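├── .gitignore
├── README.md
├── Smartcard_pivssh
├── Smartcard_unlockpam
└── Smartcard_lockpam

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Smartcard Scripts

Helper scripts for enforcing smartcard (PIV) authentication on macOS. The two
PAM scripts must be run as root; the ssh script is meant to be run as root on
behalf of the user currently logged in at the console.

## Contents
- Smartcard_lockpam
  - Rewrites /etc/pam.d/sudo, /etc/pam.d/login and /etc/pam.d/su so that only
    smartcard authentication is accepted. A timestamped backup of each replaced
    policy is left in /etc/pam.d. Verify that a paired card works for every
    admin before running it, or you will lock yourself out of sudo and su.
- Smartcard_pivssh
  - Appends a pivssh alias to the console user's .bash_profile and .zshrc that
    runs ssh with PKCS11Provider set to /usr/lib/ssh-keychain.dylib.
- Smartcard_unlockpam
  - Rewrites the same three PAM policies with the stock, password-capable
    settings, undoing Smartcard_lockpam. Compare the result with the backups
    left by Smartcard_lockpam if this macOS version ships different defaults.

--------------------------------------------------------------------------------
/Smartcard_pivssh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Smartcard_pivssh: give the console user a `pivssh` alias that makes ssh load
# the macOS smartcard PKCS#11 provider (/usr/lib/ssh-keychain.dylib).
#
# Intended to be run as root (e.g. from a management agent). The alias is
# appended to the user's ~/.bash_profile and ~/.zshrc, once per file, and the
# write is performed as that user rather than as root.
set -euo pipefail

# The user currently at the console. scutil reports "loginwindow" when nobody
# is logged in; that is filtered out so the result is empty in that case.
logged_in_user=$(scutil <<< "show State:/Users/ConsoleUser" \
  | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }} ')

if [[ -z "$logged_in_user" ]]; then
  printf 'No console user is logged in; nothing to do.\n' >&2
  exit 1
fi

home_dir="/Users/$logged_in_user"
bash_profile="$home_dir/.bash_profile"
zsh_rc="$home_dir/.zshrc"

# The alias line itself. The original alias also passed -A (agent forwarding).
# That is not needed for the PKCS#11 provider, which ssh loads directly, and it
# lets anyone with root on the remote host use every key in the local agent for
# the life of the session. Add -A per invocation when it is genuinely required.
readonly ALIAS_LINE="alias pivssh='ssh -o PKCS11Provider=/usr/lib/ssh-keychain.dylib'"

#######################################
# Append the pivssh alias to a shell rc file unless it is already present.
# The file is created and appended *as the user* (sudo -u), so a symlink or
# hard link planted in the home directory cannot turn this root-run script into
# a write to an arbitrary file, and the user keeps ownership of the rc file.
# Globals:   logged_in_user, ALIAS_LINE (read)
# Arguments: $1 - path to the rc file
# Returns:   non-zero if the path is a symlink or the write fails
#######################################
add_alias() {
  local rc_file=$1
  local label=${rc_file##*/}

  # Defence in depth: even though the write runs as the user, refuse to follow
  # a symlinked rc file rather than silently appending somewhere unexpected.
  if [[ -L "$rc_file" ]]; then
    printf '%s is a symlink; refusing to write through it.\n' "$rc_file" >&2
    return 1
  fi

  if [[ -f "$rc_file" ]] && grep -qF 'alias pivssh' "$rc_file"; then
    printf 'Alias already added to %s\n' "$label"
    return 0
  fi

  if [[ ! -f "$rc_file" ]]; then
    printf '%s not present, creating\n' "$label"
  fi
  printf 'Adding alias to %s\n' "$label"

  # A leading blank line keeps the alias separate from whatever the file ends with.
  printf '\n%s\n' "$ALIAS_LINE" | sudo -u "$logged_in_user" tee -a "$rc_file" >/dev/null
}

add_alias "$bash_profile"
add_alias "$zsh_rc"

--------------------------------------------------------------------------------
/Smartcard_unlockpam:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Smartcard_unlockpam: restore password-capable PAM policies for sudo, login
# and su, undoing Smartcard_lockpam.
#
# The policies below are written out verbatim rather than restored from a
# backup, so they reflect the defaults the author captured. A newer macOS may
# ship different stock policies; diff the result against the backup that
# Smartcard_lockpam left in /etc/pam.d before relying on it.
#
# Must run as root. Each file is replaced atomically (temp file + rename) so an
# interruption never leaves a partial, deny-everything policy behind.
set -euo pipefail

readonly PAM_DIR=/etc/pam.d

if [[ $EUID -ne 0 ]]; then
  printf 'This script must run as root.\n' >&2
  exit 1
fi

#######################################
# Replace $PAM_DIR/<service> with the policy text read from stdin.
# Arguments:
#   $1 - PAM service name (sudo, login, su)
#   $2 - octal mode for the new file
# Side effects: leaves a timestamped copy of the previous file next to it.
#######################################
install_pam_policy() {
  local service=$1 mode=$2
  local target="$PAM_DIR/$service"
  local tmp

  if [[ -f "$target" ]]; then
    cp -p "$target" "$target.backup_$(date +%Y%m%d%H%M%S)"
  fi

  # Create the temp file beside the target so mv is a same-filesystem rename.
  tmp=$(mktemp "$target.XXXXXX")
  if ! cat > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  chown root:wheel "$tmp"
  chmod "$mode" "$tmp"
  mv -f "$tmp" "$target"
}

# sudo: card is sufficient; otherwise a directory password is required.
install_pam_policy sudo 444 <<'SUDO_END'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
SUDO_END

# login: stock password stack (no smartcard line).
install_pam_policy login 644 <<'LOGIN_END'
# login: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
LOGIN_END

# su: root needs nothing; everyone else authenticates with a directory password.
install_pam_policy su 644 <<'SU_END'
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so
SU_END

--------------------------------------------------------------------------------
/Smartcard_lockpam:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Smartcard_lockpam: make sudo, login and su accept *only* smartcard (PIV)
# authentication by rewriting their /etc/pam.d policies.
#
# How the policies enforce smartcard-only: pam_smartcard.so is "sufficient",
# so a successful card+PIN ends the auth stack. Every other path falls through
# to a "required" pam_deny.so, which fails unconditionally, so the password
# modules that remain in the stack can never satisfy it on their own.
#
# LOCKOUT WARNING: run this only after a smartcard has been paired for every
# admin who needs sudo, su or login on this Mac and the card+PIN has been
# verified. Keep a root shell open until you have confirmed that `sudo -k`
# followed by `sudo -v` succeeds with the card. Smartcard_unlockpam reverts
# the change, and a timestamped backup of each replaced file is left in
# /etc/pam.d.
#
# Must run as root. Each file is replaced atomically (temp file + rename) so an
# interruption never leaves a partial, deny-everything policy behind.
set -euo pipefail

readonly PAM_DIR=/etc/pam.d

if [[ $EUID -ne 0 ]]; then
  printf 'This script must run as root.\n' >&2
  exit 1
fi

#######################################
# Replace $PAM_DIR/<service> with the policy text read from stdin.
# Arguments:
#   $1 - PAM service name (sudo, login, su)
#   $2 - octal mode for the new file
# Side effects: leaves a timestamped copy of the previous file next to it.
#######################################
install_pam_policy() {
  local service=$1 mode=$2
  local target="$PAM_DIR/$service"
  local tmp

  if [[ -f "$target" ]]; then
    cp -p "$target" "$target.backup_$(date +%Y%m%d%H%M%S)"
  fi

  # Create the temp file beside the target so mv is a same-filesystem rename.
  tmp=$(mktemp "$target.XXXXXX")
  if ! cat > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  chown root:wheel "$tmp"
  chmod "$mode" "$tmp"
  mv -f "$tmp" "$target"
}

# sudo: card+PIN or nothing; pam_deny.so closes the password path.
install_pam_policy sudo 444 <<'SUDO_END'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
SUDO_END

# login: same pattern; the optional krb5/ntlm/mount modules still run but the
# trailing pam_deny.so means only the smartcard line can grant access.
install_pam_policy login 644 <<'LOGIN_END'
# login: auth account password session
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_deny.so
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
LOGIN_END

# su: card+PIN, or already root (pam_rootok.so); group membership is still
# checked for non-root callers.
install_pam_policy su 644 <<'SU_END'
# su: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_rootok.so
auth       required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_permit.so
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so
SU_END

--------------------------------------------------------------------------------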