Yubico Forum
https://forum.yubico.com/

[SOLVED] - CCID NEO Support on Mac OS
https://forum.yubico.com/viewtopic.php?f=26&t=1088
Page 2 of 2

Author:  dreamss [ Tue Sep 17, 2013 7:39 pm ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

Where can I get the PIV applet >_<

I want to start testing the smartcard capabilities for a couple of clients who run tax preparation offices.

Author:  xychix [ Tue Sep 24, 2013 7:21 pm ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

--edit--
[SOLVED]

The howto at the top of this forum is for OSX: viewtopic.php?f=26&t=1171
However, I apparently had it all working already.

Uninstalled OpenSC, all still working fine :)

Just install GPG-Tools; if you can get your hands on a Linux box, then that might be an ideal location for personalization of the key, and it keeps OSX clean :)

Just needed to import my public key and set trust to 5 (Ultimate). THEN and ONLY THEN does pgp recognize the private keys on the card as usable.

Author:  air [ Wed Jan 15, 2014 4:11 am ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

ctoph1977 wrote:
Oh lovely, the GitHub page has disappeared - now I'm curious whether I should publish my pull back even though I couldn't get it to work.


Please do publish your pull, I'd like to see it.

Author:  ppc [ Wed Jan 22, 2014 7:55 pm ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

The libccid provided by apple is incredibly old and doesn't support most of the readers out there. You can add support for the Yubikey NEO, as well as many other useful readers by updating libccid and installing it over the Apple provided one.

This process is described on the libccid page. This works brilliantly and allows normal access to the NEO through pcscd.

If you want the PIV applet to show up in Keychain Access and be otherwise accessible to the OS, you need to install the OpenSC.tokend module in /System/Library/Security/tokend. You can build it, as well as OpenSC, or download binaries from the OpenSC repo.

Keep in mind, though, that if you install OpenSC.tokend, the Yubikey will be snatched up by the OS whenever it's inserted and will be inaccessible to GPG. If you want to use it with GPG, you'll need to kill the 'pcscd' process first. (There must be some way to make gpg and pcscd play nice together, but I haven't yet worked it out. I'll certainly post the solution when I figure it out!)

Author:  martinpaljak [ Wed Jan 22, 2014 9:47 pm ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

ppc wrote:
The libccid provided by apple is incredibly old and doesn't support most of the readers out there. You can add support for the Yubikey NEO, as well as many other useful readers by updating libccid and installing it over the Apple provided one.

This process is described on the libccid page. This works brilliantly and allows normal access to the NEO through pcscd.

If you want the PIV applet to show up in Keychain Access and be otherwise accessible to the OS, you need to install the OpenSC.tokend module in /System/Library/Security/tokend. You can build it, as well as OpenSC, or download binaries from the OpenSC repo.

Keep in mind, though, that if you install OpenSC.tokend, the Yubikey will be snatched up by the OS whenever it's inserted and will be inaccessible to GPG. If you want to use it with GPG, you'll need to kill the 'pcscd' process first. (There must be some way to make gpg and pcscd play nice together, but I haven't yet worked it out. I'll certainly post the solution when I figure it out!)


You can download a pre-built CCID free software driver ("unofficial" warning, maybe) with NEO support from here:
https://github.com/martinpaljak/osx-ccid-installer

No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of GnuPG developers - their application needs to have exclusive access.

The interesting thing here is that while NEO does not provide any of the applets as default selected (there's a cure for that), what gets picked up - OpenPGP or PIV - depends on your configuration and might not be what you want.

Author:  ppc [ Thu Jan 23, 2014 1:38 am ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

Quote:
No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of GnuPG developers - their application needs to have exclusive access.

Which is a shame, since GPG handles cards so poorly compared to OpenSC and ensures that certain connected readers are only ever used for one or the other.

You should be able to put the following in ~/.gnupg/scdaemon.conf and use pcscd (instead of the integrated CCID drivers) to access the card:
Code:
# This will be different for non-Macs
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
# Don't use the integrated CCID drivers
disable-ccid
# Release the card after 5 seconds
card-timeout 5

...but I've never been able to get that to work. The version of scdaemon provided with MacGPG never looks at scdaemon.conf and I can't figure out exactly where it's being called from to change its arguments.

Quote:
The interesting thing here is that while NEO does not provide any of the applets as default selected (there's a cure for that), what gets picked up - OpenPGP or PIV - depends on your configuration and might not be what you want.

Can you elaborate on this? How do you change the default applet and what is the effect of having a default applet selected?

Author:  martinpaljak [ Thu Jan 23, 2014 11:22 am ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

ppc wrote:
Quote:
No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of GnuPG developers - their application needs to have exclusive access.

Which is a shame, since GPG handles cards so poorly compared to OpenSC and ensures that certain connected readers are only ever used for one or the other.

You should be able to put the following in ~/.gnupg/scdaemon.conf and use pcscd (instead of the integrated CCID drivers) to access the card:
Code:
# This will be different for non-Macs
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
# Don't use the integrated CCID drivers
disable-ccid
# Release the card after 5 seconds
card-timeout 5

...but I've never been able to get that to work. The version of scdaemon provided with MacGPG never looks at scdaemon.conf and I can't figure out exactly where it's being called from to change its arguments.

Quote:
The interesting thing here is that while NEO does not provide any of the applets as default selected (there's a cure for that), what gets picked up - OpenPGP or PIV - depends on your configuration and might not be what you want.

Can you elaborate on this? How do you change the default applet and what is the effect of having a default applet selected?


No apparent difference for the default applet in the case of PIV or OpenPGP. Do use gpgtools.org, and with a single reader you don't have to change anything, IIRC. I don't recall a release card option though....


And I just used yubiclip to log on from a tablet. Nice.

Author:  ppc [ Thu Jan 23, 2014 9:06 pm ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

Quote:
Do use gpgtools.org, and with a single reader you don't have to change anything, IIRC. I don't recall a release card option though....


Actually, it looks like scdaemon does read its config file. If you add
Code:
# Don't have to unplug other card readers to use gpg!
reader-port "Yubico Yubikey NEO OTP+CCID 00 00"

to ~/.gnupg/scdaemon.conf, gpg will read from the Yubikey even if it is not the only/first reader on your system.

Also, it looks like some of the other options in there are being handled. 'disable-ccid' and 'pcsc-driver' seem to be working, as all access is through pcscd. 'card-timeout' doesn't seem to be doing anything, though.

I think 'card-timeout' isn't working because gpg-agent is keeping a connection to scdaemon open. I use gpg-agent for ssh, though, so I can't really disable it. Frustrating! Who cares if gpg-agent has a connection open? I should be able to sleep the card until an actual transaction occurs.

We need a scdaemon that isn't so restrictive. Have you tried gnupg-pkcs11-scd?

Author:  Uriel [ Thu Mar 05, 2015 9:11 pm ]
Post subject:  Re: [SOLVED] - CCID NEO Support on Mac OS

Cannot build gnupg-pkcs11-scd on Mac, because it needs pkcs11-helper, which does not exist on Mac, and porting did not work for me. :-(

I needed to modify the ~/.gnupg/scdaemon.conf:
Code:
reader-port "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
reader-port "Yubico Yubikey NEO OTP+U2F+CCID 01 00"
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
disable-ccid
# Release the card after 15 seconds
card-timeout 15


In general, having GPGTools (https://gpgtools.org) installed provided gpg2, gpg-agent, and scdaemon to use with the NEO. I was able to secure email in OpenPGP mode using NEO and GPGTools.

Regarding PIV, the story is more difficult. It seems fairly straightforward to access NEO with tools from OpenSC https://github.com/OpenSC/OpenSC/releases, and using OpenSSL, or Keystore Explorer http://keystore-explorer.sourceforge.net/ (and of course yubico-piv-tool) one is able to generate keys & certificates, and load them on the NEO. The problem is - I'm not aware of any application that can use those certificates, either for email, or for login, or such.

OpenSC.tokend https://github.com/OpenSC/OpenSC.tokend recognizes NEO but cannot unlock it, or do anything useful with it (in fact it refuses to unlock any smart card, so there must be something wrong with my setup, but I can't figure out what it could be).
PKard does not recognize NEO (because NEO does not return Card Capabilities Container).

Update
After some change (among many - can't tell what exactly it was) OpenSC.tokend stopped recognizing NEO. But I guess I shouldn't complain because it started unlocking CAC and PIV cards successfully. Though at this time NEO PIV == No-Go.
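As an added check, not code from any poster in this thread or from GnuPG, here is a small Python linter for the scdaemon.conf snippets posted above by ppc and Uriel: it applies the parsing rule the GnuPG manual documents (a '#' starts a comment only as the first non-blank character of a line), flags the trailing comments those snippets carry, and rewrites them onto their own lines. The option table and the sample config are constructed here; the table deliberately covers only the four options used in the thread.

```python
# Options used in the scdaemon.conf snippets posted in this thread and whether
# each takes an argument (assumption: this checker knows only these four).
KNOWN_OPTIONS = {"reader-port": True, "pcsc-driver": True,
                 "disable-ccid": False, "card-timeout": True}

# Constructed sample: ppc's config as posted, trailing comments included.
SAMPLE_CONF = """\
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC #This will be different for non-Macs
disable-ccid #Don't use the integrated CCID drivers
card-timeout 5 #Release the card after 5 seconds
"""

def parse_scdaemon_conf(text):
    """Parse as the GnuPG manual documents option files: a line whose first
    non-blank character is '#' is a comment; otherwise the first word is the
    option and the rest of the line is its argument. Returns (options, findings)."""
    options, findings = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        arg = arg.strip()
        if name not in KNOWN_OPTIONS:
            findings.append((no, f"unknown option {name!r}"))
        elif "#" in arg:
            # Inline comments are not documented, so the '#...' text is part of the value.
            findings.append((no, f"inline comment lands inside the {name} value: {arg!r}"))
        elif KNOWN_OPTIONS[name] and not arg:
            findings.append((no, f"{name} needs an argument"))
        elif not KNOWN_OPTIONS[name] and arg:
            findings.append((no, f"{name} takes no argument, got {arg!r}"))
        elif name == "card-timeout" and not arg.isdigit():
            findings.append((no, f"card-timeout wants a number of seconds, got {arg!r}"))
        options.append((name, arg))
    return options, findings

def clean_config(text):
    """Move each inline comment onto its own line above the option it
    annotated (assumes no reader name contains ' #')."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or " #" not in line:
            out.append(line)
            continue
        setting, _, comment = line.partition(" #")
        out.append("# " + comment.strip())
        out.append(setting.rstrip())
    return "\n".join(out) + "\n"
```

Run `parse_scdaemon_conf` on the file first; if it reports inline comments, `clean_config` produces a version in which every option value is exactly what the poster intended.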
