Yubico Forum

Hey Guys,

I know you say here:

http://www.yubico.com/applications/comp ... -os-login/

That you do not have a solution for OSX login, but you provide a link to make it work using PAM.

I followed that link and was only able to get it working with the SUDO PAM, not the authentication (osx login i believe), or the screensaver PAM. Even the user at the end of the link you provided on your site states he had trouble with OSX login and only stated he got it working with Debian.

I have done a ton of googling and I can't find other posts on how to do this.

Any further thoughts on this? The link you provided was posted over 2 years ago so i'm hoping you guys have some ideas.

Thanks.

check this
http://www.map-pin.com/tokenlock.html

_________________
-Tom

I looked at that before and installed it. TokenLock allows you to use any device like wifi, bluetooth, or usb to unlock your machine. It does not use the challenge-response of your yubikey. In fact you don't even need a yubikey, you can use any usb device. Also the software doesn't start until you login to your machine for the first time. This means that I still only need user/pass for the initial login to my mac.

Do you know if there is work being done for a login app like this:?

http://www.yubico.com/applications/comp ... ows-login/

I would like to use my yubikey in challenge-response mode for both the login of my mac, as well as back from screensaver. In my initial post I found the yubico position that this is not currently offered, but the link provided only got sudo access up and working with PAM.

Do you have any other ideas to get this working? Or is yubico working on an app for login like the one for windows I pasted above?

I am aware just of this, https://github.com/Yubico/yubico-pam/wi ... n-Mac-OS-X)

There are no plans for a Mac app at the moment.

_________________
-Tom

PAM worked fine for me for OSX 10.8 on login and sudo and I suspect it would work just as well for 10.7 as well since both now use /etc/pam.d/authorization. I'm still trying to figure it out for 10.6 though.

I largely followed this (macport install + config) https://github.com/Yubico/yubico-pam/wi ... ac-OS-X%29

For sudo I'm guessing you would have updated your /etc/pam.d/sudo file. You can do the same with /etc/pam.d/authorization to control UI login authentication. Here's what mine looks like; I just added the one liner:

auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_yubico.so mode=challenge-response
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so

My yubikey has the first slot configured for OTP and the second for HMAC-SHA1 challenge (without button press).

Make sure you have access to your root console in single user mode before you do anything (cmd+s on bootup. You'll have to "mount -uw /" to be able to write to your /etc/pam.d/authorization file to comment out the yubico pam one liner out if something goes wrong. In other words, be prepared for something going wrong if you're locked out of all your accounts .

I'm still trying to figure out a good authentication stack for /etc/pam.d/screensaver (it doesn't behave like the other ones right off the bat).

Regards
Jeff

For the screensaver to work (OSX 10.8), edit the following in /etc/authorization:
find the line <string>The owner or any administrator can unlock the screensaver.</string> and change it to: <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
This will make the yubikey pam module work in the screensaver. Note! this will also enable the unlocking of the screensaver by other admin users on your system.