FV2 and Smart Cards

Smart cards are becoming an obsession and a rabbit hole: the deeper I delve, the more issues I find waiting ahead. Take FileVault 2, for example: it is becoming a hard requirement in most computing environments, and Apple itself is busy mandating strong encryption and security everywhere it goes.

Sadly, it doesn’t work with smart cards. At all. FV2’s pre-boot login is squarely set up to use username/password combinations only.

So what do you do if you’re in a secure environment where usernames and passwords have effectively been replaced by smart card certificate authentication? Well, that’s simple. You cheat.

Rich Trouton has a wonderful blog post, based on some work by Allen Golbig, on hiding FileVault 2 users. My work is based on their efforts and you can find it at the link below.

https://github.com/franton/Create-FV2-Only-User

Like many of my recent works, this requires CocoaDialog to function effectively and is meant to run after a smart card user first logs into a Mac. It then does the following:

  • Waits for FileVault to finish encrypting the Mac.
  • Issues a defaults write command to disable FileVault login passthrough (so that unlocking the disk with the FV2 account does not also log that account in).
  • Processes the information off the card (which should be showing as an extra keychain) to find the username.
  • Does some work on the username data to ensure that there aren’t multiple user accounts with the same name on the Mac.
  • Asks the user for a password so they can unlock the Mac in future.
  • Calculates the first unused UID for the FV2-only unlock account.
  • Creates a new, hidden user account based on the above information.
  • Adds that user to the FV2 authorised users list.
    • (I’m not happy about this part, but this is a proof of concept.)
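
The username de-duplication, first-free-UID and “wait for encryption” steps above are plain text processing, so here they are as an added POSIX shell example (written for this post, not the script from the linked repository). The functions take the command output as text, so they can be exercised offline on constructed data; the macOS-only part (defaults, dscl, fdesetup) sits behind an explicit --apply flag and is my assumed usage of those tools, not the repository’s. The 501 starting UID, the numeric-suffix naming scheme and the sample user list are all assumptions for the example.

```shell
#!/bin/sh
# Added example: offline-testable pieces of the FV2-only account procedure.

# Given the text of `fdesetup status`, succeed only once encryption has
# finished: FileVault must be on and no "Encryption in progress" line present.
fv2_encryption_done() {
  case "$1" in
    *"Encryption in progress"*) return 1 ;;
    *"FileVault is On."*)       return 0 ;;
    *)                          return 1 ;;
  esac
}

# Given "name uid" lines (the shape of `dscl . -list /Users UniqueID`) and a
# starting UID, print the first UID >= start that no account already uses.
first_unused_uid() {
  users="$1"; uid="$2"
  while printf '%s\n' "$users" | awk '{print $2}' | grep -qx "$uid"; do
    uid=$((uid + 1))
  done
  printf '%s\n' "$uid"
}

# Given a base name (e.g. the name read off the card) and the same "name uid"
# lines, print a login name not already taken: base, else base2, base3, ...
# (suffix scheme is an assumption; the point is never to collide with an
# existing account, including the card user's own account).
unique_username() {
  base="$1"; users="$2"; name="$base"; n=1
  while printf '%s\n' "$users" | awk '{print $1}' | grep -qx "$name"; do
    n=$((n + 1)); name="${base}${n}"
  done
  printf '%s\n' "$name"
}

# Constructed sample of what `dscl . -list /Users UniqueID` might return.
SAMPLE_USERS="root 0
_mbsetupuser 248
alice 501
alice.fv 502"

if [ "${1:-}" != "--apply" ]; then
  # Offline demonstration on the constructed data.
  echo "next free UID: $(first_unused_uid "$SAMPLE_USERS" 501)"   # 503
  echo "unlock account: $(unique_username alice "$SAMPLE_USERS")" # alice2
else
  # Real run on a Mac (assumed command usage; card user name passed as $2).
  card_user="$2"
  until fv2_encryption_done "$(fdesetup status)"; do sleep 30; done
  # Disable FV2 login passthrough so the unlock account cannot reach a session.
  defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
  existing="$(dscl . -list /Users UniqueID)"
  name="$(unique_username "$card_user" "$existing")"
  uid="$(first_unused_uid "$existing" 501)"
  printf 'Unlock password for %s: ' "$name"; stty -echo; read -r pw; stty echo; echo
  # Hidden account with no usable shell or home: it can unlock, not log in.
  dscl . -create "/Users/$name"
  dscl . -create "/Users/$name" UniqueID "$uid"
  dscl . -create "/Users/$name" PrimaryGroupID 20
  dscl . -create "/Users/$name" UserShell /usr/bin/false
  dscl . -create "/Users/$name" NFSHomeDirectory /var/empty
  dscl . -create "/Users/$name" IsHidden 1
  dscl . -passwd "/Users/$name" "$pw"
  # Final step (the part the post is unhappy with): enable the account for
  # FV2 unlock. fdesetup needs an already-enabled user's credentials in the
  # plist on stdin; FV2_ADMIN / FV2_ADMIN_PW are placeholders to supply.
  fdesetup add -usertoadd "$name" -inputplist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Username</key><string>${FV2_ADMIN:?set FV2_ADMIN}</string>
<key>Password</key><string>${FV2_ADMIN_PW:?set FV2_ADMIN_PW}</string>
<key>AdditionalUsers</key><array><dict>
<key>Username</key><string>$name</string>
<key>Password</key><string>$pw</string>
</dict></array></dict></plist>
EOF
fi
```

Run it with no arguments to see the text-processing functions on the sample data; the --apply branch is only meaningful on a Mac and should be read as a sketch of the ordering, with the credential handling for the final fdesetup step being exactly the part the post flags as unsatisfactory.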

The end result is that you should have a proper user account that is only accessible via smart card login. You will also have a similarly named FV2 account that unlocks the computer but can’t actually be logged in with. Pretty neat, huh?