[SmartcardServices-Users] Cannot use my Yubikey Neo

Thomas Westfeld westfeld at mac.com
Tue Mar 3 11:25:32 PST 2015

Hello everyone,

I also made some experiments on how to get my Yubikey NEO working. I have now started from scratch, installing a new 10.9. I then installed homebrew, the Xcode command line tools for compiling, and OpenSC version 0.14.0. I rebooted the machine.

I inserted my Yubikey and I got the usual error message in the console (the NEO was in CCID+U2F mode):
3/3/15 6:09:55.814 PM com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO U2F+CCID 00 00 inserted into system
3/3/15 6:09:55.814 PM com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO U2F+CCID 00 00 cannot be used (error 229)

Then I used the NEO manager to disable everything on the yubikey except the CCID, but I got the same error as above.

Interestingly, the homebrew opensc installation does not put anything into the tokend folder. Should it do so?
The pcsctest command succeeds in printing my card's ATR and can connect to my yubikey.

I then uninstalled opensc using homebrew and updated the system to 10.9.5.

I then installed SmartCard Services from http://smartcardservices.macosforge.org and from it the PIV.tokend only. But even after a reboot I got the same error message and my yubikey is not visible in the Keychain.

So it is not really just plug it in and it works. I also checked the .plist file mentioned before and it seems that the yubikey is already whitelisted there.

@Uri How did you manage to get the yubikey visible?


On 03.03.2015 at 19:58, Blumenthal, Uri - 0558 - MITLL <uri at ll.mit.edu> wrote:

> Can somebody please help figure out how to configure <the system> to associate a given tokend with a given smart card type?
> In case it matters, the cards I use are CAC and Yubikey NEO. When OpenSC.tokend is installed, it grabs both CAC and NEO (as both support PIV). When OpenSC.tokend is not installed, NEO is not recognized by Keychain.
> Thanks!
> -- 
> Regards,
> Uri Blumenthal                               Voice: (781) 981-1638
> From: Uri Blumenthal <uri at ll.mit.edu>
> Date: Tuesday, March 3, 2015 at 11:38 
> To: Ridley DiSiena <rdisiena at gmail.com>
> Cc: "hotz at 2ndquadrant.com" <hotz at 2ndquadrant.com>, "smartcardservices-users at lists.macosforge.org" <smartcardservices-users at lists.macosforge.org>, "westfeld at mac.com" <westfeld at mac.com>
> Subject: Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
>>>> Now some naïve questions, as I browsed the OpenSC.tokend github, but did not find/figure out some important things
>>> I should mention I am not affiliated with that code project, just something I've tried for talking to the NEO. It appears quite functional but I noticed a general warning about stability.
>> :-)
>>>> Do I need to remove anything in order for it to run correctly? 
>>> Shouldn't need to remove anything. There is some sort of dark art to which tokend is used when there are multiple tokend(s) for the same card type. Really depends on the installers and if they remove any previously installed tokend. Sometimes it seems to be the last tokend installed or the first one the system has registered for that applet type - I'm actually not completely sure. Mostly I have tried to avoid that situation and only have one compatible tokend per applet type to be used. Sometimes it takes manual grooming of the /System/Library/Security/tokend folder if you have multiple compatible tokends for that type. Usually just backing up the tokends in there and removing or restoring if needed will get the job done if just testing. If the tokend is not there it will not be leveraged. [keep in mind they are directories not files]
>> I have done that (copied the entire directory to a safe place, and pruned it from everything but OpenSC.tokend).
>> Now Keychain correctly sees the NEO token, and recognizes/displays the two certificates on it. 
>> However much to my disappointment – it seems unable to unlock the token keychain. 
>> PIN is correct:
>> $ yubico-piv-tool -v -a verify-pin -P xxxxxx
>> skipping reader 'SCM SCR 3310 00 00' since it doesn't match.
>> using reader 'Yubico Yubikey NEO OTP+U2F+CCID 01 00' matching 'Yubikey'.
>> Action 9 does not need authentication.
>> Now processing for action 9.
>> Successfully verified PIN.
>> $
>> Any recommendation how to proceed?
>>>> Finally, this OpenSC.tokend will work with CAC as well, correct? (It would be a shame to lose the ability to use CAC.)
>>> Not sure. Might depend what kind of card, which vintage and applet configuration.
>> I’ve observed that it correctly recognizes my CAC and the certs on it – but again, seems unable to unlock it.
>> Any help is appreciated!
>> Thanks!
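
The backup-and-prune step discussed in the quoted thread (keep a single tokend bundle in /System/Library/Security/tokend, park the others, restore them later), written out as an added example; it is not part of the thread or of any project's code. The function names and the default backup location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: leave exactly one tokend bundle active and park the rest.
# The default folder is the one named in the thread; the backup path is assumed.

# isolate_tokend KEEP [TOKEND_DIR] [BACKUP_DIR] -> prints number of bundles moved
isolate_tokend() {
    keep=$1
    dir=${2:-/System/Library/Security/tokend}
    backup=${3:-$HOME/tokend-backup}

    # Refuse to run if the bundle to keep is absent: moving everything else
    # away would leave no tokend for the card at all.
    if [ ! -d "$dir/$keep" ]; then
        echo "error: $dir/$keep is not an installed tokend bundle" >&2
        return 1
    fi
    mkdir -p "$backup" || return 1

    moved=0
    for bundle in "$dir"/*.tokend; do
        [ -d "$bundle" ] || continue        # tokends are directories, not files
        name=$(basename "$bundle")
        [ "$name" = "$keep" ] && continue
        if [ -e "$backup/$name" ]; then     # never overwrite an earlier backup
            echo "skip: $backup/$name already exists" >&2
            continue
        fi
        mv "$bundle" "$backup/$name" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# restore_tokends [TOKEND_DIR] [BACKUP_DIR] -> prints number of bundles restored
restore_tokends() {
    dir=${1:-/System/Library/Security/tokend}
    backup=${2:-$HOME/tokend-backup}
    restored=0
    for bundle in "$backup"/*.tokend; do
        [ -d "$bundle" ] || continue
        name=$(basename "$bundle")
        [ -e "$dir/$name" ] && continue     # an installed copy wins
        mv "$bundle" "$dir/$name" || return 1
        restored=$((restored + 1))
    done
    echo "$restored"
}
```

Against the real system folder both functions need root privileges; for example, `isolate_tokend OpenSC.tokend` leaves only OpenSC.tokend in place.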
