Yubico Forum
https://forum.yubico.com/

potential issue with OS X 10.10 Yosemite and smartcards
https://forum.yubico.com/viewtopic.php?f=26&t=1656

Author:  FlorinAndrei [ Thu Dec 11, 2014 12:41 am ]
Post subject:  potential issue with OS X 10.10 Yosemite and smartcards

If you're a Mac user and you're using the NEO tokens as smartcards for ssh authentication, you may want to refrain from "upgrading" to 10.10, due to this issue:

http://support.gpgtools.org/discussions ... agent-mode

Basically, your ssh sessions may get stuck in authentication, randomly. Or authentication may fail, as if you're not using the right ssh key.

What seems to be a workable temporary fix is to run "pkill gpg-agent" a few times, then manually do "gpg-agent --daemon" once, in a terminal. Sometimes you may have to unplug / replug the NEO token, too. That usually fixes your ssh authentication with the NEO token.

OS X 10.9 seems to work just fine.

For context, this is a setup similar to the one described and discussed in this thread:

[HOW-TO] - Yubikey NEO, OpenPGP, OpenSSH authentication

Author:  mrsteveman1 [ Sun Jan 18, 2015 6:22 pm ]
Post subject:  Re: potential issue with OS X 10.10 Yosemite and smartcards

For anyone who is still struggling with this issue on Yosemite (it's because of bugs in Apple's new PCSC implementation), I've come up with a temporary, simple and easily reversible workaround and posted instructions on the GPGTools support forum[1]. It works very well, no need to kill gpg-agent or remove and reinsert the NEO anymore.

There are some downsides, but some users will be totally unaffected by them (for instance those with NEO models without the PIV applet, or who aren't using it) and others may find them acceptable tradeoffs anyway to ensure GPG works reliably.

[1] details here: http://support.gpgtools.org/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

Author:  darco [ Tue Jan 20, 2015 8:28 pm ]
Post subject:  Re: potential issue with OS X 10.10 Yosemite and smartcards

I've got some patches to GnuPG which seem to improve the situation for me:

https://github.com/darconeous/GnuPG/tre ... mon-behave

These patches allow me to get OS X keychain integration along with GnuPG. The integration isn't perfect, and the patches could use some love, but it does work for me.

Just make sure you add a line with "card-timeout 2" to "~/.gnupg/scdaemon.conf".

Author:  megatraveller2 [ Wed Feb 04, 2015 9:33 pm ]
Post subject:  Re: potential issue with OS X 10.10 Yosemite and smartcards

Thanks for that info, Darco. The setup works just well with the workaround that FlorinAndrei describes.

Do any of you guys use the PAM module on OS X 10.10 to unlock the screensaver or sudo with the Yubikey?

Author:  CypherCookie [ Tue Jul 21, 2015 1:37 pm ]
Post subject:  Re: potential issue with OS X 10.10 Yosemite and smartcards

I've managed to follow the guide Yubico have produced, to install the yubico-pam module, generate the key and set screen saver & login requiring the yubikey to be present to unlock the device all on an OS X 10.9 Mac.

The problem I have is that this doesn't work on OS X 10.10. I have followed the exact same steps and screensaver lock works but login 2fa doesn't.

I've had a look at the suggestions already given and none of them have helped me to get around this.

Any thoughts on how to get around this would be most appreciated!

Cypher.

Author:  ChrisHalos [ Wed Jul 22, 2015 12:28 am ]
Post subject:  Re: potential issue with OS X 10.10 Yosemite and smartcards

PAM module works just fine for me in OSX 10.10.4. Make sure you're adding the "auth required pam_yubico.so mode=challenge-response" line between the "auth" and "account" lines. The order seems to be important.

https://www.yubico.com/wp-content/uploa ... -Login.pdf

I have not, however, figured out if there is a way to selectively enable the PAM requirement on certain accounts (i.e. configuring this will require the YubiKey for all accounts, assuming you also ran ykpamcfg -2 on each of the user accounts; otherwise you will be unable to log into those accounts).
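
A small checker for the placement ChrisHalos describes above, as an added example that is not part of the original post or of Yubico's tooling: it reads a PAM service file and reports whether the pam_yubico.so line is "auth required", carries mode=challenge-response, and sits after the existing auth lines and before the account lines. The two sample files are constructed, and the parser assumes simple one-word control fields.

```python
MODULE = "pam_yubico.so"
MODE = "mode=challenge-response"

def parse_rules(text):
    """Return (lineno, facility, control, module, args) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) >= 3:                    # facility, control, module, options
            rules.append((lineno, fields[0].lower(), fields[1], fields[2], fields[3:]))
    return rules

def check_yubico(text):
    """Return findings; an empty list means the line matches the post's advice."""
    rules = parse_rules(text)
    yubi = [r for r in rules if r[3].endswith(MODULE)]
    if not yubi:
        return [f"no {MODULE} rule found"]
    other_auth = [r[0] for r in rules if r[1] == "auth" and not r[3].endswith(MODULE)]
    accounts = [r[0] for r in rules if r[1] == "account"]
    findings = []
    for lineno, facility, control, _module, args in yubi:
        if facility != "auth" or control != "required":
            findings.append(f"line {lineno}: is '{facility} {control}', post uses 'auth required'")
        if MODE not in args:
            findings.append(f"line {lineno}: missing {MODE}")
        if other_auth and lineno < max(other_auth):
            findings.append(f"line {lineno}: placed before an existing auth line")
        if accounts and lineno > min(accounts):
            findings.append(f"line {lineno}: placed after the first account line")
    return findings

GOOD = """\
# constructed sample: yubico line after the auth lines, before account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
auth       required       pam_yubico.so mode=challenge-response
account    required       pam_opendirectory.so
"""
BAD = """\
# constructed sample: wrong control, no mode, wrong position
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
auth       sufficient     pam_yubico.so
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD
    for finding in check_yubico(text) or ["ok"]:
        print(finding)
```

Run it with the path of a service file under /etc/pam.d as its argument before logging out, so a misplaced line is caught while a session is still open.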

Author:  basteed [ Sat Sep 26, 2015 8:26 pm ]
Post subject:  Re: potential issue with OS X 10.10 Yosemite and smartcards

CypherCookie wrote:
I've managed to follow the guide Yubico have produced, to install the yubico-pam module, generate the key and set screen saver & login requiring the yubikey to be present to unlock the device all on an OS X 10.9 Mac.

The problem I have is that this doesn't work on OS X 10.10. I have followed the exact same steps and screensaver lock works but login 2fa doesn't.

I've had a look at the suggestions already given and none of them have helped me to get around this.

Any thoughts on how to get around this would be most appreciated!

Cypher.

Have screensaver & user account login 2FA working on 10.10.5 with my Neo-n with Homebrew-installed pam_yubico module. Had to move the pam_yubico.so file to /usr/lib/pam from the Homebrew-installed location.

All times are UTC + 1 hour