Yubico Forum
https://forum.yubico.com/

[macOS] Locked out after enabling PIV + PAM method
https://forum.yubico.com/viewtopic.php?f=23&t=2474
Page 1 of 1

Author:  luclu [ Tue Nov 01, 2016 6:48 pm ]
Post subject:  [macOS] Locked out after enabling PIV + PAM method

Hello,

After upgrading to macOS 10.12 Sierra I wanted to enable the challenge-response method again.
As I noticed the availability of PIV, I gave it a try only to discover that it is not enforceable as a login requirement, so I set up the PAM method.

Unfortunately enabling both methods created an incompatibility.
I'm unable to use the HMAC-SHA1 Challenge-Response functionality as inserting the stick will switch to the PIN entry input field. Specifying the PIN won't help much as the PAM method was added to /etc/pam.d/authorization as required.

Of course I created a Time-Machine backup before following the procedure, however the backup seems to be corrupt as I can't successfully mount the backup even on a vanilla Sierra installation. (I'm currently in contact with Apple's support)

I hope there is some way to resolve this without losing all data. If not, please add some word of warning to the guides.

Best, Luca

ps. I will try to deconfigure one of my keys' PIV - if possible - and see if this helps.

Author:  Maliced [ Thu Dec 22, 2016 1:33 am ]
Post subject:  Re: [macOS] Locked out after enabling PIV + PAM method

Hey luclu,

I have found a way to reconfigure the /etc/pam.d/* files in the Single User mode. You have to enable root mode in order to make edits to the files in Single User mode. I have pasted the instructions below.

____________________________________________________________________________________________________

Boot into S.U. Mode by holding Cmd+S while booting.
Once the terminal prompt opens, type the following:

mount -uw / ("mount"+space+"-uw"+space+slash)

launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

passwd root

(after you press enter it will ask for the password for the root user. Type it, even if it won't show any characters. Then type it again to confirm. Once you have finished, type: exit).
____________________________________________________________________________________________________

Once you've enabled root, you should be able to "sudo vi /etc/pam.d/*" for the screensaver/authorization and delete the "/usr/local/lib/security/pam_yubico.so mode=challenge-response" line from the file.

I am probably too late. But, if I am not I hope this helps!
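As an added example (not code from either poster), a POSIX shell script that works on a constructed copy of a macOS-style /etc/pam.d/authorization: it detects a pam_yubico line marked "required" (the configuration that locks out the account once the challenge-response can no longer be satisfied) and comments that line out after taking a backup, which is the edit Maliced describes doing by hand from single-user mode. The sample file contents and the module path are assumptions.

```shell
#!/bin/sh
# Constructed sample of a macOS-style /etc/pam.d/authorization (assumption:
# not copied from a real system). The pam_yubico line is "required", so PAM
# fails the whole auth stack when the YubiKey challenge-response fails.
# With "sufficient" instead, a failed challenge-response would fall through
# to the password modules below it rather than locking the user out.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_FILE="$SAMPLE_DIR/authorization"
cat > "$SAMPLE_FILE" <<'EOF'
# authorization: auth account
auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF

# Number of active (uncommented) lines loading pam_yubico.so in a pam.d file.
count_active_pam_yubico() {
    grep -cE '^[[:space:]]*[^#[:space:]].*pam_yubico\.so' "$1" || true
}

# Exit 0 if an active "auth required ... pam_yubico.so" line is present,
# i.e. the lockout condition described in the thread.
yubico_is_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_yubico\.so' "$1"
}

# Keep a backup and comment out every pam_yubico line instead of deleting it,
# so the original configuration can be restored once the key works again.
disable_pam_yubico() {
    cp "$1" "$1.bak"
    sed -e '/pam_yubico\.so/s/^/#/' "$1" > "$1.new" && mv "$1.new" "$1"
}
```

On a real system the script would be run against /etc/pam.d/authorization and /etc/pam.d/screensaver as root, with the root filesystem mounted read-write as in the single-user instructions above.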
