[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Tue Mar 3 08:38:32 PST 2015


>> Now some naïve questions, as I browsed the OpenSC.tokend github, but did not
>> find/figure out some important things
>  
> I should mention I am not affiliated with that code project, just something
> I've tried for talking to the NEO. It appears quite functional but I noticed a
> general warning about stability.

:-)

>> Do I need to remove anything in order for it to run correctly?
> 
> Shouldn't need to remove anything. There is some sort of dark art to which
> tokend is used when there are multiple tokend(s) for the same card type.
> Really depends on the installers and if they remove any previously installed
> tokend. Sometimes it seems to be the last tokend installed or the first one
> the system has registered for that applet type - I'm actually not completely
> sure. Mostly I have tried to avoid that situation and only have one compatible
> tokend per applet type to be used. Sometimes it takes manual grooming of the
> /System/Library/Security/tokend folder if you have multiple compatible tokends
> for that type. Usually just backing up the tokends in there and removing or
> restoring if needed will get the job done if just testing. If the tokend is
> not there it will not be leveraged. [keep in mind they are directories not
> files]

I have done that (copied the entire directory to a safe place, and pruned it
from everything but OpenSC.tokend).

Now Keychain correctly sees the NEO token, and recognizes/displays the two
certificates on it.

However, much to my disappointment – it seems unable to unlock the token
keychain.

PIN is correct:

$ yubico-piv-tool -v -a verify-pin -P xxxxxx
skipping reader 'SCM SCR 3310 00 00' since it doesn't match.
using reader 'Yubico Yubikey NEO OTP+U2F+CCID 01 00' matching 'Yubikey'.
Action 9 does not need authentication.
Now processing for action 9.
Successfully verified PIN.
$

Any recommendation how to proceed?

>> Finally, this OpenSC.tokend will work with CAC as well, correct? (It would be
>> a shame to lose the ability to use CAC.)
> 
> Not sure. Might depend what kind of card, which vintage and applet
> configuration.

I’ve observed that it correctly recognizes my CAC and the certs on it – but
again, seems unable to unlock it.

Any help is appreciated!

Thanks!

