Yubico Forum

All times are UTC + 1 hour




Posted: Wed Dec 17, 2014 1:35 am

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
My host system is OS X 10.10. I use VirtualBox, currently version 4.3.20. I have various guest OSs in VBox, for example Fedora 17. If the NEO token is plugged into the OS X host, would the smartcard portion of the token be available from the Linux guest in VBox?

The smartcard is operational and I can use it from the OS X host to authenticate ssh sessions, via gpg-agent and the key stored on the smartcard - that works great. USB options are all enabled for the Fedora 17 guest. I've enabled gpg-agent on the guest the same way I did on the host.

Yet gpg-agent on the guest cannot seem to access the NEO plugged into the host. It just falls back on password authentication. Anything else I need to do / configure / change / enable?

_________________
Florin Andrei
http://florin.myip.org/


Posted: Wed Dec 17, 2014 2:47 am

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I think you need the extra USB stuff for VirtualBox (sorry, can't remember the package name). Then you can delegate specific USB devices to be used by the virtual machine.


Posted: Wed Dec 17, 2014 2:57 am

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
The Extension Pack? It's installed already.

I've also tried to create / add a USB filter for this instance for that specific USB device - still nothing.

Attachment: neo.png (USB screenshot)

_________________
Florin Andrei
http://florin.myip.org/


Posted: Wed Dec 17, 2014 3:26 am

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
Do you not then see the USB device in your VM?


Posted: Wed Dec 17, 2014 3:26 pm
Site Admin
Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
My experience with VirtualBox and smartcards has been a bit hit and miss. With a Linux host it works OK if pcscd is stopped on the host; in other cases the device does not seem to be handed over correctly.

I've had some luck with creating an auto rule for a device to get passed through.

/klas


Posted: Wed Dec 17, 2014 9:18 pm

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
On OS X 10.9 there was a pcscd IIRC, but that seems to be gone.

On 10.10 there's a process that seems to run all the time:

Code:
/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd

When you use the NEO smartcard for the first time with gpg-agent and ssh, the list of related processes grows:

Code:
/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd

pcsc-wrapper -- 1 /System/Library/Frameworks/PCSC.framework/PCSC

/System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd


In any case, I can't seem to make it work from the guest. The extra two processes are not even launched when I try to use the smartcard from the guest. Moreover, having the guest running with the USB filter for NEO prevents the smartcard from working correctly with gpg-agent on the host itself. No idea why. Disable those filters and the guest does not interfere with the smartcard and gpg-agent on the host anymore.

---

There is a workaround:

Don't do anything on the guest. On the host, enable "ForwardAgent yes" for the range of IPs where the guests are. Then ssh from the host to the guest.

Now, on the guest, if you try to ssh anywhere, the authentication requests will be forwarded back to the host through the ssh chain. If gpg-agent is enabled on the host, your guest-run ssh session will be authenticated against the smartcard.

Of course, for this to work, before all you must ssh into the guest from the host. And then you're still subject to the smartcard issues that are plaguing OS X 10.10, like this one:

viewtopic.php?f=26&t=1656

Perhaps those issues are what cause the guest to not be able to use the NEO plugged into the host. I don't have a way to tell for sure.

_________________
Florin Andrei
http://florin.myip.org/
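
Added example, not part of the original posts: a host-side `~/.ssh/config` for the agent-forwarding workaround described in the last post. The `192.168.56.*` pattern is an assumed VirtualBox host-only range; substitute the addresses your guests actually use.

```sshconfig
# ~/.ssh/config on the OS X host (added example; addresses are assumptions)

# Guests only: forward the agent (gpg-agent backed by the NEO) into the VM.
# 192.168.56.* is an assumed host-only network range.
Host 192.168.56.*
    ForwardAgent yes

# Every other destination: never expose the agent.
Host *
    ForwardAgent no

# Check from the guest, after logging in from the host:
#   echo "$SSH_AUTH_SOCK"   -> should name a socket created by sshd
#   ssh-add -L              -> should list the public key held on the card
```

ssh_config uses the first value obtained for each option, so the guest block must come before `Host *`. While the session is open, root on the guest can ask the forwarded agent to sign with the card's key, which is why forwarding stays off for every other destination.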

