Yubico Forum https://forum.yubico.com/ |
|
Cahllenge-Response on MAC Yos Startup https://forum.yubico.com/viewtopic.php?f=23&t=1932 |
Page 1 of 1 |
Author: | CyberKen [ Mon Jun 22, 2015 4:56 am ] |
Post subject: | Cahllenge-Response on MAC Yos Startup |
I am using both a YK Standard and a Neo. Both keys present the same problem which means the issue is the MAC OS. I am using either key in challenge-response mode with an entry located in the pam.d/authorization file. The problem is that upon startup, when the user enters the password, the key should be inserted to continue login, however the key is not recognized. After login using a MAC decryption rescue key, the keys work just fine for all authorization instances. I suspected the key's challenge-response were not being read from teh User home directory if filevault was activated as the home would be encrypted. At least that is how it was acting. This is similar in a Linux system with encrypted home. Problem is that Linus decypts the base system and uses a secondary layer of encryption for the home directories. So with that I moved the challenge-***** files to /etc/yubico and then in the pam.d/authorization file added an entry to the end changing the chalresp_path=/etc/yubico. However on restart, the same error exists. I suspect the challenge files are not being read. I also suspect this has to do with FileVault since after login using the MAC's rescue key, the Yubikeys work just fine for all other authorization instances. What do y'all think? |
Author: | CyberKen [ Mon Jun 22, 2015 6:40 am ] |
Post subject: | SOLVED: Challenge-Response on MAC Yos Startup |
Figured it out. What has happened is that the FileVault password and the User password have separated and are actually two different password keys now. Did not know this was possible especially since there is only one user on this MAC. Somehow there is still a link as the password Hint is presented from the user account and not from the file vault key. So actually It is more secure as far as I am concerned. So I have returned the challenge-**** to the user directory and have adjusted the pam.d/auth to reflect so. |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |