constantly changing things around. I don't know how to fix this error.

Do you need to register it globally, at all? If you're pairing your card with your account, you should be able to login without any additional registration; running the App in your local account should be enough, shouldn't it?

SilviusSK commented 3 years ago

Hi, can you tell me what Apple is constantly changing? Maybe I could help.

My idea is to use the SmartCard to log in to the device as a means of security, and it doesn't matter whether it is after a restart of the device or just after logging out. Since FileVault does not have support for smartcards, we cannot change this: the first login will always be with a password.

I have set DisableFDEAutologin to YES

Scenario1: When I run the app from the local account, the first login, to unlock FileVault, is always with a password, then the second login is with the same password, and only after that can I use the SmartCard. In this case, you do not have a SmartCard as the element that secures your account.

Scenario2: If I understand correctly, if I register globally, then after the first login to unlock FileVault, for which I have to use the password, the next login can use SmartCard and PIN. In this case, yes.

If you set enforceSmartCard to true, in Scenario1 you cannot log in to the device anymore. You can unlock FileVault and that is all.