Yubico Forum ...visit our web-store at 2016-07-07T03:07:51+01:00 https://forum.yubico.com/feed.php?f=26&t=2216 2016-07-07T03:07:51+01:00 2016-07-07T03:07:51+01:00 https://forum.yubico.com/viewtopic.php?t=2216&p=8773#p8773 <![CDATA[Re: [Problem] Using Neo for OSX El Capitan Login]]>
So it was not good enough to add the Root CA for the certificate issuer to the System keychain via Keychain Access utility. The solution was to do remove that CA cert from System keychain and re-add it via
Code:
sudo security add-trusted-cert -d -k "/Library/Keychains/System.keychain" <path-to-the-issuing-CA-certificate>


After that has been done, smartcard login and screensaver unlock started working on El Capitan 10.11.5.

Statistics: Posted by mouse008 — Thu Jul 07, 2016 3:07 am

]]> 2016-07-04T13:52:33+01:00 2016-07-04T13:52:33+01:00 https://forum.yubico.com/viewtopic.php?t=2216&p=8762#p8762 <![CDATA[Re: [Problem] Using Neo for OSX El Capitan Login]]>
All the steps I outlined were necessary but insufficient.

Here are my steps:

  • Install the current OpenSC
  • Install a working tokend (happens to be https://github.com/mouse07410/OpenSC.tokend)
  • Placed my CA in the System keychain, set it as "Always Trusted"
  • Configured the NEO, ensuring it has CHUID and CCC installed; then added keys + certificates (issued by my CA)
  • Certificate in the slot 9A has
    Code:
    Key Usage = Digital Signature
    and
    Code:
    Extended Key Usage = Client Authentication, Smartcard Logon
  • Issued
    Code:
    sudo security authorizationdb smartcard enable
    command
  • Did
    Code:
    sc_auth hash
    , which showed my NEO's pubkey hash among the other keys
  • Did
    Code:
    sudo sc_auth accept -u myself -h <the_hash_from_above>
  • Verified that
    Code:
    sc_auth list -u myself
    shows that hash
  • Verified that
    Code:
    Directory Utility
    shows that hash in the user record
  • Verified that Keychain shows all the certs on the NEO as valid
  • Verified that all the "normal" Mac OS X programs can work with NEO keys/certs (Apple Mail, Safari, Chrome, Keychain)

At this point, according to what I read so far, smartcard logon should just work, i.e. when you insert your token the login screen should change and prompt for your PIN instead of your password. In my case it does not happen. System log shows the same error as the other people saw:

Code:
authorizationhost[1609]: Certificate could not be verified: 5


And this cannot be because certificate is self-signed - because mine is not! My certificates are all issued by a trusted CA.

So, to noah977: check that your tokend is fine, e.g., by using Safari and/or Apple Mail. If they can work with NEO, then your tokend is probably OK.

Statistics: Posted by mouse008 — Mon Jul 04, 2016 1:52 pm

]]> 2016-02-16T20:04:40+01:00 2016-02-16T20:04:40+01:00 https://forum.yubico.com/viewtopic.php?t=2216&p=8336#p8336 <![CDATA[Re: [Problem] Using Neo for OSX El Capitan Login]]>
I think that you can add trusted CA yourself (and you can run that CA yourself).

Or you can buy a certificate from an established vendor.

Statistics: Posted by Uriel — Tue Feb 16, 2016 8:04 pm

]]> 2016-02-15T02:05:50+01:00 2016-02-15T02:05:50+01:00 https://forum.yubico.com/viewtopic.php?t=2216&p=8319#p8319 <![CDATA[Re: [Problem] Using Neo for OSX El Capitan Login]]>
One more step closer.

Looking at the error logs on my Macbook (Using Console App), I can see the following errors:

14/2/2016 10:15:00.183 PM authorizationhost[1609]: Certificate could not be verified: 5

From what little I could find on Google, it appears as if OS X is refusing to recognize the digital certificate on the Yubikey because It is self signed

Now, the yubikey-piv-tool will create digital certs, on the device, but they're not signed by anyone. And, it looks like OS X only accepts certs signed by a recognizable CA. So, does this mean it is impossible to use a yubikey PIV to authenticate?

Statistics: Posted by noah977 — Mon Feb 15, 2016 2:05 am

]]> 2016-02-14T15:14:30+01:00 2016-02-14T15:14:30+01:00 https://forum.yubico.com/viewtopic.php?t=2216&p=8317#p8317 <![CDATA[Re: [Problem] Using Neo for OSX El Capitan Login]]>
Figured out how to get sc_auth to add the PIV hash to my user.

According to everything I've read, that should be the final step. However, the login process hasn't changed. When I insert the yubikey, the logon window flashes quickly, but then still show the password prompt instead of the PIN.

Statistics: Posted by noah977 — Sun Feb 14, 2016 3:14 pm

]]> 2016-02-13T03:48:34+01:00 2016-02-13T03:48:34+01:00 https://forum.yubico.com/viewtopic.php?t=2216&p=8314#p8314 <![CDATA[[Problem] Using Neo for OSX El Capitan Login]]>
I like to use the PIV features of my NEO to login to my macbook.

Generally following the guide here: https://randomoracle.wordpress.com/2015/02/09/smart-card-logon-for-os-x-part-iii/

My understanding is that I need to use the sc_auth command to set this up. However, sc_auth does not show my NEO at all.

Some details:
- yubikey-piv-tool sees the NEO and it is fine
- OSX Keychain Access program sees the NEO, and show the keys inside
- pcsctest program shows the NEO and it is fine
- pkcs15-tool shows the NEO, can list contents, etc.

- SC_AUTH DOES NOT SHOW THE NEO

So, every tool I can think of correctly identifies the NEO as a PIV card, and can see that it has keys, certificates, etc.

Any suggestions on how fix this?

Statistics: Posted by noah977 — Sat Feb 13, 2016 3:48 am

]]>