This section provides installation information that is specific to smart card reader drivers for Microsoft Windows. Vendors that supply their own reader drivers should make each driver a member of the SmartCardReader setup class in the INF Version Section of the driver's INF file. Vendors must also add a section to properly configure the.
PIV Login for Macs
As of November 1, 2015, all Mac users at NIH are required to log in with a smart card.
What is PIV Login for Macs?
PIV Login for Macs is an ongoing initiative to implement the federally mandated smart card login requirement on Apple Macintosh computers at NIH. Once the initiative is complete, Mac users will be required to log into their computers using a HHS ID smart card, such as a Personal Identity Verification (PIV) card, Restricted Local Access (RLA) badge, or an Alternate Logon Token (ALT card).
Smart card login will be enacted through a custom-developed software plugin (NIHAuthPlugin). The process for installing the plugin will be conducted in a staggered manner by IC. Smart card login is already required for Windows computers at NIH.
For information on policy requirements for PIV Login view Smart Card Policies.
How to Log Into a Mac With a Smart Card
For instructions on logging into a Mac with a smart card view How to log into your Mac with your PIV Card.
Impact on FileVault and Keychain Passwords
Once PIV login for Macs is enabled, it will impact the passwords for the Mac applications FileVault and Keychain. The following sections describe the impact and provide links to additional instructions.
FileVault Password Update
If you change your NIH password while your computer is NOT connected to the NIH network, FileVault will continue to use your old password until it is updated. For instructions on updating your FileVault password, view How to Update the FileVault Password.
Note: If you become locked out of FileVault, contact your IC’s local IT support group for assistance.
Keychain Password Update
The first time you log into your Mac using a PIV, you will be prompted to update your Keychain password. Update the Keychain password using the PIN associated with your PIV. For instructions, view Update Your Keychain Password.
Note: Mac users should always log into their computers using a PIV and PIN. PIV login provides better security and avoids having to reset the Keychain password repeatedly.
Additionally, if you log into your Mac differently than you did the previous time (for example, using your NIH username and password to log in after previously using your PIV card), a dialog box will appear indicating that the system was unable to unlock your login Keychain. The dialog box will also provide options for updating the login Keychain. For information about updating the login Keychain, view How to update your Keychain Password during login or How to update or re-create Mac OS Keychain password.
Note: For assistance updating the Keychain login on your Mac, contact the NIH IT Service Desk for help. Once PIV login is enforced (and users can only log in with their PIV cards), this Keychain unlock issue will no longer occur.
Information and Assistance
See the PIV Mac Frequently Asked Questions (FAQ)
For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides or refer to the appropriate How-To Guide.
For questions or user support, please contact the NIH IT Service Desk.
This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication.
Enable smart card-only login
Make sure that you carefully follow these steps to ensure that users will be able to log in to the computer.
- Pair a smart card to an admin user account or configure Attribute Matching.
- If you’ve enabled strict certificate checks, install any root certificates or intermediates that are required.
- Confirm that you can log in to an administrator account using a smart card.
- Install a smart-card configuration profile that includes '<key>enforceSmartCard</key><true/>', as shown in the smart card-only configuration profile below.
- Confirm that you can still log in using a smart card.
For more information about smart card payload settings, see the Apple Configuration Profile Reference.
For more information about using smart card services, see the macOS Deployment Guide or open Terminal and enter:
man SmartCardServices
Disable smart card-only authentication
If you manually manage the profiles that are installed on the computer, you can remove the smart card-only profile in two ways. You can use the Profiles pane of System Preferences, or you can use the /usr/bin/profiles command-line tool. For more information, open Terminal and enter:
man profiles
If your client computers are enrolled in Mobile Device Management (MDM), you can restore password-based authentication. To do this, remove the smart card configuration profile that enables the smart card-only restriction from the client computers.
To prevent users from being locked out of their account, remove the enforceSmartCard profile before you unpair a smart card or disable attribute matching. If a user is locked out of their account, remove the configuration profile to fix the issue.
If you apply the smart card-only policy before you enable smart card-only authentication, a user can get locked out of their computer. To fix this issue, remove the smart card-only policy:
- Turn on your Mac, then immediately press and hold Command-R to start up from macOS Recovery. Release the keys when you see the Apple logo, a spinning globe, or a prompt for a firmware password.
- Select Disk Utility from the Utilities window, then click Continue.
- From the Disk Utility sidebar, select the volume that you're using, then choose File > Mount from the menu bar. (If the volume is already mounted, this option is dimmed.) Then enter your administrator password when prompted.
- Quit Disk Utility.
- Choose Terminal from the Utilities menu in the menu bar.
- Delete the Configuration Profile Repository. To do this, open Terminal and enter the following commands.
In these commands, replace <volumename> with the name of the macOS volume where the profile settings were installed.
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/.profilesAreInstalled
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Setup/.profileSetupDone
- When done, choose Apple menu > Restart.
- Reinstall all the configuration profiles that existed before you enabled smart card-only authentication.
Configure Secure Shell Daemon (SSHD) to support smart card-only authentication
Users can use their smart card to authenticate over SSH to the local computer or to remote computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication.
Update the /etc/ssh/sshd_config file:
- Use the following command to back up the sshd_config file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup_`date '+%Y-%m-%d_%H:%M'`
- In the sshd_config file, change '#ChallengeResponseAuthentication yes' to 'ChallengeResponseAuthentication no' and change '#PasswordAuthentication yes' to 'PasswordAuthentication no'. Both lines must be uncommented (no leading '#'); a commented line has no effect.
Then, use the following commands to restart SSHD:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
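The sshd_config edit described above can be checked before SSHD is restarted. The following is an added example, not part of the original article: the function names and sample configs are constructed for illustration, and the script assumes a single config file (Include files are not followed).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two directives changed above.

# Print the effective global value of keyword $2 in file $1, or "unset".
# sshd keeps the first value it reads for a keyword and ignores commented
# lines; scanning stops at the first Match block (conditional settings).
effective_value() {
  awk -v want="$2" '
    BEGIN { want = tolower(want); found = 0 }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      n = split(line, f, /[ \t=]+/)
      key = tolower(f[1])
      if (key == "match") exit
      if (key == want && n >= 2) { print tolower(f[2]); found = 1; exit }
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# Return 0 only when both password-based paths are explicitly set to "no".
# "unset" fails because the OpenSSH default for both keywords is "yes".
smartcard_only_sshd() {
  rc=0
  for key in ChallengeResponseAuthentication PasswordAuthentication; do
    val=$(effective_value "$1" "$key")
    if [ "$val" = "no" ]; then echo "OK   $key no"
    else echo "FAIL $key is $val"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample configs (not from a real host); prints the temp path.
write_sample() {
  tmp=$(mktemp)
  case "$1" in
    shipped) printf '%s\n' '#ChallengeResponseAuthentication yes' '#PasswordAuthentication yes' ;;
    half)    printf '%s\n' 'ChallengeResponseAuthentication no' '#PasswordAuthentication no' ;;
    fixed)   printf '%s\n' 'ChallengeResponseAuthentication no' 'PasswordAuthentication no' ;;
  esac > "$tmp"
  echo "$tmp"
}

for kind in shipped half fixed; do
  cfg=$(write_sample "$kind")
  echo "== $kind"
  smartcard_only_sshd "$cfg" || true
  rm -f "$cfg"
done
```

On a live system, call smartcard_only_sshd /etc/ssh/sshd_config; the "half" sample shows that a directive left commented out still fails the check.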
If a user wants to authenticate SSH sessions using a smart card, have them follow these steps:
- Use the following command to export the public key from their smart card:
ssh-keygen -D /usr/lib/ssh-keychain.dylib
- Add the public key from the previous step to the ~/.ssh/authorized_keys file on the target computer.
- Use the following command to back up the ssh_config file:
sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config_backup_`date '+%Y-%m-%d_%H:%M'`
- In the /etc/ssh/ssh_config file, add the line 'PKCS11Provider=/usr/lib/ssh-keychain.dylib'.
If the user wants to, they can also use the following command to add the private key to their ssh-agent:
ssh-add -s /usr/lib/ssh-keychain.dylib
Enable smart card-only for the SUDO command
Use the following command to back up the /etc/pam.d/sudo file:
sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the /etc/pam.d/sudo file with the following text:
Enable smart card-only for the LOGIN command
Use the following command to back up the /etc/pam.d/login file:
sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the /etc/pam.d/login file with the following text:
Enable smart card-only for the SU command
Use the following command to back up the /etc/pam.d/su file:
sudo cp /etc/pam.d/su /etc/pam.d/su_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the /etc/pam.d/su file with the following text:
Sample smart card-only configuration profile
Here’s a sample smart card-only configuration profile. You can use it to see the kinds of keys and strings that this type of profile includes.