userselector(7) [mojave man page]
UserSelector(7) BSD Miscellaneous Information Manual UserSelector(7) NAME
UserSelector -- overview and documentation DESCRIPTION
UserSelector is invoked only internally by the CryptoTokenKit framework. It is not intended to be used directly by an end user or an adminis- trator. Unless the string property UserSelectorPath is set with full executable path value in the configuration file ( /etc/SmartcardLogin.plist ), the system UserSelector is used. How CryptoTokenKit framework invokes UserSelector: UserSelector -o operation -u username -i pubkeyhash1[,pubkeyhash2,...] Path and format UserSelector runs in a sandbox which limits its path and file format. A custom UserSelector must be stored in the /Library/CryptoTokenKit directory. The file format of the UserSelector must be binary. Shell scripts are not supported. Supported Operations Map Operation This operation returns a list of users bound with pubkeyhashes from the SmartCard certificates. The username parameter is optional. If set, bindings are returned only for the specified user. The list of one or more comma separated pubkeyhashes is mandatory. Result format: Recognized bindings are returned through stdout. Each binding is placed on a separate line. Each line begins with the pubkeyhash string, fol- lowed by the TAB character ( ) and by the username. Sample: $ UserSelector -o map -i 01234567890123456789,ABCDEF01230123456789,98765432109876543210 ABCDEF01230123456789 user1 98765432109876543210 user2 Bind Operation This operation creates binding between the provided pubkeyhash and username . Result format: Exit code is set to 0 when succeeded, error code otherwise Sample: $ UserSelector -o bind -i ABCDEF01230123456789 -u username1 Unbind Operation This operation removes SmartCard bindings for the provided username If no pubkeyhash is provided, all bindings for that user are removed. If one or more pubkeyhashes are provided, only bindings for these are removed. Result format: Exit code is set to 0 when succeeded, error code otherwise Sample: $ UserSelector -o unbind -u username1 -i ABCDEF01230123456789 Check Operation This operation checks SmartCard bindings for a specific user. It returns 0 on stdout when the user has no SmartCard bindings, or 1 when already does. The username parameter is mandatory. Sample: $ UserSelector -o check -u username1 1 SEE ALSO
SmartCardServices(7), sc_auth(8) macOS Oct 12, 2017 macOS
Check Out this Related Man Page
sc_auth(8) BSD System Manager's Manual sc_auth(8) NAME
sc_auth -- SmartCard authorization setup script SYNOPSIS
sc_auth pair [-v] -u user -h hash sc_auth unpair [-v] [-u user] [-h hash] sc_auth pairing_ui [-v] [-f] [-s enable|disable|status] sc_auth identities sc_auth list [-v] [-u user] [-d domain] sc_auth changepin [-t tokenid] [-u] sc_auth enable_for_login -c class-id SYNOPSIS - legacy sc_auth accept [-v] [-u user] [-d domain] [-k keyname] sc_auth accept [-v] [-u user] [-d domain] -h hash sc_auth remove [-v] [-u user] [-d domain] sc_auth hash [-k keyname] DESCRIPTION
sc_auth configures a local user account to permit authentication using a supported SmartCard. Authentication is via asymmetric key (also known as public-key) encryption. sc_auth works with signing keys, but not encryption keys. sc_auth can perform the following actions: pair Associate a user with a public key. Because user's keychain will be modified to be unlockable by a key, SmartCard with that key must be present in the reader. The key to use has to be specified by its hash. unpair Remove association with a user and keychain. If no specific hash is provided, all associations with a user are removed. pairing_ui Enable, disable and force to display pairing dialog when card with unpaired identities is inserted identities List all identities on all SmartCards and display appropriate associations with users (for associated keys) or key names (for unas- sociated keys). list List all public keys associated with a user. changepin Change or unblock SmartCard PIN. This command works only for Personal Identity Verification (PIV) SmartCards. With -u argument, PIN can be unblocked using PUK and without the -u argument, PIN can be changed. Optional -t argument allows specifying tokenID. enable_for_login Enable the app extension for login and make the token available to the system for authentication. DESCRIPTION - legacy sc_auth can perform the following legacy actions: accept Associate a user with a public key on a card. The key to use can be specified either by its name or its hash. remove Remove all public keys associated with a user. hash Print the hashes for all keys on all inserted cards. OPTIONS
-u user Specifies the user whose account is to be modified -d domain Specifies the directory domain containing the user account -k keyname Specifies a public key by its name -h hash Specifies a public key by its hash -v Verbose mode -f Force to display pairing dialog -t tokenid Specifies a token by tokenID -c class-id Specifies a token by 'com.apple.ctk.class-id' from Info.plist NOTES
sc_auth is a shell script. It is intended to be modified by administrators to suit their local environments. sc_auth is only known to work with a local directory. Consult the script's source for some limited guidance to using remote directories. SEE ALSO
SmartCardServices(7), SmartCardServices-legacy(7), pam_smartcard(8) MacOSX December 11, 2006 MacOSX