Yubico Forum

 Post subject: macOS Login enforce PIV
PostPosted: Fri Oct 07, 2016 11:38 pm 

As someone mentioned in another thread, the macOS PIV setup with Yubikey doesn't appear to force the yubikey to be present. Not talking about the initial FileVault encryption but screen saver unlock. If I have my nano in, it requires the PIN. If I remove the nano however it allows me to login with my password.

So then:
  1. Is it possible to enforce the Yubikey to be in place to unlock?
  2. What is the proper way to remove the PIV setup so I can go back to PAM



PostPosted: Mon Oct 10, 2016 12:25 am 
Yubico Team

Removing PIV - delete the certificates on the card (or reset the applet) with PIV Manager, then remove the hashes with sc_auth:

viewtopic.php?t=2434&p=9037

No, it's not possible to force it right now (I've seen hacks that kind of work, but so far it has been very inconsistent and all methods end up breaking some functionality in macOS). FileVault, sudo in Terminal, and Security & Privacy section of System Preferences all currently don't support smart cards. Until these issues are cleared up in Sierra, I wouldn't recommend attempting to force a smart card requirement.


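For the sc_auth half of the removal procedure above, here is an added shell script (not from this thread or from Yubico) that removes a user's smart-card pairing and then verifies nothing is left behind. It assumes the sc_auth(1) subcommands `list -u`, `remove -u` (El Capitan and earlier) and `unpair -u` (Sierra), and that a pairing is recorded in the account's AltSecurityIdentities directory attribute; clearing the certificates on the card with PIV Manager is done separately.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: sc_auth(1) subcommands
# "list -u", "remove -u" (El Capitan and earlier) and "unpair -u" (Sierra),
# and that a pairing is recorded in the account's AltSecurityIdentities
# attribute in Open Directory. Clearing the card itself (PIV Manager) is not
# scripted here; do that first, as the thread says, then run this as root.

# Print the public-key hashes currently paired with the account, one per line.
piv_pairings() {
    sc_auth list -u "$1" 2>/dev/null
}

# Remove every smart-card pairing for a user, then verify that nothing is
# left behind. Returns 0 when the account has no pairing, 1 otherwise.
remove_piv_pairing() {
    user=$1
    if [ -z "$(piv_pairings "$user")" ]; then
        echo "no smart-card pairing recorded for $user" >&2
        return 0
    fi
    # Sierra added "unpair"; older releases use "remove". Try the newer verb first.
    sc_auth unpair -u "$user" 2>/dev/null || sc_auth remove -u "$user" || return 1
    # Check 1: sc_auth no longer lists a hash for the account.
    [ -z "$(piv_pairings "$user")" ] || { echo "hash still listed for $user" >&2; return 1; }
    # Check 2: the directory attribute that held the hash is gone, so no
    # stale mapping remains in the user's record.
    if dscl . -read "/Users/$user" AltSecurityIdentities >/dev/null 2>&1; then
        echo "AltSecurityIdentities still set for $user" >&2
        return 1
    fi
    echo "smart-card pairing removed for $user" >&2
}

# Usage: sh remove_piv_pairing.sh <username>
[ $# -gt 0 ] && remove_piv_pairing "$1"
```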
PostPosted: Thu Oct 13, 2016 1:53 pm 

Thanks Chris.

sc_auth was what I was missing. It's really frustrating that macOS doesn't have better smart card support. It is also really annoying that there isn't any way to get FDE set up with MFA. I've seen some good methods on Linux; too bad we can't get access to the preboot environment. Ah well.

ChrisHalos wrote:
Removing PIV - delete the certificates on the card (or reset the applet) with PIV Manager, then remove the hashes with sc_auth:

viewtopic.php?t=2434&p=9037

No, it's not possible to force it right now (I've seen hacks that kind of work, but so far it has been very inconsistent and all methods end up breaking some functionality in macOS). FileVault, sudo in Terminal, and Security & Privacy section of System Preferences all currently don't support smart cards. Until these issues are cleared up in Sierra, I wouldn't recommend attempting to force a smart card requirement.


PostPosted: Thu Oct 13, 2016 5:53 pm 
Yubico Team

We can see the smart card ecosystem slowly growing in macOS (following the beta builds very closely here and testing as they are released). If you're familiar with previous builds, smart card support has been essentially non-existent for the past several yearly releases.

My recommendation continues to be to use PAM/challenge-response until the ecosystem expands (if you need two-factor for login); combining it with a complex FileVault password is a pretty solid combination. I'm currently playing with both right now (PIV and PAM concurrently), but I wouldn't recommend it on a production system at this time.

