Yubico Forum

All times are UTC + 1 hour




Posted: Thu Feb 18, 2016 3:54 pm

Joined: Thu Feb 18, 2016 3:47 pm
Posts: 2
Hi! I'm new to Yubikey and I have some issues/questions:

Issue #1:
I own several PCs/Macs and attempted to use pam auth for my Mac - I ended up getting locked out and having to boot into CLI to comment out the pam auth line.

I followed all of the steps I needed to as listed in the guide but can't seem to get it to work. I even disconnected my account from Keychain/iCloud to get it to work. I haven't tried in Windows. No errors, just locked out no matter what I do. I'm running the latest version of OSX on a MacBook Pro 15" (2015 model).

Issue #2:
How many "configurations" can I save? Can I have, let's say, GMail auth as well as Windows AND OSX login enabled? I'm testing with the intent to potentially use Yubikey for some select users within my company but for now I am testing at home. Is there an updated guide or login config and/or limitations to the number of auth types I can use? Potentially I'd like OTP/Challenge/Static all enabled.

Any info is appreciated and if the questions have been answered, let me know.


Posted: Thu Feb 18, 2016 11:40 pm
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
#1

The most common error I have seen in following the instructions is not moving the pam_yubico.so file to the correct directory:

/usr/lib/pam/

If this file isn't there and you edit the authorization file, PAM is looking for a file that doesn't exist and you will be locked out. The newest version of the OS X Login instructions is found here, and includes some screenshots from Terminal (https://www.yubico.com/wp-content/uploa ... gin_en.pdf). Simply running all of the required commands in Terminal isn't sufficient if any of the steps fail.

For example, the step most people error on:

sudo cp /usr/local/Cellar/pam_yubico/<x.xx>/lib/security/pam_yubico.so /usr/lib/pam/pam_yubico.so
NOTE: Replace <x.xx> with Yubico-PAM version number - current as of this writing is 2.20

I have seen people get "Operation not permitted" here (typically that means they didn't disable System Integrity Protection) and just continue on with the instructions. If you skip over this error and edit the authorization file, PAM is looking for a file which doesn't exist, hence the lockout. We also strongly recommend creating a Time Machine backup to minimize downtime if the setup isn't successful. I've set up Yubico PAM on several different OS X laptops, and every time I locked myself out it was because I didn't move the pam_yubico.so file.


#2

There are two configuration slots on the YubiKey, so you can only pick two of the following - Yubico OTP (slot 1 default), Static Password, HMAC-SHA1 Challenge-Response, OATH-HOTP. Beyond that, on the NEO and YubiKey 4, there is U2F, PIV, OpenPGP, and OATH (Yubico Authenticator) - none of these are in any way related to the configuration slots.


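The lockout described in the answer above (the authorization file references pam_yubico.so before that file exists in /usr/lib/pam/) can be caught before the edit is saved. The script below is an added example, not part of the original posts or of Yubico's instructions; the function names, the scratch paths and the choice to accept versioned file names such as pam_deny.so.2 are assumptions.

```shell
#!/bin/sh
# Pre-flight check to run BEFORE saving an edited PAM service file: report
# every referenced module that is missing from the module directory.

# Print the module field of each active rule ("type control module [args]").
# Comments are stripped; a bracketed control like [success=1 default=ignore]
# is collapsed to one token so the module is always field 3.
pam_modules() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]/CTRL/' "$1" |
        awk 'NF >= 3 { print $3 }' | sort -u
}

# pam_preflight <service-file> <module-dir>; returns 1 if a module is missing.
pam_preflight() {
    conf=$1 dir=$2 missing=0
    for mod in $(pam_modules "$conf"); do
        case $mod in
            /*) path=$mod ;;          # absolute module path: check as written
            *)  path=$dir/$mod ;;     # bare name: resolve in the module dir
        esac
        # Assumption: a versioned file name (pam_foo.so.2) also counts.
        if [ -f "$path" ] || ls "$path".* >/dev/null 2>&1; then
            continue
        fi
        echo "MISSING: $mod (looked for $path)" >&2
        missing=1
    done
    return $missing
}

# Constructed demo: a scratch module dir that lacks pam_yubico.so and a
# service file that already references it (the lockout case from the thread).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/pam" && : > "$tmp/pam/pam_deny.so.2"
    printf '%s\n' '# constructed sample service file' \
        'auth  required  pam_yubico.so mode=challenge-response' \
        'auth  required  pam_deny.so' > "$tmp/authorization"
    pam_preflight "$tmp/authorization" "$tmp/pam"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "pre-flight failed: do not save the PAM change yet" >&2
```

Run pam_preflight against a draft copy of the service file and the real module directory, and only install the draft when it returns 0.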
Posted: Fri Feb 19, 2016 1:40 pm

Joined: Thu Feb 18, 2016 3:47 pm
Posts: 2
You gents are the best - thank you! I was running off old documentation!


Posted: Fri Feb 19, 2016 5:19 pm
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Glad you got it sorted, please mark as "solved" :)

