Yubico Forum


All times are UTC + 1 hour




Posted: Thu Dec 11, 2014 12:41 am

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
If you're a Mac user and you're using the NEO tokens as smartcards for ssh authentication, you may want to refrain from "upgrading" to 10.10, due to this issue:

http://support.gpgtools.org/discussions ... agent-mode

Basically, your ssh sessions may get stuck in authentication, randomly. Or authentication may fail, as if you're not using the right ssh key.

What seems to be a workable temporary fix is to run "pkill gpg-agent" a few times, then manually do "gpg-agent --daemon" once, in a terminal. Sometimes you may have to unplug / replug the NEO token, too. That usually fixes your ssh authentication with the NEO token.

OS X 10.9 seems to work just fine.

For context, this is a setup similar to the one described and discussed in this thread:

[HOW-TO] - Yubikey NEO, OpenPGP, OpenSSH authentication

_________________
Florin Andrei
http://florin.myip.org/



Posted: Sun Jan 18, 2015 6:22 pm

Joined: Sun Feb 07, 2010 5:53 am
Posts: 3
Location: Ohio
For anyone who is still struggling with this issue on Yosemite (it's because of bugs in Apple's new PCSC implementation), I've come up with a temporary, simple and easily reversible workaround and posted instructions on the GPGTools support forum[1]. It works very well, no need to kill gpg-agent or remove and reinsert the NEO anymore.

There are some downsides, but some users will be totally unaffected by them (for instance those with NEO models without the PIV applet, or who aren't using it) and others may find them acceptable tradeoffs anyway to ensure GPG works reliably.

[1] details here: http://support.gpgtools.org/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149


Posted: Tue Jan 20, 2015 8:28 pm

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I've got some patches to GnuPG which seem to improve the situation for me:

https://github.com/darconeous/GnuPG/tre ... mon-behave

These patches allow me to get OS X keychain integration along with GnuPG. The integration isn't perfect, and the patches could use some love, but it does work for me.

Just make sure you add a line with "card-timeout 2" to "~/.gnupg/scdaemon.conf".


Posted: Wed Feb 04, 2015 9:33 pm

Joined: Wed Feb 04, 2015 4:19 pm
Posts: 3
Thanks for that info, Darco. The setup works well with the workaround that FlorinAndrei describes.

Do any of you guys use the PAM module on OS X 10.10 to unlock the screensaver or sudo with the YubiKey?


Posted: Tue Jul 21, 2015 1:37 pm

Joined: Wed Jul 08, 2015 11:29 am
Posts: 4
I've managed to follow the guide Yubico have produced, to install the yubico-pam module, generate the key and set screen saver & login requiring the YubiKey to be present to unlock the device, all on an OS X 10.9 Mac.

The problem I have is that this doesn't work on OS X 10.10. I have followed the exact same steps and screensaver lock works but login 2FA doesn't.

I've had a look at the suggestions already given and none of them have helped me to get around this.

Any thoughts on how to get around this would be most appreciated!

Cypher.


Posted: Wed Jul 22, 2015 12:28 am
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
PAM module works just fine for me in OSX 10.10.4. Make sure you're adding the "auth required pam_yubico.so mode=challenge-response" line between the "auth" and "account" lines. The order seems to be important.

https://www.yubico.com/wp-content/uploa ... -Login.pdf

I have not, however, figured out if there is a way to selectively enable the PAM requirement on certain accounts (i.e. configuring this will require the YubiKey for all accounts, assuming you also ran ykpamcfg -2 on each of the user accounts, otherwise you will be unable to log into those accounts).


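The placement rule and the lockout caveat from the post above, turned into a pre-flight check (an added example, not part of the thread or of Yubico's guide). It reads "between the auth and account lines" as after the last other auth line and before the first account line; the sample file, the account names and the default `~/.yubico/challenge-<serial>` location written by `ykpamcfg -2` are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks before enforcing pam_yubico.

# check_pam_order FILE: succeed only if FILE holds exactly one
# "auth required pam_yubico.so mode=challenge-response" line, placed after
# the other auth lines and before the first account line.
check_pam_order() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "auth" && $3 ~ /pam_yubico\.so$/ {
            seen++; at = NR
            if ($2 != "required") bad = bad " control-is-" $2
            if ($0 !~ /mode=challenge-response/) bad = bad " mode-missing"
            if (account_seen) bad = bad " after-account-lines"
            if (!auth_before) bad = bad " no-auth-line-before"
            next
        }
        $1 == "auth"    { if (seen) { bad = bad " auth-line-after" } else { auth_before = 1 } }
        $1 == "account" { account_seen = 1 }
        END {
            if (seen != 1) { print "FAIL: " (seen + 0) " pam_yubico auth lines"; exit 1 }
            if (bad != "") { print "FAIL:" bad; exit 1 }
            print "OK: pam_yubico auth line at line " at
        }' "$1"
}

# users_missing_challenge HOMES_DIR: print accounts with no challenge file.
# Assumption: `ykpamcfg -2` wrote to its default ~/.yubico/challenge-<serial>.
users_missing_challenge() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        ls "$home".yubico/challenge-* >/dev/null 2>&1 || basename "$home"
    done
}

# Constructed sample data (not real system files) so the script runs offline.
demo=$(mktemp -d)
printf '%s\n' \
    '# constructed PAM service file' \
    'auth       required       pam_opendirectory.so' \
    'auth       required       pam_yubico.so mode=challenge-response' \
    'account    required       pam_opendirectory.so' > "$demo/service"
mkdir -p "$demo/Users/alice/.yubico" "$demo/Users/bob"
: > "$demo/Users/alice/.yubico/challenge-0000000"
check_pam_order "$demo/service"                 # prints the OK line
users_missing_challenge "$demo/Users"           # prints: bob
rm -rf "$demo"
```

Any account the second function prints has no stored challenge and would be locked out once the line is active, so run both checks while a root session is still open.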
Posted: Sat Sep 26, 2015 8:26 pm

Joined: Sat Sep 26, 2015 7:52 pm
Posts: 3
CypherCookie wrote:
I've managed to follow the guide Yubico have produced, to install the yubico-pam module, generate the key and set screen saver & login requiring the YubiKey to be present to unlock the device, all on an OS X 10.9 Mac.

The problem I have is that this doesn't work on OS X 10.10. I have followed the exact same steps and screensaver lock works but login 2FA doesn't.

I've had a look at the suggestions already given and none of them have helped me to get around this.

Any thoughts on how to get around this would be most appreciated!

Cypher.

Have screensaver & user account login 2FA working on 10.10.5 with my Neo-n with homebrew installed pam_yubico module. Had to move the pam_yubico.so file to /usr/lib/pam from the homebrew installed location.

