Yubico Forum
https://forum.yubico.com/

macOS Login enforce PIV
https://forum.yubico.com/viewtopic.php?f=23&t=2450
Page 1 of 1

Author:  bmorgenthaler [ Fri Oct 07, 2016 11:38 pm ]
Post subject:  macOS Login enforce PIV

As someone mentioned in another thread, the macOS PIV setup with YubiKey doesn't appear to force the YubiKey to be present. Not talking about the initial FileVault encryption but screen saver unlock. If I have my nano in, it requires the PIN. If I remove the nano, however, it allows me to log in with my password.

So then:
  1. Is it possible to enforce the Yubikey to be in place to unlock?
  2. What is the proper way to remove the PIV setup so I can go back to PAM?

Author:  ChrisHalos [ Mon Oct 10, 2016 12:25 am ]
Post subject:  Re: macOS Login enforce PIV

Removing PIV - delete the certificates on the card (or reset the applet) with PIV Manager, then remove the hashes with sc_auth:

viewtopic.php?t=2434&p=9037

No, it's not possible to force it right now (I've seen hacks that kind of work, but so far it has been very inconsistent and all methods end up breaking some functionality in macOS). FileVault, sudo in Terminal, and the Security & Privacy section of System Preferences all currently don't support smart cards. Until these issues are cleared up in Sierra, I wouldn't recommend attempting to force a smart card requirement.
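
The teardown steps above (wipe the PIV applet, then remove the account's paired hashes with sc_auth) as a script. This is an added example, not code from the post or from Yubico: it assumes the hash-based `sc_auth` pairing of 10.11/10.12.0 (`sc_auth list`/`sc_auth remove`) and uses yubikey-manager's `ykman piv reset` as a command-line stand-in for the PIV Manager reset the post mentions (both are assumptions about the reader's tooling). With `DRY_RUN=1` it prints the commands instead of executing them, so you can review what it would do first.

```shell
#!/bin/sh
# Added example: undo a macOS smart card (PIV) pairing for a local account
# and factory-reset the YubiKey's PIV applet.
# Assumptions: macOS sc_auth with hash-based pairing (10.11 / 10.12.0 era),
# and yubikey-manager's `ykman` installed as the CLI equivalent of
# PIV Manager's "reset". DRY_RUN=1 prints commands instead of running them.

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the public-key hashes currently paired with account $1 (empty when none).
piv_list_pairings() {
    run sc_auth list -u "$1"
}

# Remove every smart card hash paired with account $1, so the login window
# and screen saver fall back to the plain password / PAM stack.
piv_unpair_user() {
    user=$1
    if [ -z "$user" ]; then
        echo "usage: piv_unpair_user <account>" >&2
        return 2
    fi
    run sc_auth remove -u "$user"
}

# Factory-reset the PIV applet: deletes all certificates and private keys and
# restores the default PIN, PUK and management key. The applet only accepts a
# reset once the PIN and PUK are blocked; ykman performs that step itself.
piv_reset_applet() {
    run ykman piv reset -f
}

# Full teardown: unpair the account, wipe the token, then list what remains
# (an empty listing is the expected end state).
piv_teardown() {
    piv_unpair_user "$1" || return $?
    piv_reset_applet || return $?
    piv_list_pairings "$1"
}

# Usage: sh piv_teardown.sh <account>   (or DRY_RUN=1 sh piv_teardown.sh <account>)
if [ "$#" -gt 0 ]; then
    piv_teardown "$1"
fi
```

Order matters: run `sc_auth remove` before wiping the card, while you still have a working password login as a fallback, and confirm the final `sc_auth list` output is empty before logging out. On 10.12.4 and later the same pairing is removed with `sc_auth unpair -u <account>` instead (the newer, certificate-based pairing model); adjust the `piv_unpair_user` function accordingly.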

Author:  bmorgenthaler [ Thu Oct 13, 2016 1:53 pm ]
Post subject:  Re: macOS Login enforce PIV

Thanks Chris.

sc_auth was what I was missing. It's really frustrating that macOS doesn't have better smart card support. It is also really annoying that there isn't any way to get FDE set up with MFA; I've seen some good methods on Linux, too bad we can't get access to the preboot environment. Ah well.


Author:  ChrisHalos [ Thu Oct 13, 2016 5:53 pm ]
Post subject:  Re: macOS Login enforce PIV

We can see the smart card ecosystem slowly growing in macOS (following the beta builds very closely here and testing as they are released). If you're familiar with previous builds, smart card support has been essentially non-existent for the past several yearly releases.

My recommendation continues to be to use PAM/challenge-response until the ecosystem expands (if you need two-factor for login); combining it with a complex FileVault password is a pretty solid combination. I'm currently playing with both (PIV and PAM concurrently), but I wouldn't recommend it on a production system at this time.
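
The PAM/challenge-response route recommended above, as an added example (not code from the post or from Yubico): program slot 2 of the YubiKey for HMAC-SHA1 challenge-response, enrol the current user's expected response with `ykpamcfg`, and prepend a `pam_yubico` line to the screen saver's PAM service file so unlocking needs the token plus the password. It assumes Homebrew-installed `ykpers` (for `ykpersonalize`/`ykpamcfg`) and a `pam_yubico.so` at `/usr/local/lib/security/` (both paths are assumptions; override `PAM_MODULE` and `PAM_FILE` if yours differ). `DRY_RUN=1` prints the token commands instead of running them.

```shell
#!/bin/sh
# Added example: YubiKey HMAC-SHA1 challenge-response as a second factor for
# macOS screen saver unlock through pam_yubico.
# Assumptions: ykpersonalize/ykpamcfg from ykpers and pam_yubico.so installed
# via Homebrew at the path below (override with PAM_MODULE / PAM_FILE).

PAM_MODULE=${PAM_MODULE:-/usr/local/lib/security/pam_yubico.so}   # assumed path
PAM_FILE=${PAM_FILE:-/etc/pam.d/screensaver}                        # screen saver unlock
PAM_LINE="auth       required       $PAM_MODULE mode=challenge-response"

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Program slot 2 for HMAC-SHA1 challenge-response (slot 1 keeps Yubico OTP).
# serial-api-visible lets ykpamcfg name the state file after the key's serial.
yk_program_slot2() {
    run ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -y
}

# Store a challenge and the key's expected response under ~/.yubico/ for the
# invoking user; pam_yubico compares against it and rotates it on each login.
# Must run as the user being enrolled, not via sudo.
yk_enroll_user() {
    run ykpamcfg -2 -v
}

# Prepend the pam_yubico line to the PAM service file $1 unless it is already
# there. Going first means the password prompt still follows, so the result is
# token AND password, not token instead of password. Needs root for /etc/pam.d.
pam_add_line() {
    file=$1
    if grep -Fq "pam_yubico.so" "$file"; then
        echo "$file already references pam_yubico.so; nothing to do" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$PAM_LINE"; cat "$file"; } > "$tmp" || return 1
    cat "$tmp" > "$file" || return 1
    rm -f "$tmp"
}

# Usage:
#   sh pam_cr.sh token        (as the user: program slot 2 and enrol)
#   sudo sh pam_cr.sh pam     (as root: edit the screen saver PAM file)
case "${1:-}" in
    token) yk_program_slot2 && yk_enroll_user ;;
    pam)   pam_add_line "$PAM_FILE" ;;
    *)     ;;
esac
```

Keep a second, already-authenticated Terminal open while you do this and lock/unlock the screen to verify before logging out: a bad line in a PAM service file locks you out of that service. The login window uses `/etc/pam.d/authorization` rather than `screensaver`, so protecting it is a separate edit with the same line, and, as the post says, FileVault itself stays single-factor either way.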
