Yubico Forum

PostPosted: Sat Feb 13, 2016 3:48 am 

Joined: Wed Feb 10, 2016 3:33 pm
Posts: 6
Hi,

I'd like to use the PIV features of my NEO to log in to my MacBook.

Generally following the guide here: https://randomoracle.wordpress.com/2015/02/09/smart-card-logon-for-os-x-part-iii/

My understanding is that I need to use the sc_auth command to set this up. However, sc_auth does not show my NEO at all.

Some details:
- yubico-piv-tool sees the NEO and it is fine
- OS X Keychain Access program sees the NEO, and shows the keys inside
- pcsctest program shows the NEO and it is fine
- pkcs15-tool shows the NEO, can list contents, etc.

- SC_AUTH DOES NOT SHOW THE NEO

So, every tool I can think of correctly identifies the NEO as a PIV card, and can see that it has keys, certificates, etc.

Any suggestions on how to fix this?



PostPosted: Sun Feb 14, 2016 3:14 pm 

Joined: Wed Feb 10, 2016 3:33 pm
Posts: 6
Got a little further.

Figured out how to get sc_auth to add the PIV hash to my user.

According to everything I've read, that should be the final step. However, the login process hasn't changed. When I insert the YubiKey, the logon window flashes quickly, but then still shows the password prompt instead of the PIN.


PostPosted: Mon Feb 15, 2016 2:05 am 

Joined: Wed Feb 10, 2016 3:33 pm
Posts: 6
OK,

One more step closer.

Looking at the error logs on my MacBook (using the Console app), I can see the following errors:

Code:
14/2/2016 10:15:00.183 PM authorizationhost[1609]: Certificate could not be verified: 5

From what little I could find on Google, it appears as if OS X is refusing to recognize the digital certificate on the YubiKey because it is self-signed.

Now, yubico-piv-tool will create digital certs on the device, but they're not signed by anyone. And it looks like OS X only accepts certs signed by a recognizable CA. So, does this mean it is impossible to use a YubiKey PIV to authenticate?


PostPosted: Tue Feb 16, 2016 8:04 pm 

Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
Export a Certificate Signing Request using yubico-piv-tool, get it signed, and import the resulting certificate back.

I think that you can add a trusted CA yourself (and you can run that CA yourself).

Or you can buy a certificate from an established vendor.


PostPosted: Mon Jul 04, 2016 1:52 pm 

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
I have to correct myself.

All the steps I outlined were necessary but insufficient.

Here are my steps:

  • Install the current OpenSC
  • Install a working tokend (happens to be https://github.com/mouse07410/OpenSC.tokend)
  • Placed my CA in the System keychain, set it as "Always Trusted"
  • Configured the NEO, ensuring it has CHUID and CCC installed; then added keys + certificates (issued by my CA)
  • Certificate in the slot 9A has
    Code:
    Key Usage = Digital Signature
    and
    Code:
    Extended Key Usage = Client Authentication, Smartcard Logon
  • Issued
    Code:
    sudo security authorizationdb smartcard enable
    command
  • Did
    Code:
    sc_auth hash
    , which showed my NEO's pubkey hash among the other keys
  • Did
    Code:
    sudo sc_auth accept -u myself -h <the_hash_from_above>
  • Verified that
    Code:
    sc_auth list -u myself
    shows that hash
  • Verified that
    Code:
    Directory Utility
    shows that hash in the user record
  • Verified that Keychain shows all the certs on the NEO as valid
  • Verified that all the "normal" Mac OS X programs can work with NEO keys/certs (Apple Mail, Safari, Chrome, Keychain)

At this point, according to what I read so far, smartcard logon should just work, i.e. when you insert your token the login screen should change and prompt for your PIN instead of your password. In my case it does not happen. System log shows the same error as the other people saw:

Code:
authorizationhost[1609]: Certificate could not be verified: 5


And this cannot be because the certificate is self-signed, because mine is not! My certificates are all issued by a trusted CA.

So, to noah977: check that your tokend is fine, e.g., by using Safari and/or Apple Mail. If they can work with NEO, then your tokend is probably OK.


PostPosted: Thu Jul 07, 2016 3:07 am 

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
The answer turned out to be very simple. There is a difference (though it is unclear why or how) between a certificate added via Keychain Access, and one added via "security" command line interface.

So it was not good enough to add the Root CA for the certificate issuer to the System keychain via the Keychain Access utility. The solution was to remove that CA cert from the System keychain and re-add it via
Code:
sudo security add-trusted-cert -d -k "/Library/Keychains/System.keychain" <path-to-the-issuing-CA-certificate>


After that has been done, smartcard login and screensaver unlock started working on El Capitan 10.11.5.


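The two working recipes in this thread (the step list above and the `security add-trusted-cert` fix in the final post) gathered into one script, as an added example that is not code from either poster or from Yubico. It assumes a local OpenSSL CA in ./ca (ca.crt, ca.key), that yubico-piv-tool, openssl, security and sc_auth are on PATH, and that the NEO holds a single key so the first line of `sc_auth hash` is the one to pair; the subject name and file names are made up for the example. Nothing runs at load time; call the three functions in order.

```shell
# Added example (not from the forum posts): 9A certificate flow for NEO smartcard
# logon. Assumed: CA in ./ca, tools on PATH, one key on the NEO.
set -euo pipefail

CA_DIR=${CA_DIR:-./ca}             # assumed location of the local CA
SLOT=9a                            # PIV authentication slot used by the posts
USER_NAME=${USER_NAME:-$(whoami)}  # account to pair with the key hash

# OpenSSL extension block giving the 9A certificate exactly the usages the step
# list requires: Key Usage = Digital Signature; Extended Key Usage = Client
# Authentication + Smartcard Logon (OpenSSL's name for 1.3.6.1.4.1.311.20.2.2
# is msSmartcardLogin).
piv_ext_conf() {
  cat <<'EOF'
[piv_9a]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, msSmartcardLogin
EOF
}

# 1. Make sure CHUID/CCC exist, generate the 9A key on the NEO, export a CSR.
prepare_neo() {
  yubico-piv-tool -a set-chuid -a set-ccc
  yubico-piv-tool -a generate -s "$SLOT" -o 9a-pub.pem
  yubico-piv-tool -a verify-pin -a request-certificate -s "$SLOT" \
      -S "/CN=${USER_NAME}/O=PIV Logon/" -i 9a-pub.pem -o 9a.csr
}

# 2. Sign the CSR with the local CA using the extensions above, import it to 9A.
sign_and_import() {
  piv_ext_conf > piv-ext.cnf
  openssl x509 -req -in 9a.csr -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
      -CAcreateserial -days 365 -extfile piv-ext.cnf -extensions piv_9a -out 9a.crt
  yubico-piv-tool -a import-certificate -s "$SLOT" -i 9a.crt
}

# 3. Trust the CA via the CLI (the form the last post found necessary, rather
#    than Keychain Access), enable smartcard auth, pair the key hash to the user.
trust_and_pair() {
  sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain "$CA_DIR/ca.crt"
  sudo security authorizationdb smartcard enable
  local hash
  hash=$(sc_auth hash | head -n1 | awk '{print $1}')  # assumes one key on the NEO
  sudo sc_auth accept -u "$USER_NAME" -h "$hash"
  sc_auth list -u "$USER_NAME"                        # should now print that hash
}
```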