
How To Get Piv Card Reader To Work For Mac



Built and supported by a US-based company, Centrify Express for Smart Card enables federal, military and contract employees to access protected websites, VPNs and secured email through their Mac devices. Since installing Yosemite, having the card in the reader freezes the Citrix Viewer at start-up (spinning rainbow ball). If I remove the card the program functions normally.

A tokend makes the keys and certificates on your smart card appear in Keychain Access.app and available to applications like Safari or Chrome.

I recently spent some time looking into getting my PIV card to work for web authentication with Mac OS Sierra (10.12.3) and seem to have got it working. As far as I can tell, I'm the first person to get this working within my office and now I'm wondering how to best document the process and get some other perspectives on the approach. I'd also like to go through the process with a few other people and make sure it's repeatable. With at least one other person's system I was not able to successfully repeat the process.


I'm wondering if this would be the best place to be documenting my findings or maybe something like handbook.18f.gov instead or maybe even just a google doc to keep it private at first?

Update: for now I'm putting notes in a private Google Doc. If you work in government and would like more information, please leave a comment below.

Also want to flag there may be an opportunity to coordinate with the work to use PIV for digital signing at GSA like https://github.com/GSA/gsa-doc-digital-signature

Background

Most Unix-like systems are configured to use the SSH protocol for remote access, but most SSH client applications do not support PIV as required by Federal policy. PuTTY-CAC, a fork of the Open Source PuTTY SSH client, resolves this issue.
VanDyke SecureCRT, a commercial product, also supports PIV SSH login for multiple platforms, including Windows and Mac.

Installing PuTTY-CAC

  1. If you have a forge.mil account, download the latest PuTTY-CAC package from forge.mil. If you do not have access to forge.mil, you can also download it at https://risacher.org/putty-cac. Source code is available at https://github.com/risacher/putty-cac
  2. There is no installer available for the binaries, so you must either:
    • Place the executable files directly in a directory that you have execute rights over.
    • Build an installation package to install the executables in the location you choose. This will enable the PuTTY-CAC applications to be available from the Start Menu.
      At a minimum, you must install the following packages:
    • putty.exe
    • pageant.exe
  3. Verify the version of PuTTY that was installed by opening the application and clicking About in the lower left corner.


4. Launch Pageant from the PuTTY install directory (e.g., C:\Program Files\Putty-CAC). Pageant will appear in the taskbar on the bottom right of your desktop; it will not open a window.

Insert CAPI Key into Pageant

  1. Open Windows Explorer or click Start > Computer.
  2. Open Pageant by clicking the executable.


3. A window will not open, but the Pageant icon will appear on the menu bar.



4. Right-click the icon and select View Keys.


5. The Pageant Key List window will appear. Click Add CAPI Cert.


6. Select your Smart Card Logon certificate from the Windows Security window.


Make sure you choose the correct certificate! Select “Click here to view certificate properties,” click “Details,” scroll half-way, and locate Enhanced Key Usage. It should begin with “Smart Card Logon”: this indicates it is the correct certificate. If you do not see this field, select a different certificate.
Note: If multiple certificates exist, you may want to clear out the expired or revoked certificates by following [How To – PIV Card – Clear certificate store](FIXME:need URL).
7. Click OK to close the details window.
8. Highlight the correct Smart Card certificate and click OK.
9. The Pageant Window will now display the certificate information.
10. Click Close.
Warning: You must re-add your certificate every time Pageant is started.

Configure PuTTY-CAC

  1. Right-click the Pageant icon again from the menu bar and select New Session. This will launch PuTTY.


2. From within PuTTY, enter the destination IP address or hostname in the Host Name (or IP address) textbox to setup a new profile, or if you already have profiles set up in PuTTY, load that profile.

Note: If you have multiple destination profiles, you will have to do the following steps for each profile
3. Enter a descriptive name under Saved Sessions textbox (if setting up a new profile).


4. On left panel, select Connection > SSH > CAPI, then check the box beside the words Attempt CAPI Certificate (Key-only) auth (SSH-2).


5. From within PuTTY, select Connection > SSH > Auth, then select both “Allow agent forwarding” and “Allow attempted changes of username in SSH-2.”
6. Click Session, then Save. This profile is now configured for PIV logon.


7. To get your PIV card’s SSH key, in PuTTY, go to Connection > SSH > CAPI and select the browse button on the right side. This will automatically fill in the “Cert” and “SSH keystring” fields.
8. Copy and paste the SSH keystring value from PuTTY into Notepad as you will need to include the SSH key when you contact the jumpbox support team or create a service ticket.



**9. add how to add to authorized_users files

..and request that they add your PIV card’s SSH key to your account on the jumpbox and create a configuration file (as described below) for SSH key forwarding to other systems beyond the initial jumpbox. Include the IP address of the jumpbox you are using, your account name, and the SSH key derived from your PIV card.
For other jumpboxes, submit a service ticket to that support group and include the IP address of the jumpbox you are using, your account name, and the SSH key derived from your PIV card.**


The configuration file should contain “Host *” and “ForwardAgent yes” and exist in the same folder where they place the SSH key.
10. In Saved Sessions, click Save to save your configuration.

Verify PIV Login


  1. Open Pageant (if not already running), make sure your CAPI key is populated, and close the Pageant window. Right-click the Pageant icon and choose “New Session”. This will open PuTTY-CAC.



2. Load one of your saved sessions that you previously configured for PIV logon.
3. When prompted, enter your remote Unix/Linux account name, and you should be prompted for your PIV PIN.



4. Enter your PIN, click OK and you should be logged in.
5. Once logged in, run ‘ssh-add -l’ to ensure that the forwarding agent is working. If you do not see the key printed when you run this command, something is wrong and you will not be prompted for your PIN if you ssh further into the environment.



6. Both the cert key that was pasted into the .ssh/authorized_keys and the config file need to be copied or scp’d to all the servers you will connect to in the data center. If the forwarding agent is working when you ssh to a server beyond the jumphost, you should be prompted for the PIN again.
7. After each server you ‘jump’ to, the output of ssh-add -l should always show the key. If not, either permissions are wrong or a file is mislabeled or missing.
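
A check for the failure modes named in step 7 (wrong permissions, a mislabeled or missing file), as an added example that is not part of the original guide. The function names and finding labels are made up for illustration, and the permission test assumes the usual OpenSSH rule that the .ssh directory and its files must not be group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the guide): audit the SSH files each hop depends on.
# Finding labels and function names are illustrative.

# True when the path is group- or world-writable, which sshd's StrictModes
# check refuses for the user's .ssh directory and authorized_keys.
is_loose() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_ssh_dir DIR [KEY_BLOB]: print one finding per line; non-zero if any.
audit_ssh_dir() {
    dir=$1; blob=${2:-}; rc=0
    for f in "$dir" "$dir/authorized_keys" "$dir/config"; do
        if [ ! -e "$f" ]; then echo "MISSING $f"; rc=1
        elif is_loose "$f"; then echo "LOOSE_PERMS $f"; rc=1
        fi
    done
    if [ -f "$dir/config" ]; then
        # The guide requires "ForwardAgent yes" under a "Host *" block.
        awk 'tolower($1) == "host" { star = ($2 == "*") }
             star && tolower($1) == "forwardagent" && tolower($2) == "yes" { ok = 1 }
             END { exit !ok }' "$dir/config" ||
            { echo "NO_FORWARDAGENT $dir/config"; rc=1; }
    fi
    if [ -n "$blob" ] && [ -f "$dir/authorized_keys" ]; then
        # Match on the base64 key blob so options and comments are ignored.
        awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
             END { exit !hit }' "$dir/authorized_keys" ||
            { echo "KEY_NOT_AUTHORIZED $dir/authorized_keys"; rc=1; }
    fi
    return $rc
}

# On a host reached with agent forwarding, the blob can come from the agent:
#   audit_ssh_dir "$HOME/.ssh" "$(ssh-add -L | awk '{ print $2; exit }')"
```

Run it on each server in the chain; no output and a zero exit status mean the files this guide depends on are present, tightly permissioned, and contain the forwarded key.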