| Yubico Forum https://forum.yubico.com/ |
|
| [Q?] is the NEO smartcard accessible from VirtualBox guest? https://forum.yubico.com/viewtopic.php?f=26&t=1665 |
Page 1 of 1 |
| Author: | FlorinAndrei [ Wed Dec 17, 2014 1:35 am ] |
| Post subject: | [Q?] is the NEO smartcard accessible from VirtualBox guest? |
My host system is OS X 10.10. I use VirtualBox, currently version 4.3.20. I have various guest OSs in VBox, for example Fedora 17. If the NEO token is plugged into the OS X host, would the smartcard portion of the token be available from the Linux guest in VBox? The smartcard is operational and I can use it from the OS X host to authenticate ssh sessions, via gpg-agent and the key stored on the smartcard - that works great. USB options are all enabled for the Fedora 17 guest. I've enabled gpg-agent on the guest the same way I did on the host. Yet gpg-agent on the guest cannot seem to access the NEO plugged into the host. It just falls back on password authentication. Anything else I need to do / configure / change / enable? |
|
| Author: | darco [ Wed Dec 17, 2014 2:47 am ] |
| Post subject: | Re: [Q?] is the NEO smartcard accessible from VirtualBox gue |
I think you need the extra USB stuff for virtual box (sorry, can't remember the package name). Then you can delegate specific USB devices to be used by the virtual machine. |
|
| Author: | FlorinAndrei [ Wed Dec 17, 2014 2:57 am ] |
| Post subject: | Re: [Q?] is the NEO smartcard accessible from VirtualBox gue |
The Extension Pack? It's installed already. I've also tried to create / add a USB filter for this instance for that specific USB device - still nothing. Attachment:
File comment: USB screenshot
 neo.png [ 45.62 KiB | Viewed 3222 times ] |
|
| Author: | darco [ Wed Dec 17, 2014 3:26 am ] |
| Post subject: | Re: [Q?] is the NEO smartcard accessible from VirtualBox gue |
Do you not then see the USB device in your VM? |
|
| Author: | Klas [ Wed Dec 17, 2014 3:26 pm ] |
| Post subject: | Re: [Q?] is the NEO smartcard accessible from VirtualBox gue |
My experience with VirtualBox and smartcards have been a bit hit and miss. With a linux host it works ok if pcscd is stopped on the host, in other cases the device does not seem to be handed over correctly. I've had some luck with creating an auto rule for a device to get passed through. /klas |
|
| Author: | FlorinAndrei [ Wed Dec 17, 2014 9:18 pm ] |
| Post subject: | Re: [Q?] is the NEO smartcard accessible from VirtualBox gue |
On OS X 10.9 there was a pcscd IIRC, but that seems to be gone. On 10.10 there's a process that seems to run all the time: Code: /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd When you use the NEO smartcard for the first time with gpg-agent and ssh, the list of related processes grows: Code: /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd pcsc-wrapper -- 1 /System/Library/Frameworks/PCSC.framework/PCSC /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd In any case, I can't seem to make it work from the guest. The extra two processes are not even launched when I try to use the smartcard from the guest. Moreover, having the guest running with the USB filter for NEO prevents the smartcard from working correctly with gpg-agent on the host itself. No idea why. Disable those filters and the guest does not interfere with the smartcard and gpg-agent on the host anymore. --- There is a workaround: Don't do anything on the guest. On the host, enable "ForwardAgent yes" for the range of IPs where the guests are. Then ssh from the host to the guest. Now, on the guest, if you try to ssh anywhere, the authentication requests will be forwarded back to the host through the ssh chain. If gpg-agent is enabled on the host, your guest-run ssh session will be authenticated against the smartcard. Of course, for this to work, before all you must ssh into the guest from the host. And then you're still subject to the smartcard issues that are plaguing OS X 10.10, like this one: viewtopic.php?f=26&t=1656 Perhaps those issues are what cause the guest to not be able to use the NEO plugged into the host. I don't have a way to tell for sure. |
|
| Page 1 of 1 | All times are UTC + 1 hour |
| Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |
|