Yubico Forum

Re: potential issue with OS X 10.10 Yosemite and smartcards

2015-09-26T20:26:27+01:00

CypherCookie wrote:

I've managed to follow the guide Yubico have produced, to install the yubico-pam module, generate the key and set screen saver & login requiring the yubikey to be present to unlock the device all on a OS X 10.9 Mac.

The problem i have is that this doesn't work on OS X 10.10. I have followed the exact same steps and screensaver lock works but login 2fa doesn't.

I've had a look at the suggestions already given and none of them have helped me to get around this.

Any thoughts on how to get around this would be most appreciated!

Cypher.

Have screensaver & user account login 2FA working on 10.10.5 with my Neo-n with homebrew installed pam_yubico module. Had to move the pam_yubico.so file to /usr/lib/pam from the homebrew installed location.

Statistics: Posted by basteed — Sat Sep 26, 2015 8:26 pm

Re: potential issue with OS X 10.10 Yosemite and smartcards

2015-07-22T00:28:30+01:00

PAM module works just fine for me in OSX 10.10.4. Make sure you're adding the "auth required pam_yubico.so mode=challenge-response" line between the "auth" and "account" lines. The order seems to be important.

https://www.yubico.com/wp-content/uploa ... -Login.pdf

I have not, however, figured out if there is a way to selectively enable the PAM requirement on certain accounts (i.e. configuring this will require the YubiKey for all accounts, assuming you also ran ykpamcfg -2 on each of the user accounts, otherwise you will be unable to log into those accounts.

Statistics: Posted by ChrisHalos — Wed Jul 22, 2015 12:28 am

Re: potential issue with OS X 10.10 Yosemite and smartcards

2015-07-21T13:37:19+01:00

Statistics: Posted by CypherCookie — Tue Jul 21, 2015 1:37 pm

Re: potential issue with OS X 10.10 Yosemite and smartcards

2015-02-04T21:33:09+01:00

Thanks for that Info Darco. The Setup works just well with the Workaround that FlorinAndrei describes.

Do any of you guys use the PAM Module on OS X 10.10 to unlock Screensaver or Sudo with the Yubikey?

Statistics: Posted by megatraveller2 — Wed Feb 04, 2015 9:33 pm

Re: potential issue with OS X 10.10 Yosemite and smartcards

2015-01-20T20:28:08+01:00

I've got some patches to GnuPG which seem to improve the situation for me:

https://github.com/darconeous/GnuPG/tre ... mon-behave

These patches allow me to get OS X keychain integration along with GnuPG. The integration isn't perfect, and the patches could use some love, but it does work for me.

Just make sure you add a line with "card-timeout 2" to "~/.gnupg/scdaemon.conf".

Statistics: Posted by darco — Tue Jan 20, 2015 8:28 pm

Re: potential issue with OS X 10.10 Yosemite and smartcards

2015-01-18T18:22:36+01:00

For anyone who is still struggling with this issue on Yosemite (it's because of bugs in Apple's new PCSC implementation), I've come up with a temporary, simple and easily reversible workaround and posted instructions on the GPGTools support forum[1]. It works very well, no need to kill gpg-agent or remove and reinsert the NEO anymore.

There are some downsides, but some users will be totally unaffected by them (for instance those with NEO models without the PIV applet, or who aren't using it) and others may find them acceptable tradeoffs anyway to ensure GPG works reliably.

[1] details here: http://support.gpgtools.org/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

Statistics: Posted by mrsteveman1 — Sun Jan 18, 2015 6:22 pm

potential issue with OS X 10.10 Yosemite and smartcards

2014-12-11T00:41:08+01:00

If you're a Mac user and you're using the NEO tokens as smartcards for ssh authentication, you may want to refrain from "upgrading" to 10.10, due to this issue:

http://support.gpgtools.org/discussions ... agent-mode

Basically, your ssh sessions may get stuck in authentication, randomly. Or authentication may fail, as if you're not using the right ssh key.

What seems to be a workable temporary fix is to run "pkill gpg-agent" a few times, then manually do "gpg-agent --daemon" once, in a terminal. Sometimes you may have to unplug / replug the NEO token, too. That usually fixes your ssh authentication with the NEO token.

OS X 10.9 seems to work just fine.

For context, this is a setup similar to the one described and discussed in this thread:

[HOW-TO] - Yubikey NEO, OpenPGP, OpenSSH authentication

Statistics: Posted by FlorinAndrei — Thu Dec 11, 2014 12:41 am