[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Tue Mar 3 10:58:40 PST 2015

Can somebody please help figuring out how to configure <the system> to associate
a given tokend with a given smart card type?

In case it matters, the cards I use are CAC and Yubikey NEO. When
OpenSC.tokend is installed, it grabs both CAC and NEO (as both support PIV).
When OpenSC.tokend is not installed, NEO is not recognized by Keychain.

Uri Blumenthal                               Voice: (781) 981-1638

From:  Uri Blumenthal <uri at ll.mit.edu>
Date:  Tuesday, March 3, 2015 at 11:38
To:  Ridley DiSiena <rdisiena at gmail.com>
Cc:  "hotz at 2ndquadrant.com" <hotz at 2ndquadrant.com>,
"smartcardservices-users at lists.macosforge.org"
<smartcardservices-users at lists.macosforge.org>, "westfeld at mac.com"
<westfeld at mac.com>
Subject:  Re: [SmartcardServices-Users] Cannot use my Yubikey Neo

>>> Now some naïve questions, as I browsed the OpenSC.tokend github, but did not
>>> find/figure out some important things
>> I should mention I am not affiliated with that code project, just something
>> I've tried for talking to the NEO. It appears quite functional but I noticed
>> a general warning about stability.
> :-)
>>> Do I need to remove anything in order for it to run correctly?
>> Shouldn't need to remove anything. There is some sort of dark art to which
>> tokend is used when there are multiple tokend(s) for the same card type.
>> Really depends on the installers and if they remove any previously installed
>> tokend. Sometimes it seems to be the last tokend installed or the first one
>> the system has registered for that applet type - I'm actually not completely
>> sure. Mostly I have tried to avoid that situation and only have one
>> compatible tokend per applet type to be used. Sometimes it takes manual
>> grooming of the /System/Library/Security/tokend folder if you have multiple
>> compatible tokends for that type. Usually just backing up the tokends in
>> there and removing or restoring if needed will get the job done if just
>> testing. If the tokend is not there it will not be leveraged. [keep in mind
>> they are directories not files]
> I have done that (copied the entire directory to a safe place, and pruned it
> from everything but OpenSC.tokend).
> Now Keychain correctly sees the NEO token, and recognizes/displays the two
> certificates on it.
> However, much to my disappointment – it seems unable to unlock the token
> keychain. 
> PIN is correct:
> $ yubico-piv-tool -v -a verify-pin -P xxxxxx
> skipping reader 'SCM SCR 3310 00 00' since it doesn't match.
> using reader 'Yubico Yubikey NEO OTP+U2F+CCID 01 00' matching 'Yubikey'.
> Action 9 does not need authentication.
> Now processing for action 9.
> Successfully verified PIN.
> $
> Any recommendation how to proceed?
>>> Finally, this OpenSC.tokend will work with CAC as well, correct? (It would
>>> be a shame to lose the ability to use CAC.)
>> Not sure. Might depend what kind of card, which vintage and applet
>> configuration.
> I’ve observed that it correctly recognizes my CAC and the certs on it – but
> again, seems unable to unlock it.
> Any help is appreciated!
> Thanks!
