Yubico Forum ...visit our web-store at 2013-09-23T12:24:27+01:00 https://forum.yubico.com/feed.php?f=16&t=1112 2013-09-23T12:24:27+01:00 2013-09-23T12:24:27+01:00 https://forum.yubico.com/viewtopic.php?t=1112&p=4390#p4390 <![CDATA[Re: {QUESTION} yubikey challenge-response (2 factor) for OSX]]> cometaj wrote:

I'm still trying to figure out a good authentication stack for /etc/pam.d/screensaver (it doesn't behave like the other ones right off the bat).

For the screensaver to work (OSX 10.8), edit the following in /etc/authorization:
find the line <string>The owner or any administrator can unlock the screensaver.</string> and change it to: <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
This will make the yubikey pam module work in the screensaver. Note! this will also enable the unlocking of the screensaver by other admin users on your system.

Statistics: Posted by branch — Mon Sep 23, 2013 12:24 pm

]]> 2013-08-30T06:55:21+01:00 2013-08-30T06:55:21+01:00 https://forum.yubico.com/viewtopic.php?t=1112&p=4318#p4318 <![CDATA[Re: {QUESTION} yubikey challenge-response (2 factor) for OSX]]>
I largely followed this (macport install + config) https://github.com/Yubico/yubico-pam/wi ... ac-OS-X%29

For sudo I'm guessing you would have updated your /etc/pam.d/sudo file. You can do the same with /etc/pam.d/authorization to control UI login authentication. Here's what mine looks like; I just added the one liner:

auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_yubico.so mode=challenge-response
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so

My yubikey has the first slot configured for OTP and the second for HMAC-SHA1 challenge (without button press).

Make sure you have access to your root console in single user mode before you do anything (cmd+s on bootup. You'll have to "mount -uw /" to be able to write to your /etc/pam.d/authorization file to comment out the yubico pam one liner out if something goes wrong. In other words, be prepared for something going wrong if you're locked out of all your accounts :).

I'm still trying to figure out a good authentication stack for /etc/pam.d/screensaver (it doesn't behave like the other ones right off the bat).

Regards
Jeff

Statistics: Posted by cometaj — Fri Aug 30, 2013 6:55 am

]]> 2013-07-25T07:51:00+01:00 2013-07-25T07:51:00+01:00 https://forum.yubico.com/viewtopic.php?t=1112&p=4152#p4152 <![CDATA[Re: {QUESTION} yubikey challenge-response (2 factor) for OSX]]> https://github.com/Yubico/yubico-pam/wi ... n-Mac-OS-X)

There are no plans for a Mac app at the moment.

Statistics: Posted by Tom — Thu Jul 25, 2013 7:51 am

]]> 2013-07-24T17:07:21+01:00 2013-07-24T17:07:21+01:00 https://forum.yubico.com/viewtopic.php?t=1112&p=4151#p4151 <![CDATA[Re: {QUESTION} yubikey challenge-response (2 factor) for OSX]]>
Do you know if there is work being done for a login app like this:?

http://www.yubico.com/applications/comp ... ows-login/

I would like to use my yubikey in challenge-response mode for both the login of my mac, as well as back from screensaver. In my initial post I found the yubico position that this is not currently offered, but the link provided only got sudo access up and working with PAM.

Do you have any other ideas to get this working? Or is yubico working on an app for login like the one for windows I pasted above?

Statistics: Posted by sp33domcgee — Wed Jul 24, 2013 5:07 pm

]]> 2013-07-24T11:52:31+01:00 2013-07-24T11:52:31+01:00 https://forum.yubico.com/viewtopic.php?t=1112&p=4149#p4149 <![CDATA[Re: {QUESTION} yubikey challenge-response (2 factor) for OSX]]> http://www.map-pin.com/tokenlock.html

Statistics: Posted by Tom — Wed Jul 24, 2013 11:52 am

]]> 2013-07-20T08:25:22+01:00 2013-07-20T08:25:22+01:00 https://forum.yubico.com/viewtopic.php?t=1112&p=4141#p4141 <![CDATA[{QUESTION} yubikey challenge-response (2 factor) for OSX]]>
I know you say here:

http://www.yubico.com/applications/comp ... -os-login/

That you do not have a solution for OSX login, but you provide a link to make it work using PAM.

I followed that link and was only able to get it working with the SUDO PAM, not the authentication (osx login i believe), or the screensaver PAM. Even the user at the end of the link you provided on your site states he had trouble with OSX login and only stated he got it working with Debian.

I have done a ton of googling and I can't find other posts on how to do this.

Any further thoughts on this? The link you provided was posted over 2 years ago so i'm hoping you guys have some ideas.

Thanks.

Statistics: Posted by sp33domcgee — Sat Jul 20, 2013 8:25 am

]]>