Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

tokenadmin(8) [mojave man page]

tokenadmin(8)						    BSD System Manager's Manual 					     tokenadmin(8)

NAME

     tokenadmin -- Command-line interface to smartcards and other token-based keychains

SYNOPSIS

     tokenadmin [-hqv] command [command_options] [command_args]

DESCRIPTION

     A command-line tool to administer smartcards and other token-based keychains.

OPTIONS

     -h       With no arguments, shows a list of all commands.	If arguments are provided, shows usage for each of the specified commands.  Same
	      as the help command.

     -q       Makes tokenadmin less verbose.

     -v       Makes tokenadmin more verbose.

COMMANDS

     Note: all commands other than help take the -h option to display help.

     help	     Shows all commands.

     create-fv-user  -u short-name -l long-name [-p password]

		     Creates a new FileVaulted user protected by the inserted smart card or token.

		     Options:
		     -u short-name
			      Specify the short (i.e., login) name to be used for the account.
		     -l long-name
			      Specify the full name to be used for the account. If the full name contains spaces, the name must be enclosed by
			      quotation marks.
		     -p password
			      Password for the user's login keychain (optional).

EXAMPLE

     tokenadmin create-fv-user -u fvtest3 -p foo -l "FV Test User 3"

     Create a new FileVaulted user with short name "fvtest3" and full name "FV Test User 3", with the new FileVault image being protected by the
     inserted token. The password for the user's login keychain is "foo".  Note: after creating this user with tokenadmin, you must run "sc_auth
     accept -u fvtest3" or this user will not be able to log in.

SEE ALSO

     security(1), sc_auth(8), systemkeychain(8)

NOTES

     tokenadmin will eventually be merged into the security(1) command.

Darwin								   June 1, 2019 							    Darwin

Check Out this Related Man Page

sc_auth(8)						    BSD System Manager's Manual 						sc_auth(8)

NAME

     sc_auth -- SmartCard authorization setup script

SYNOPSIS

     sc_auth pair   [-v] -u user -h hash
     sc_auth unpair [-v] [-u user] [-h hash]
     sc_auth pairing_ui [-v] [-f] [-s enable|disable|status]
     sc_auth identities
     sc_auth list   [-v] [-u user] [-d domain]
     sc_auth changepin [-t tokenid] [-u]
     sc_auth enable_for_login -c class-id

SYNOPSIS - legacy
     sc_auth accept [-v] [-u user] [-d domain] [-k keyname]
     sc_auth accept [-v] [-u user] [-d domain] -h hash
     sc_auth remove [-v] [-u user] [-d domain]
     sc_auth hash   [-k keyname]

DESCRIPTION

     sc_auth configures a local user account to permit authentication using a supported SmartCard.  Authentication is via asymmetric key (also
     known as public-key) encryption.  sc_auth works with signing keys, but not encryption keys.

     sc_auth can perform the following actions:

     pair     Associate a user with a public key. Because user's keychain will be modified to be unlockable by a key, SmartCard with that key must
	      be present in the reader. The key to use has to be specified by its hash.

     unpair   Remove association with a user and keychain. If no specific hash is provided, all associations with a user are removed.

     pairing_ui
	      Enable, disable and force to display pairing dialog when card with unpaired identities is inserted

     identities
	      List all identities on all SmartCards and display appropriate associations with users (for associated keys) or key names (for unas-
	      sociated keys).

     list     List all public keys associated with a user.

     changepin
	      Change or unblock SmartCard PIN.	This command works only for Personal Identity Verification (PIV) SmartCards. With -u argument, PIN
	      can be unblocked using PUK and without the -u argument, PIN can be changed. Optional -t argument allows specifying tokenID.

     enable_for_login
	      Enable the app extension for login and make the token available to the system for authentication.

DESCRIPTION - legacy
     sc_auth can perform the following legacy actions:

     accept   Associate a user with a public key on a card.  The key to use can be specified either by its name or its hash.

     remove   Remove all public keys associated with a user.

     hash     Print the hashes for all keys on all inserted cards.

OPTIONS

     -u user  Specifies the user whose account is to be modified

     -d domain
	      Specifies the directory domain containing the user account

     -k keyname
	      Specifies a public key by its name

     -h hash  Specifies a public key by its hash

     -v       Verbose mode

     -f       Force to display pairing dialog

     -t tokenid
	      Specifies a token by tokenID

     -c class-id
	      Specifies a token by  'com.apple.ctk.class-id' from Info.plist

NOTES

     sc_auth is a shell script.  It is intended to be modified by administrators to suit their local environments.

     sc_auth is only known to work with a local directory.  Consult the script's source for some limited guidance to using remote directories.

SEE ALSO

     SmartCardServices(7), SmartCardServices-legacy(7), pam_smartcard(8)

MacOSX								 December 11, 2006							    MacOSX
Man Page