<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hello everyone,<div><br></div><div>I also did some experiments on how to get my Yubikey NEO working. I started over by installing a fresh 10.9 from scratch. I then installed Homebrew, the Xcode command line tools for compiling, and OpenSC version 0.14.0. I rebooted the machine.</div><div><br></div><div>I inserted my Yubikey and I got the usual error message in the console (the NEO was in CCID+U2F mode):</div><div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">3/3/15 6:09:55.814 PM com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO U2F+CCID 00 00 inserted into system</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">3/3/15 6:09:55.814 PM com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO U2F+CCID 00 00 cannot be used (error 229)</div></div><div><br></div><div>Then I used the NEO manager to disable everything on the Yubikey except CCID, but I got the same error as above.</div><div><br></div><div>Interestingly, the Homebrew opensc installation does not put anything into the tokend folder. Should it do so?</div><div>The pcsctest command succeeds in printing my card's ATR and can connect to my Yubikey.</div><div><br></div><div>I then uninstalled opensc using Homebrew and updated the system to 10.9.5.</div><div><br></div><div>I then installed SmartCard Services from <a href="http://smartcardservices.macosforge.org">http://smartcardservices.macosforge.org</a> and from it the PIV.tokend only. But even after a reboot I got the same error message and my Yubikey is not visible in the Keychain.</div><div><br></div><div>So it is not really a case of just plugging it in and it works. 
I also checked the .plist file mentioned before and it seems that the Yubikey is already whitelisted there.</div><div><br></div><div>@Uri How did you manage to get the Yubikey visible?</div><div><br></div><div>Regards,</div><div>Thomas</div><div><br><div><div><div>On 03.03.2015 at 19:58, Blumenthal, Uri - 0558 - MITLL <<a href="mailto:uri@ll.mit.edu">uri@ll.mit.edu</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;"><div><div>Can somebody please help me figure out how to configure <the system> to associate a given tokend with a given smart card type? </div><div><br></div><div>In case it matters, the cards I use are CAC and Yubikey NEO. When OpenSC.tokend is installed, it grabs both CAC and NEO (as both support PIV). When OpenSC.tokend is not installed, NEO is not recognized by Keychain.</div><div><br></div><div>Thanks!</div><div><div>-- </div><div><div style="font-size: 12px;">Regards,</div><div style="font-size: 12px;">Uri Blumenthal Voice: (781) 981-1638</div><div style="font-size: 12px;"><br></div></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);"><span style="font-weight:bold">From: </span> Uri Blumenthal <<a href="mailto:uri@ll.mit.edu">uri@ll.mit.edu</a>><br><span style="font-weight:bold">Date: </span> Tuesday, March 3, 2015 at 11:38 <br><span style="font-weight:bold">To: </span> Ridley DiSiena <<a href="mailto:rdisiena@gmail.com">rdisiena@gmail.com</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:hotz@2ndquadrant.com">hotz@2ndquadrant.com</a>" <<a href="mailto:hotz@2ndquadrant.com">hotz@2ndquadrant.com</a>>, "<a 
href="mailto:smartcardservices-users@lists.macosforge.org">smartcardservices-users@lists.macosforge.org</a>" <<a href="mailto:smartcardservices-users@lists.macosforge.org">smartcardservices-users@lists.macosforge.org</a>>, "<a href="mailto:westfeld@mac.com">westfeld@mac.com</a>" <<a href="mailto:westfeld@mac.com">westfeld@mac.com</a>><br><span style="font-weight:bold">Subject: </span> Re: [SmartcardServices-Users] Cannot use my Yubikey Neo<br></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;" type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;"><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;" type="cite"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite"><div><font style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Now some naïve questions, as I browsed the OpenSC.tokend github, but did not find/figure out some important things</font></div><div></div></blockquote><div> </div><div>I should mention I am not affiliated with that code project, just something I've tried for talking to the NEO. 
It appears quite functional but I noticed a general warning about stability.</div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">:-)</div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;" type="cite"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite"><font style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Do I need to remove anything in order for it to run correctly?</font> </blockquote><div><br></div><div>Shouldn't need to remove anything. There is some sort of dark art to which tokend is used when there are multiple tokend(s) for the same card type. Really depends on the installers and if they remove any previously installed tokend. Sometimes it seems
to be the last tokend installed or the first one the system has registered for that applet type - I'm actually not completely sure. Mostly I have tried to avoid that situation and only have one compatible tokend per applet type to be used. Sometimes it takes
manual grooming of the /System/Library/Security/tokend folder if you have multiple compatible tokends for that type. Usually just backing up the tokends in there and removing or restoring if needed will get the job done if just testing. If the tokend is not
there it will not be leveraged. [keep in mind they are directories not files]</div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">I have done that (copied the entire directory to a safe place, and pruned it from everything but OpenSC.tokend).</div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">Now Keychain correctly sees the NEO token, and recognizes/displays the two certificates on it. </div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;"><b>However</b> much to my disappointment – it seems <b>unable to unlock the token keychain</b>. </div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">PIN is correct:</div><div style="font-family: Calibri, sans-serif;"><br></div><div><div><font face="Courier">$ yubico-piv-tool -v -a verify-pin -P xxxxxx</font></div><div><font face="Courier">skipping reader 'SCM SCR 3310 00 00' since it doesn't match.</font></div><div><font face="Courier">using reader 'Yubico Yubikey NEO OTP+U2F+CCID 01 00' matching 'Yubikey'.</font></div><div><font face="Courier">Action 9 does not need authentication.</font></div><div><font face="Courier">Now processing for action 9.</font></div><div><font face="Courier">Successfully verified PIN.</font></div><div><font face="Courier">$</font></div></div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">Any recommendation how to proceed?</div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;" type="cite"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" 
type="cite"><div><font style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Finally, this OpenSC.tokend will work with CAC as well, correct? (It would be a shame to lose the ability to use CAC.)</font></div><div></div></blockquote><div><br></div><div>Not sure. Might depend what kind of card, which vintage and applet configuration.</div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">I’ve observed that it <b>correctly recognizes my CAC</b> and the certs on it – but again, seems <b>unable to unlock it</b>.</div><div><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><div class="gmail_extra">Any help is appreciated!</div></span><div><br></div><div>Thanks!</div></div></blockquote></span></div>
</blockquote></div><br></div></div></body></html>
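As an added example (not code from this thread, nor from OpenSC, SmartCard Services or Yubico), here is a small POSIX shell helper for the tokend grooming Ridley describes above: back up every bundle in the tokend directory, keep only the one you want to win, and restore the backup when done. It assumes the 10.9 layout the thread discusses, /System/Library/Security/tokend/<Name>.tokend/ with each bundle being a directory, and takes every path as an argument so it can be rehearsed against a copy before touching the real directory (which needs root on 10.9; later releases additionally protect /System with System Integrity Protection). The function names and the backup location are my own choices.

```shell
#!/bin/sh
# Added example: prune /System/Library/Security/tokend to a single bundle so
# the "which tokend wins" ambiguity cannot arise, keeping a backup to restore.
# Assumption: tokend bundles are directories named *.tokend (as the thread
# notes); plain files with that suffix are ignored. All paths are arguments.

# list_tokends DIR: print the bundle names (directories only) found in DIR
list_tokends() {
    dir=$1
    for bundle in "$dir"/*.tokend; do
        [ -d "$bundle" ] || continue
        basename "$bundle"
    done
}

# backup_tokends DIR BACKUP: copy every bundle in DIR into BACKUP (created if missing)
backup_tokends() {
    dir=$1; backup=$2
    mkdir -p "$backup" || return 1
    for bundle in "$dir"/*.tokend; do
        [ -d "$bundle" ] || continue
        cp -R "$bundle" "$backup"/ || return 1
    done
}

# keep_only DIR KEEP BACKUP: back everything up, then remove every bundle except KEEP.
# Refuses to run unless KEEP exists, so a typo cannot leave you with no tokend at all.
keep_only() {
    dir=$1; keep=$2; backup=$3
    if [ ! -d "$dir/$keep" ]; then
        echo "keep_only: no such tokend bundle: $dir/$keep" >&2
        return 1
    fi
    backup_tokends "$dir" "$backup" || return 1
    for bundle in "$dir"/*.tokend; do
        [ -d "$bundle" ] || continue
        [ "$(basename "$bundle")" = "$keep" ] && continue
        rm -rf "$bundle"
    done
}

# restore_tokends BACKUP DIR: put every backed-up bundle back into DIR
restore_tokends() {
    backup=$1; dir=$2
    for bundle in "$backup"/*.tokend; do
        [ -d "$bundle" ] || continue
        cp -R "$bundle" "$dir"/ || return 1
    done
}

# Real use on 10.9 (as root), keeping only OpenSC.tokend as Uri did:
#   . ./tokend-prune.sh
#   keep_only /System/Library/Security/tokend OpenSC.tokend /var/root/tokend-backup
# Undo:
#   restore_tokends /var/root/tokend-backup /System/Library/Security/tokend
```

After pruning, re-insert the card or reboot (as Thomas did) so that securityd re-evaluates the reader. Note that a successful `pcsctest` only shows that PC/SC can reach the CCID interface; it says nothing about whether any tokend has claimed the card, which is what Keychain visibility depends on.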