userselector(7) [mojave man page]

UserSelector(7) 				       BSD Miscellaneous Information Manual					   UserSelector(7)

NAME
     UserSelector -- overview and documentation

DESCRIPTION
     UserSelector is invoked only internally by the CryptoTokenKit framework. It is not intended to be used directly by an end user or an administrator. Unless the string property UserSelectorPath is set with full executable path value in the configuration file (/etc/SmartcardLogin.plist), the system UserSelector is used.

     How CryptoTokenKit framework invokes UserSelector:

           UserSelector -o operation -u username -i pubkeyhash1[,pubkeyhash2,...]

   Path and format
     UserSelector runs in a sandbox which limits its path and file format. A custom UserSelector must be stored in the /Library/CryptoTokenKit directory. The file format of the UserSelector must be binary. Shell scripts are not supported.

   Supported Operations

     Map Operation
       This operation returns a list of users bound with pubkeyhashes from the SmartCard certificates. The username parameter is optional. If set, bindings are returned only for the specified user. The list of one or more comma separated pubkeyhashes is mandatory.

       Result format:
       Recognized bindings are returned through stdout. Each binding is placed on a separate line. Each line begins with the pubkeyhash string, followed by the TAB character and by the username.

       Sample:
           $ UserSelector -o map -i 01234567890123456789,ABCDEF01230123456789,98765432109876543210
           ABCDEF01230123456789	user1
           98765432109876543210	user2

     Bind Operation
       This operation creates binding between the provided pubkeyhash and username.

       Result format:
       Exit code is set to 0 when succeeded, error code otherwise.

       Sample:
           $ UserSelector -o bind -i ABCDEF01230123456789 -u username1

     Unbind Operation
       This operation removes SmartCard bindings for the provided username. If no pubkeyhash is provided, all bindings for that user are removed. If one or more pubkeyhashes are provided, only bindings for these are removed.

       Result format:
       Exit code is set to 0 when succeeded, error code otherwise.

       Sample:
           $ UserSelector -o unbind -u username1 -i ABCDEF01230123456789

     Check Operation
       This operation checks SmartCard bindings for a specific user. It returns 0 on stdout when the user has no SmartCard bindings, or 1 when the user already does. The username parameter is mandatory.

       Sample:
           $ UserSelector -o check -u username1
           1

SEE ALSO
     SmartCardServices(7), sc_auth(8)

macOS				       Oct 12, 2017				       macOS
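
The map operation's command line and output format, as an added example in C (not Apple's code and not part of the man page): it parses the documented -o/-u/-i options and writes one pubkeyhash<TAB>username line per recognized binding. The binding table, the function name map_bindings and the non-zero exit codes are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Constructed sample bindings; a real selector would query its own store. */
struct binding { const char *hash, *user; };
static const struct binding TABLE[] = {
    { "ABCDEF01230123456789", "user1" },
    { "98765432109876543210", "user2" },
};

/* Map operation: for every hash in the comma-separated list that has a
 * binding (and matches user, when one is given) append "hash\tuser\n" to out.
 * Returns the number of lines written, or -1 on bad input or a short buffer. */
int map_bindings(const char *user, const char *hashes, char *out, size_t outsz)
{
    if (!hashes || !*hashes || outsz == 0) return -1;  /* -i is mandatory */
    char list[1024];
    if (strlen(hashes) >= sizeof list) return -1;      /* reject oversized input */
    strcpy(list, hashes);
    size_t used = 0; int n = 0;
    out[0] = '\0';
    for (char *h = strtok(list, ","); h; h = strtok(NULL, ",")) {
        for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++) {
            if (strcmp(h, TABLE[i].hash) != 0) continue;
            if (user && strcmp(user, TABLE[i].user) != 0) continue;
            int w = snprintf(out + used, outsz - used, "%s\t%s\n", h, TABLE[i].user);
            if (w < 0 || (size_t)w >= outsz - used) return -1;  /* truncated */
            used += (size_t)w; n++;
        }
    }
    return n;
}

int main(int argc, char **argv)
{
    const char *op = NULL, *user = NULL, *hashes = NULL;
    char out[2048]; int c;
    while ((c = getopt(argc, argv, "o:u:i:")) != -1) {
        if (c == 'o') op = optarg;
        else if (c == 'u') user = optarg;
        else if (c == 'i') hashes = optarg;
        else return 2;                       /* assumed exit code: bad option */
    }
    if (!op || strcmp(op, "map") != 0) return 2;  /* this example handles map only */
    if (map_bindings(user, hashes, out, sizeof out) < 0) return 1;
    fputs(out, stdout);
    return 0;
}
```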

SmartCardServices-legacy(7)			       BSD Miscellaneous Information Manual			       SmartCardServices-legacy(7)

NAME
     SmartCardServices-legacy -- overview of legacy SmartCard support

DESCRIPTION
     SmartCardServices-legacy is a set of components which add native support for SmartCards to OS X based on Tokend modules. Since OS X 10.12, there is SmartCard support which is described in SmartCardServices(7).

     Supported SmartCards appear as separate keychains. A Tokend module for each SmartCard you wish to use must be installed in /Library/Security/tokend

USB SMART CARD READER DRIVERS
     OS X has built-in support for USB CCID class-compliant SmartCard readers. For other readers, install the reader driver in /usr/local/libexec/SmartCardServices/drivers. Each driver is a bundle. The bundle contains an XML file Info.plist which contains the device's USB vendor ID and product ID. For detailed description of the plist format and how to write a reader driver, see http://pcsclite.alioth.debian.org/api/group__IFDHandler.html

SMART CARD APDU LOGGING
     It is possible to turn on logging for SmartCards by setting the global preference:

           sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes

     After a SmartCard reader is connected (or after reboot) all operations including contents of sent and received APDU messages are then logged into the system log. Logging uses the facility com.apple.security.smartcard.log so it is possible to set up filtering of these logs into custom targets (see asl.conf(5)).

     To avoid security risks that could occur if logging is turned on indefinitely, the logging setting is one-shot - it must be turned on by the command above to start logging again with a new reader. This includes unplugging and replugging the same reader.

DISABLING NEW SMART CARD SUPPORT
     It is possible to turn off the new tokens by setting the global preference:

           sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

DISABLING SHEET AUTHORIZATION IN PREFERENCES
     When using tokend-based SmartCards, according to your configuration you may not be able to use SmartCards for authorization in System Preferences sheets. In such case, you can disable sheets using following command:

           defaults write com.apple.Preferences UseSheets -bool FALSE

     System Preferences will then use the original dialog-based authorization.

ENTITLEMENT
     Sandboxed PCSC clients require 'com.apple.security.smartcard=YES' entitlement. Non-sandboxed PCSC clients do not require such entitlement (in order to keep backward compatibility with macOS < 10.10).

SEE ALSO
     SmartCardServices(7), sc_auth(8), defaults(1), asl.conf(5), ssh-keychain(8)

Mac OS X			       August 5, 2014				       Mac OS X