Yubico Forum
https://forum.yubico.com/

Help - Requesting HOW TO: Yubikey Neo and OSX in CCID Mode
https://forum.yubico.com/viewtopic.php?f=26&t=1607

Author:  akatz0813 [ Mon Nov 17, 2014 6:37 pm ]
Post subject:  Help - Requesting HOW TO: Yubikey Neo and OSX in CCID Mode

Hello all!

I'd like to request anyone that is successfully using their Yubikey Neo in OSX Yosemite in CCID/PIV mode to provide step-by-step instructions on client setup. I currently have a certificate installed on the Yubikey already that I provisioned on a PC. I now need to be able to use it in OSX.

There are many forum posts about very specific issues with OSX, but no guide that is start to finish.

Thank you!

Author:  dwmw2 [ Thu Nov 20, 2014 12:47 am ]
Post subject:  Re: Help - Requesting HOW TO: Yubikey Neo and OSX in CCID Mo

I haven't really used the PIV bits under OSX, but I did manage to get the device talking to pcsclite. Unfortunately, pcsclite doesn't have a generic USB CCID class driver; it's all matched on specific vendor/device IDs. So I had to edit /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist to add the vendor ID / device ID / name to the relevant arrays.

I think maybe I also had to make it run pcscd because it wasn't started by default; I don't remember now.

Once you've done that, the device should be recognised as a card reader and show up when you run 'pcsctest'.

That should be the start of your 'start to finish' guide. As I said, I didn't look at PIV — but it was working well enough for me to test the OATH support in the VPN application I was working on.
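
The Info.plist edit described in the post above, as an added example that is not part of the original thread and not the poster's own code: it checks whether a vendor/product pair is already listed in the driver's matching arrays and appends it to all three arrays together if not. The key names `ifdVendorID`, `ifdProductID` and `ifdFriendlyName` are those of the open-source CCID driver's Info.plist and are not given in the post; the plist content and all IDs are constructed placeholders.

```python
import plistlib

# Constructed sample of the driver's Info.plist, reduced to the three parallel
# arrays the CCID driver matches readers on (key names are an assumption).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ifdVendorID</key>
  <array><string>0x1111</string><string>0x2222</string></array>
  <key>ifdProductID</key>
  <array><string>0xAAAA</string><string>0xBBBB</string></array>
  <key>ifdFriendlyName</key>
  <array><string>Example Reader A</string><string>Example Reader B</string></array>
</dict></plist>"""

KEYS = ("ifdVendorID", "ifdProductID", "ifdFriendlyName")


def _norm(hex_id):
    """Compare IDs numerically so 0x1050, 0X1050 and 0x01050 all match."""
    return int(hex_id, 16)


def find_reader(info, vendor, product):
    """Return the index of the (vendor, product) pair, or -1 if absent."""
    vendors, products, names = (info.get(k, []) for k in KEYS)
    if not (len(vendors) == len(products) == len(names)):
        # Entries are matched by position; unequal lengths mean a bad edit.
        raise ValueError("ifd arrays are misaligned: %d/%d/%d"
                         % (len(vendors), len(products), len(names)))
    for i, (v, p) in enumerate(zip(vendors, products)):
        if _norm(v) == _norm(vendor) and _norm(p) == _norm(product):
            return i
    return -1


def add_reader(plist_bytes, vendor, product, name):
    """Return plist bytes with the reader appended to all three arrays."""
    info = plistlib.loads(plist_bytes)
    if find_reader(info, vendor, product) == -1:
        for key, value in zip(KEYS, (vendor, product, name)):
            info.setdefault(key, []).append(value)
    return plistlib.dumps(info)


if __name__ == "__main__":
    # Placeholder IDs: substitute the values the device reports over USB.
    updated = add_reader(SAMPLE_PLIST, "0x1234", "0x5678", "Example Token")
    print(updated.decode())
```

Work on a copy of the file and keep a backup of the original; the misalignment check catches the case where an entry was added to one array but not the others.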

Author:  asym [ Fri Nov 21, 2014 1:58 am ]
Post subject:  Re: Help - Requesting HOW TO: Yubikey Neo and OSX in CCID Mo

My primary use case is OS X (10.10) with a yubikey NEO-n in CCID/PIV mode only for use in mutual-auth TLS through Safari. The steps I followed were to download and install OpenSC (Yosemite installer was just posted within the last few days). I then put it into CCID mode only using Yubikey NEO Manager and installed the yubico-piv-tool and installed a .p12 using this tool.

The end result is that a keychain is present with my credential on it, but unlocking it via either Keychain Access or in the certificate prompt in Safari does not work. I have reset my PIN and for testing purposes set an incorrect PIN lockout of 30. I'm having trouble finding why exactly this cannot be unlocked via any application accessing keychain, but all command prompt tools (opensc-tool, yubico-piv-tool) are able to operate with it, which tells me the PIN is set and working. Additionally, installing the .p12 into keychain directly functions as expected, which eliminates that element.

I'd love to hear if anyone got this far and figured out that last step!

All times are UTC + 1 hour