Comments (20)
At least on Ubuntu, the simplistic approach described on the cited wiki page does not work, because PAM configuration uses [success=N ...] to jump around modules and perform the necessary sequence of checks, instead of simply relying on "required"/"sufficient". It's complicated even more by extensive use of @include. In order to include another module, one needs to understand how existing configuration works. For instance, this is my /etc/pam.d/gnome-screensaver:
auth [success=3 default=ignore] pam_yubico.so mode=challenge-response
@include common-auth
auth optional pam_gnome_keyring.so
to achieve the effect of "sufficient", because I need to jump to "pam_permit" module which is the fourth one inside /etc/pam.d/common-auth.
OSX might be using some similar arrangement. Could be worth checking.
from yubico-pam.
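Added example (not part of the original thread or of the yubico-pam project): a small checker that expands `@include` lines and reports which module each `[success=N ...]` jump lands on, so a miscount that lands on or past `pam_deny.so` is caught before the file is deployed. The `common-auth` contents, including the `pam_sss.so` line, are a constructed assumption chosen so that `pam_permit.so` is the fourth module, as in the comment above; `flatten` and `success_jumps` are hypothetical helper names.

```python
import re

# Constructed sample files (assumed contents, not taken from the thread).
FILES = {
    "gnome-screensaver": """\
auth [success=3 default=ignore] pam_yubico.so mode=challenge-response
@include common-auth
auth optional pam_gnome_keyring.so
""",
    "common-auth": """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
""",
}

def flatten(name, files=FILES, kind="auth"):
    """Expand @include recursively; return [(control, module), ...] for one type."""
    stack = []
    for line in files[name].splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            stack += flatten(line.split()[1], files, kind)
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == kind:
            stack.append((m.group(2), m.group(3)))
    return stack

def success_jumps(stack):
    """For each [success=N] entry: (module, module landed on, modules skipped)."""
    report = []
    for i, (control, module) in enumerate(stack):
        m = re.search(r"success=(\d+)", control)
        if not m:
            continue
        target = i + 1 + int(m.group(1))  # success=N skips the next N modules
        landed = stack[target][1] if target < len(stack) else None
        skipped = [mod for _, mod in stack[i + 1:target]]
        report.append((module, landed, skipped))
    return report

if __name__ == "__main__":
    for module, landed, skipped in success_jumps(flatten("gnome-screensaver")):
        print(f"{module}: on success skips {skipped} and lands on {landed}")
```
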
I just set up a Mavericks installation to require a YubiKey for login.
I modified /etc/pam.d/authorization adding this as first line:
auth requisite pam_yubico.so mode=challenge-response
/etc/pam.d/screensaver, /etc/pam.d/sshd also work (didn't try /etc/pam.d/sudo but my guess is that it works)
from yubico-pam.
The files you want to edit are: authorization and screensaver.
from yubico-pam.
Thanks for help -- closing this since it is working.
from yubico-pam.
I get 'USB error: kIOReturnSuccess' when I run ykpamcfg -2 for challenge-response on OS X Mavericks 10.9.4, unless I use sudo
See http://forum.yubico.com/viewtopic.php?f=26&t=1169&p=5375#p5375
Any ideas how to get it to work without sudo? Pretty useless otherwise... the /etc/pam.d/screensaver stuff simply fails with 'Operation not permitted' since the auth is not being run as root.
from yubico-pam.
Could it be a problem talking USB without root access? After summer we can try to reproduce this, but we don't have any Mac people around now. If anyone else has ideas, that would be appreciated! Since the problem happens with the standalone 'ykpamcfg' tool, it should be easy to reproduce. Problems with the PAM module under the screensaver are harder to debug.
from yubico-pam.
I dare say that is indeed the problem. It doesn't just occur with ykpamcfg but also ykinfo.
The screensaver issue is just a side-effect/example of the over-arching issue of not being able to run things as a non-administrative user, I think.
I also assume it is Mavericks-specific (it occurs for me with either a Yubikey standard or a Neo).
from yubico-pam.
If there is any way for me to provide more debug info when running the 'yk' tools please do let me know, I'll be happy to give more info if I can!
from yubico-pam.
It looks to me like a missing udev rules file, or an incorrect one (not covering the right vendor/product or setting improper permissions).
(Does this question belong to the bug tracker?)
from yubico-pam.
The thing is OS X doesn't have udev as far as I (and others) can tell.
I think it does belong in the bug tracker, the instructions simply don't work on latest OS X with the latest Yubikey models. If it's not a PAM module bug, it's a documentation issue.
from yubico-pam.
Yes this seems like a real bug, affecting one platform/version. I suspect something in Mac OS X changed and we have to catch up. You could try building the tool from source and running it under a debugger and chase back to where the error comes from. I bet it is from some low-level USB function. The low-level error we get back there could help identify some Apple documentation that would help us fix it.
It may also be that Apple has changed their policy so they don't want this functionality to work for non-root users. Then we have to think about work-arounds.
from yubico-pam.
This seems related to this report: Yubico/yubikey-personalization#34
from yubico-pam.
Klas noticed that your error message 'USB error: kIOReturnSuccess' is somewhat weird, it suggests things actually worked (the kIOReturnSuccess) but the library interpreted that as an error.
mig5, can you run 'ykinfo' and paste the output into the Yubico/yubikey-personalization#34 issue? I suspect the problem is in that project, not here.
from yubico-pam.
OK, you won't believe it, but it was because I had the setting 'Secure Keyboard Entry' turned on in my iTerm/Terminal. Something about this setting triggers some OS X setting designed to prevent keylogging, which appears to have prevented the ykinfo/ykpamcfg tools from interacting with what OS X considered to be a keyboard.
Disabling 'Secure Keyboard Entry' allowed me to run ykpamcfg and get my screensaver 2-factor auth working!
from yubico-pam.
Hi, I am not a programmer or developer, but I want to use yubikey with the yubico challenge response on MAC OS X Mavericks, as a login system. Do any of you know of a "how to guide" as in how to implement it? Or where I can find detailed instructions, and how to register 2 or more yubikeys as a backup in case one gets stolen or lost? Thanosk, you seem to have nailed it, any chance of doing a video on youtube or a how to guide or both, by any chance?
Hope someone can help.
from yubico-pam.
@dionbeukes I followed this excellent guide, it should get you going. http://blog.avisi.nl/2014/05/06/two-factor-authentication-on-osx-a-yubikey-example/
Registering a second yubikey is easy, you literally just repeat the 'ykpamcfg' step detailed in the post, with your second yubikey plugged in. Nothing to it.
from yubico-pam.
@dionbeukes I followed this guide for MacOSX: https://developers.yubico.com/yubico-pam/doc/MacOSXChallengeResponse.html
from yubico-pam.
Hi, thanks for replying. I wanted to email you directly but could not find a way to do it. I have a yubikey already but am using both slots on it for something else, will need to order 2 new yubikeys so I can set up the challenge response on both of them, 1 for general use and another as a backup.
On 24 Aug 2014, at 11:40, Thanos Kyritsis wrote:
> @dionbeukes I followed this guide for MacOSX: https://developers.yubico.com/yubico-pam/doc/MacOSXChallengeResponse.html
from yubico-pam.
Hi, thanks for replying. I have a yubikey already but am using both slots on it for something else, will need to order 2 new yubikeys so I can set up the challenge response on both of them, 1 for general use and another as a backup.
On 23 Aug 2014, at 09:58, Miguel Jacq wrote:
> @dionbeukes I followed this excellent guide, it should get you going. http://blog.avisi.nl/2014/05/06/two-factor-authentication-on-osx-a-yubikey-example/
> Registering a second yubikey is easy, you literally just repeat the 'ykpamcfg' step detailed in the post, with your second yubikey plugged in. Nothing to it.
from yubico-pam.
Info for Mojave: I could not get /usr/local/lib/security/pam_yubico.so to work. Turns out the download on yubico.com's website does not work with Mojave. The solution was to use homebrew:
- Assuming you have the package installed from yubico.com: Uninstall with their script https://support.yubico.com/support/solutions/articles/15000012625-uninstalling-the-macos-login-tool
- brew install yubico-pam
After I switched to the pam_yubico.so from homebrew, everything else worked as documented.
from yubico-pam.