Yubico Forum
https://forum.yubico.com/

[Problem] Using Neo for OSX El Capitan Login
https://forum.yubico.com/viewtopic.php?f=26&t=2216
Page 1 of 1

Author:  noah977 [ Sat Feb 13, 2016 3:48 am ]
Post subject:  [Problem] Using Neo for OSX El Capitan Login

Hi,

I'd like to use the PIV features of my NEO to log in to my MacBook.

Generally following the guide here: https://randomoracle.wordpress.com/2015/02/09/smart-card-logon-for-os-x-part-iii/

My understanding is that I need to use the sc_auth command to set this up. However, sc_auth does not show my NEO at all.

Some details:
- yubikey-piv-tool sees the NEO and it is fine
- OSX Keychain Access program sees the NEO, and shows the keys inside
- pcsctest program shows the NEO and it is fine
- pkcs15-tool shows the NEO, can list contents, etc.

- SC_AUTH DOES NOT SHOW THE NEO

So, every tool I can think of correctly identifies the NEO as a PIV card, and can see that it has keys, certificates, etc.

Any suggestions on how to fix this?

Author:  noah977 [ Sun Feb 14, 2016 3:14 pm ]
Post subject:  Re: [Problem] Using Neo for OSX El Capitan Login

Got a little further.

Figured out how to get sc_auth to add the PIV hash to my user.

According to everything I've read, that should be the final step. However, the login process hasn't changed. When I insert the YubiKey, the logon window flashes quickly, but then still shows the password prompt instead of the PIN.

Author:  noah977 [ Mon Feb 15, 2016 2:05 am ]
Post subject:  Re: [Problem] Using Neo for OSX El Capitan Login

OK,

One more step closer.

Looking at the error logs on my Macbook (Using Console App), I can see the following errors:

14/2/2016 10:15:00.183 PM authorizationhost[1609]: Certificate could not be verified: 5

From what little I could find on Google, it appears as if OS X is refusing to recognize the digital certificate on the YubiKey because it is self-signed.

Now, the yubikey-piv-tool will create digital certs, on the device, but they're not signed by anyone. And, it looks like OS X only accepts certs signed by a recognizable CA. So, does this mean it is impossible to use a yubikey PIV to authenticate?

Author:  Uriel [ Tue Feb 16, 2016 8:04 pm ]
Post subject:  Re: [Problem] Using Neo for OSX El Capitan Login

Export a Certificate Signing Request using yubico-piv-tool, get it signed, and import the resulting certificate back.

I think that you can add a trusted CA yourself (and you can run that CA yourself).

Or you can buy a certificate from an established vendor.

Author:  mouse008 [ Mon Jul 04, 2016 1:52 pm ]
Post subject:  Re: [Problem] Using Neo for OSX El Capitan Login

I have to correct myself.

All the steps I outlined were necessary but insufficient.

Here are my steps:

  • Install the current OpenSC
  • Install a working tokend (happens to be https://github.com/mouse07410/OpenSC.tokend)
  • Placed my CA in the System keychain, set it as "Always Trusted"
  • Configured the NEO, ensuring it has CHUID and CCC installed; then added keys + certificates (issued by my CA)
  • Certificate in the slot 9A has
        Key Usage = Digital Signature
    and
        Extended Key Usage = Client Authentication, Smartcard Logon
  • Issued the command
        sudo security authorizationdb smartcard enable
  • Did
        sc_auth hash
    which showed my NEO's pubkey hash among the other keys
  • Did
        sudo sc_auth accept -u myself -h <the_hash_from_above>
  • Verified that
        sc_auth list -u myself
    shows that hash
  • Verified that Directory Utility shows that hash in the user record
  • Verified that Keychain shows all the certs on the NEO as valid
  • Verified that all the "normal" Mac OS X programs can work with NEO keys/certs (Apple Mail, Safari, Chrome, Keychain)

At this point, according to what I read so far, smartcard logon should just work, i.e. when you insert your token the login screen should change and prompt for your PIN instead of your password. In my case it does not happen. System log shows the same error as the other people saw:

    authorizationhost[1609]: Certificate could not be verified: 5


And this cannot be because the certificate is self-signed, because mine is not! My certificates are all issued by a trusted CA.

So, to noah977: check that your tokend is fine, e.g., by using Safari and/or Apple Mail. If they can work with NEO, then your tokend is probably OK.

Author:  mouse008 [ Thu Jul 07, 2016 3:07 am ]
Post subject:  Re: [Problem] Using Neo for OSX El Capitan Login

The answer turned out to be very simple. There is a difference (though it is unclear why or how) between a certificate added via Keychain Access, and one added via "security" command line interface.

So it was not good enough to add the Root CA for the certificate issuer to the System keychain via the Keychain Access utility. The solution was to remove that CA cert from the System keychain and re-add it via

    sudo security add-trusted-cert -d -k "/Library/Keychains/System.keychain" <path-to-the-issuing-CA-certificate>


After that has been done, smartcard login and screensaver unlock started working on El Capitan 10.11.5.
