Yubico Forum

Hello,

I have been testing the new feature in Sierra to leverage PIV token login for authentication. I have wiped the token several times, therefore I am assuming that there are references to the prior tokens somewhere in the keychain.

I cannot locate where the linkage is between the Yubikey token and the authentication chain on Sierra so I may delete the old tokens.

Can someone point me in the right direction?

To unpair users from smartcards on macOS Sierra, the sc_auth command line tool should be used.

Examples:

To list all smartcard hashes for user:

sc_auth list [username]

To unpair a smart card for user:

sc_auth unpair -h [hash]

To unpair all smartcards for user:

sc_auth unpair [username]

For full documentation:
man sc_auth

Can this be added to the GUI tool?

No, the PIV Manager is only used for editing the NEO or YubiKey 4. We have no interest in trying to integrate it to handle managing Apple applications.

There are also other alternatives to this. If you don't want Sierra to prompt you to pair a smart card at all (this will work for ANY smart card inserted that contains a valid certificate), you can simply run:

sc_auth pairing_ui -s disable (can be re-enabled at any time with sc_auth pairing_ui -s enable)