Yubico Forum

All times are UTC + 1 hour




Posted: Mon Jun 22, 2015 4:56 am

Joined: Mon Jun 22, 2015 4:45 am
Posts: 2
I am using both a YK Standard and a Neo. Both keys present the same problem which means the issue is the MAC OS. I am using either key in challenge-response mode with an entry located in the pam.d/authorization file. The problem is that upon startup, when the user enters the password, the key should be inserted to continue login, however the key is not recognized. After login using a MAC decryption rescue key, the keys work just fine for all authorization instances.

I suspected the key's challenge-response were not being read from the user home directory if FileVault was activated, as the home would be encrypted. At least that is how it was acting. This is similar in a Linux system with encrypted home. Problem is that Linux decrypts the base system and uses a secondary layer of encryption for the home directories. So with that I moved the challenge-***** files to /etc/yubico and then in the pam.d/authorization file added an entry to the end changing the chalresp_path=/etc/yubico. However, on restart, the same error exists.

I suspect the challenge files are not being read. I also suspect this has to do with FileVault since after login using the MAC's rescue key, the Yubikeys work just fine for all other authorization instances. What do y'all think?



Posted: Mon Jun 22, 2015 6:40 am

Joined: Mon Jun 22, 2015 4:45 am
Posts: 2
Figured it out. What has happened is that the FileVault password and the user password have separated and are actually two different password keys now. Did not know this was possible, especially since there is only one user on this Mac. Somehow there is still a link, as the password hint is presented from the user account and not from the FileVault key. So actually it is more secure as far as I am concerned.

So I have returned the challenge-**** to the user directory and have adjusted the pam.d/auth to reflect so.


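Added example (not part of either post, and not Yubico's code): a shell check of where pam_yubico looks for a user's challenge-response state file for a given PAM service file, relevant to the move to /etc/yubico described in the first post. It assumes pam_yubico's documented naming (`challenge-<serial>` under `~/.yubico`, `<user>-<serial>` under a `chalresp_path` directory); the user `alice`, serial `123456` and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed pam_yubico file layout:
#   no chalresp_path:   <home>/.yubico/challenge-<serial>, then challenge
#   chalresp_path=DIR:  DIR/<user>-<serial>, then DIR/<user>

# Print the chalresp_path value from the first uncommented pam_yubico line.
chalresp_dir() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_yubico' | head -n 1 |
        tr -s '[:blank:]' '\n' | sed -n 's/^chalresp_path=//p'
}

# Print candidate state files, one per line. Args: pam_file user home serial
chalresp_candidates() {
    dir=$(chalresp_dir "$1")
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir/$2-$4" "$dir/$2"
    else
        printf '%s\n' "$3/.yubico/challenge-$4" "$3/.yubico/challenge"
    fi
}

# Print the first readable candidate; return 1 if none exists.
find_chalresp_file() {
    chalresp_candidates "$@" | (
        while IFS= read -r f; do
            if [ -r "$f" ]; then printf '%s\n' "$f"; exit 0; fi
        done
        exit 1
    )
}

# Constructed demo: user "alice", serial 123456, everything under a temp dir.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/yubico"
    printf 'auth required pam_yubico.so mode=challenge-response chalresp_path=%s\n' \
        "$t/etc/yubico" > "$t/authorization"
    : > "$t/etc/yubico/challenge-123456"   # moved, but still under its home-dir name
    find_chalresp_file "$t/authorization" alice "$t/home/alice" 123456 ||
        echo "no state file found for alice"
    mv "$t/etc/yubico/challenge-123456" "$t/etc/yubico/alice-123456"
    find_chalresp_file "$t/authorization" alice "$t/home/alice" 123456
    rm -rf "$t"
}
demo
```

The state file holds the next challenge and expected response, so a system-wide directory such as /etc/yubico should be readable by root only.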