[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Thu Mar 5 13:26:04 PST 2015

1. I would not call it "works". What you got is having the card *recognized* - one/first step on a potentially long road. 

2. No, there are *three* lots for PK keys. The fourth one is for 3DES authentication/management key.

3. "yubico-piv-tool --help" (I think - maybe it was on NEO PIV web page) tells what these slots are: one for Digital Signature cert, one for Key Management cert (i.e. encryption), one for PIV Authentication (I think it is Identity cert), and one for card management (3DES). I haven't seen any docs, but Yubico web page on NEO PIV lists those.

In summary, OpenSC.tokend is busted, and attempts to recompile it did not produce a usable program. Anybody who understands it cares to pitch in?

Uri Blumenthal                            Voice: (781) 981-1638
Cyber Systems and Technology   Fax:   (781) 981-0186
MIT Lincoln Laboratory                Cell:  (339) 223-5363
244 Wood Street, Lexington, MA 02420-9185       

Web:  http://www.ll.mit.edu/CST/
MIT LL Root CA:  <https://www.ll.mit.edu/labcertificateauthority.html>
------Original Message------
From: Thomas Westfeld
To: Blumenthal, Uri
Cc: Henry B (Hank) Hotz, CISSP
Cc: Ridley DiSiena
Cc: SmartCardServices-Users
Subject: Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
Sent: Mar 5, 2015 16:01

Hello again,

finally I got it to work. It just does not work to iinstall OpenSC via homebrew because the corresponding tokend is missing. When installing from the github repo https://github.com/OpenSC/OpenSC/releases it works. I can now insert the yubikey and it appears in my keychain.

However I also have a similar problem concerning the unlocking of the keychain on the yubikey. It asks me for the keychain password of the yubikey and I enter the PIN, however Mail reports an error in using this certificate on the yubikey.

When checking which tokend takes care of the yubikey it is the OpenSC one, so that sounds reasonable.

I managed to import certificates and keys into the yubikey using the yubico-piv-tool. 

BTW is there a documentation or hint, which slot to use for which purpose and what the implications are? Am I right that the yubikey has 4 slots for for cert/key pairs?

Am 05.03.2015 um 16:28 schrieb Blumenthal, Uri - 0558 - MITLL <uri at ll.mit.edu>:

> On 3/3/15, 15:31 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
> wrote:
>>>> Do I need to remove anything in order for it to run correctly?
>>> Shouldn't need to remove anything. There is some sort of dark art to
>>> which tokend is used when there are multiple tokend(s) for the same card
>>> type.
>> Need to make sure you use the tools that go with the tokend that’s
>> actually attached and running. Plug the card in and do a ps -ef | fgrep
>> tokend to see.
> I’ve tried several things, unfortunately including attempt to
> recompile/reinstall pcsc-lite-1.8.13, which messed everything up
> enormously.
> I’ve restored the original Apple /usr/sbin/pcscd and
> /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle, but despite all
> that it does not start any tokend.
> Prior to this pcsc-lite fiasco, OpenSC.tokend would start/run (if present)
> when a smart card was inserted, and it would recognize/display the card
> and the certs that were on it - but it would not unlock it (prompts for a
> PIN, accepts the PIN, and then nothing changes - and the card stays
> locked; no error message or such).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3072 bytes
Desc: not available
URL: <https://lists.macosforge.org/pipermail/smartcardservices-users/attachments/20150305/bff3c29d/attachment.p7s>

More information about the SmartcardServices-Users mailing list