Yubico Forum


All times are UTC + 1 hour




PostPosted: Sat Jul 20, 2013 8:25 am 

Joined: Sat Jul 20, 2013 8:19 am
Posts: 2
Hey Guys,

I know you say here:

http://www.yubico.com/applications/comp ... -os-login/

That you do not have a solution for OSX login, but you provide a link to make it work using PAM.

I followed that link and was only able to get it working with the SUDO PAM, not the authentication (OSX login, I believe) or the screensaver PAM. Even the user at the end of the link you provided on your site states he had trouble with OSX login and only stated he got it working with Debian.

I have done a ton of googling and I can't find other posts on how to do this.

Any further thoughts on this? The link you provided was posted over 2 years ago so I'm hoping you guys have some ideas.

Thanks.



PostPosted: Wed Jul 24, 2013 11:52 am 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Check this:
http://www.map-pin.com/tokenlock.html

_________________
-Tom


PostPosted: Wed Jul 24, 2013 5:07 pm 

Joined: Sat Jul 20, 2013 8:19 am
Posts: 2
I looked at that before and installed it. TokenLock allows you to use any device like wifi, bluetooth, or usb to unlock your machine. It does not use the challenge-response of your yubikey. In fact you don't even need a yubikey, you can use any usb device. Also the software doesn't start until you log in to your machine for the first time. This means that I still only need user/pass for the initial login to my mac.

Do you know if there is work being done for a login app like this?

http://www.yubico.com/applications/comp ... ows-login/

I would like to use my yubikey in challenge-response mode for both the login of my mac, as well as back from screensaver. In my initial post I found the yubico position that this is not currently offered, but the link provided only got sudo access up and working with PAM.

Do you have any other ideas to get this working? Or is yubico working on an app for login like the one for windows I pasted above?


PostPosted: Thu Jul 25, 2013 7:51 am 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
I am aware just of this, https://github.com/Yubico/yubico-pam/wi ... n-Mac-OS-X)

There are no plans for a Mac app at the moment.

_________________
-Tom


PostPosted: Fri Aug 30, 2013 6:55 am 

Joined: Fri Aug 30, 2013 4:32 am
Posts: 3
PAM worked fine for me for OSX 10.8 on login and sudo and I suspect it would work just as well for 10.7 as well since both now use /etc/pam.d/authorization. I'm still trying to figure it out for 10.6 though.

I largely followed this (macport install + config) https://github.com/Yubico/yubico-pam/wi ... ac-OS-X%29

For sudo I'm guessing you would have updated your /etc/pam.d/sudo file. You can do the same with /etc/pam.d/authorization to control UI login authentication. Here's what mine looks like; I just added the one liner:

auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_yubico.so mode=challenge-response
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so

My yubikey has the first slot configured for OTP and the second for HMAC-SHA1 challenge (without button press).

Make sure you have access to your root console in single user mode before you do anything (cmd+s on bootup). You'll have to "mount -uw /" to be able to write to your /etc/pam.d/authorization file to comment the yubico pam one liner out if something goes wrong. In other words, be prepared for something going wrong if you're locked out of all your accounts :).

I'm still trying to figure out a good authentication stack for /etc/pam.d/screensaver (it doesn't behave like the other ones right off the bat).

Regards
Jeff
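
The edit described in the post above, as an added example that is not part of the original thread: shell functions that insert the pam_yubico line before the auth pam_opendirectory.so line of a PAM file passed as an argument, keep a one-time backup, and comment the line out again for recovery. The function names and the .pre-yubico backup suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Rehearse on a copy before touching /etc:
#   cp /etc/pam.d/authorization /tmp/authorization && enable_yubico /tmp/authorization
YUBI_LINE='auth required pam_yubico.so mode=challenge-response'  # line from the post
ACTIVE='^[[:space:]]*auth[[:space:]].*pam_yubico\.so'
COMMENTED='^#[[:space:]]*auth[[:space:]].*pam_yubico\.so'
ANCHOR='^[[:space:]]*auth[[:space:]].*pam_opendirectory\.so'

# Run a filter command over a file and write the result back in place,
# so the file keeps its owner and mode.
_rewrite() {
    _f="$1"; shift
    "$@" "$_f" > "$_f.tmp.$$" && cat "$_f.tmp.$$" > "$_f"; _rc=$?
    rm -f "$_f.tmp.$$"
    return "$_rc"
}

# Print enabled, disabled (commented out) or absent for the given PAM file.
yubico_status() {
    if grep -Eq "$ACTIVE" "$1"; then echo enabled
    elif grep -Eq "$COMMENTED" "$1"; then echo disabled
    else echo absent; fi
}

# Add (or uncomment) the pam_yubico line directly before the first auth
# pam_opendirectory.so line. Idempotent; refuses to guess if the anchor is missing.
enable_yubico() {
    case "$(yubico_status "$1")" in
        enabled)  return 0 ;;
        disabled) _rewrite "$1" sed 's/^#[[:space:]]*\(auth[[:space:]].*pam_yubico\.so.*\)/\1/'
                  return ;;
    esac
    grep -Eq "$ANCHOR" "$1" || { echo "$1: no auth pam_opendirectory.so line" >&2; return 1; }
    [ -e "$1.pre-yubico" ] || cp -p "$1" "$1.pre-yubico" || return 1
    _rewrite "$1" awk -v line="$YUBI_LINE" \
        '!done && $1 == "auth" && index($0, "pam_opendirectory.so") { print line; done = 1 } { print }'
}

# Recovery step from the post: comment the pam_yubico line out again.
disable_yubico() {
    _rewrite "$1" sed 's/^\([[:space:]]*auth[[:space:]].*pam_yubico\.so.*\)/#\1/'
}
```

From single user mode, after "mount -uw /", disable_yubico /etc/pam.d/authorization performs the recovery edit the post describes.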


PostPosted: Mon Sep 23, 2013 12:24 pm 

Joined: Mon Sep 23, 2013 12:12 pm
Posts: 1
cometaj wrote:
I'm still trying to figure out a good authentication stack for /etc/pam.d/screensaver (it doesn't behave like the other ones right off the bat).

For the screensaver to work (OSX 10.8), edit the following in /etc/authorization:
find the line <string>The owner or any administrator can unlock the screensaver.</string> and change it to: <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
This will make the yubikey pam module work in the screensaver. Note! This will also enable the unlocking of the screensaver by other admin users on your system.

