[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Fri Mar 6 05:21:37 PST 2015


Actually, I checked - and must apologize for misleading you. There are FOUR slots for certificates in the PIV applet, and the FIFTH one is for the 3DES management key. 

On a different system that also runs Mavericks 10.9.5 but doesn't have all the corporate crap installed, OpenSC.tokend seemed to work OK with CAC but did not recognize NEO at all. Whatever scarce logs I managed to get, I will post here later.

--
Regards,
Uri Blumenthal                            Voice: (781) 981-1638
Cyber Systems and Technology   Fax:   (781) 981-0186
MIT Lincoln Laboratory                Cell:  (339) 223-5363
244 Wood Street, Lexington, MA 02420-9185       

Web:  http://www.ll.mit.edu/CST/
MIT LL Root CA:  <https://www.ll.mit.edu/labcertificateauthority.html>
------Original Message------
From: Thomas Westfeld
To: Blumenthal, Uri
Cc: hotz at 2ndquadrant.com
Cc: rdisiena at gmail.com
Cc: SmartCardServices-Users
Subject: Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
Sent: Mar 5, 2015 16:41

Well, that does not sound too promising. Funny that Yubico is advertising using the Yubikey NEO to store certs on it to be used via the Mac OS X keychain. I also do not understand why the SmartCardServices PIV.tokend does recognize the yubikey, although it claims to be PIV compliant.

Thank you for the explanation of the different slots.


Am 05.03.2015 um 22:26 schrieb Blumenthal, Uri - 0558 - MITLL <uri at ll.mit.edu>:

> 1. I would not call it "works". What you got is having the card *recognized* - one/first step on a potentially long road. 
> 
> 2. No, there are *three* slots for PK keys. The fourth one is for 3DES authentication/management key.
> 
> 3. "yubico-piv-tool --help" (I think - maybe it was on NEO PIV web page) tells what these slots are: one for Digital Signature cert, one for Key Management cert (i.e. encryption), one for PIV Authentication (I think it is Identity cert), and one for card management (3DES). I haven't seen any docs, but Yubico web page on NEO PIV lists those.
> 
> In summary, OpenSC.tokend is busted, and attempts to recompile it did not produce a usable program. Anybody who understands it cares to pitch in?
> 
> ------Original Message------
> From: Thomas Westfeld
> To: Blumenthal, Uri
> Cc: Henry B (Hank) Hotz, CISSP
> Cc: Ridley DiSiena
> Cc: SmartCardServices-Users
> Subject: Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
> Sent: Mar 5, 2015 16:01
> 
> Hello again,
> 
> finally I got it to work. It just does not work to install OpenSC via homebrew because the corresponding tokend is missing. When installing from the github repo https://github.com/OpenSC/OpenSC/releases it works. I can now insert the yubikey and it appears in my keychain.
> 
> However I also have a similar problem concerning the unlocking of the keychain on the yubikey. It asks me for the keychain password of the yubikey and I enter the PIN, however Mail reports an error in using this certificate on the yubikey.
> 
> When checking which tokend takes care of the yubikey it is the OpenSC one, so that sounds reasonable.
> 
> I managed to import certificates and keys into the yubikey using the yubico-piv-tool. 
> 
> BTW, is there a documentation or hint on which slot to use for which purpose and what the implications are? Am I right that the yubikey has 4 slots for cert/key pairs?
> 
> Am 05.03.2015 um 16:28 schrieb Blumenthal, Uri - 0558 - MITLL <uri at ll.mit.edu>:
> 
>> On 3/3/15, 15:31 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
>> wrote:
>> 
>>>>> Do I need to remove anything in order for it to run correctly?
>>>> 
>>>> Shouldn't need to remove anything. There is some sort of dark art to
>>>> which tokend is used when there are multiple tokend(s) for the same card
>>>> type.
>>> 
>>> Need to make sure you use the tools that go with the tokend that’s
>>> actually attached and running. Plug the card in and do a ps -ef | fgrep
>>> tokend to see.
>> 
>> I’ve tried several things, unfortunately including attempt to
>> recompile/reinstall pcsc-lite-1.8.13, which messed everything up
>> enormously.
>> 
>> I’ve restored the original Apple /usr/sbin/pcscd and
>> /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle, but despite all
>> that it does not start any tokend.
>> 
>> Prior to this pcsc-lite fiasco, OpenSC.tokend would start/run (if present)
>> when a smart card was inserted, and it would recognize/display the card
>> and the certs that were on it - but it would not unlock it (prompts for a
>> PIN, accepts the PIN, and then nothing changes - and the card stays
>> locked; no error message or such).
> 
> 


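The slot question in this thread (which PIV slot is meant for which purpose, and how to tell which slot a given certificate belongs in) as an added example. This is not code from the thread, from OpenSC or from yubico-piv-tool. The slot identifiers 9a/9c/9d/9e (and 9b for the 3DES management key, which holds no certificate) are taken from the PIV card specification (NIST SP 800-73); the purposes match the ones Uri lists above. The DER blobs below are constructed KeyUsage BIT STRINGs, not extracted from a real card, and `decode_key_usage` / `suggest_slots` are names chosen here for illustration.

```python
"""Decode an X.509 KeyUsage BIT STRING and suggest a PIV slot for a cert.

Added example, not part of the mailing-list thread or of yubico-piv-tool.
"""
from typing import FrozenSet, List

# Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (a.k.a. contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# PIV certificate slots and their purpose (NIST SP 800-73). Slot 9b is the
# 3DES management key and carries no certificate, so it is not listed.
PIV_SLOTS = {
    "9a": "PIV Authentication",
    "9c": "Digital Signature",
    "9d": "Key Management",
    "9e": "Card Authentication",
}


def decode_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode a DER-encoded KeyUsage BIT STRING (tag 0x03) into flag names.

    Anything that is not a short-form BIT STRING with a sane unused-bits
    byte is rejected, so a garbled extension fails loudly instead of
    silently yielding an empty (or inflated) set of usages.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bits byte out of range")
    body = der[3:]
    if not body:
        return frozenset()
    nbits = len(body) * 8 - unused
    flags = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            flags.add(KEY_USAGE_BITS[i])
    return frozenset(flags)


def suggest_slots(usage: FrozenSet[str], ec_key: bool = False) -> List[str]:
    """Map a KeyUsage set to the PIV slot(s) whose purpose matches it.

    - 9c (Digital Signature) wants digitalSignature together with
      nonRepudiation.
    - 9a (PIV Authentication) and 9e (Card Authentication) want
      digitalSignature without nonRepudiation; 9e is the PIN-less slot
      intended for card authentication, so it is offered only as the
      second choice.
    - 9d (Key Management, the "encryption" slot) wants keyEncipherment
      for RSA keys and keyAgreement (ECDH) for EC keys.
    """
    slots: List[str] = []
    if "digitalSignature" in usage and "nonRepudiation" in usage:
        slots.append("9c")
    elif "digitalSignature" in usage:
        slots.extend(["9a", "9e"])
    km_flag = "keyAgreement" if ec_key else "keyEncipherment"
    if km_flag in usage:
        slots.append("9d")
    return slots


# Constructed sample KeyUsage values (DER: tag, length, unused bits, bits).
SAMPLES = {
    "signing cert":   bytes.fromhex("030206c0"),  # digitalSignature, nonRepudiation
    "identity cert":  bytes.fromhex("03020780"),  # digitalSignature only
    "encryption cert": bytes.fromhex("03020520"), # keyEncipherment only
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        usage = decode_key_usage(der)
        slots = suggest_slots(usage)
        print(f"{name:16s} {sorted(usage)} -> "
              f"{[f'{s} ({PIV_SLOTS[s]})' for s in slots]}")
```

The point of decoding the extension rather than trusting the file name is that importing a certificate into the wrong slot is silent: yubico-piv-tool will happily load a key-management certificate into 9a, and the failure only shows up later as an application refusing to use the certificate.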