Comments (20)

crosser commented on May 31, 2024

At least on Ubuntu, the simplistic approach described on the cited wiki page does not work, because PAM configuration uses [success=N ...] to jump around modules and perform the necessary sequence of checks, instead of simply relying on "required"/"sufficient". It's complicated even more by extensive use of @include. In order to include another module, one needs to understand how existing configuration works. For instance, this is my /etc/pam.d/gnome-screensaver:

auth    [success=3 default=ignore]      pam_yubico.so mode=challenge-response
@include common-auth
auth optional pam_gnome_keyring.so

to achieve the effect of "sufficient", because I need to jump to "pam_permit" module which is the fourth one inside /etc/pam.d/common-auth.

OSX might be using some similar arrangement. Could be worth checking.

from yubico-pam.
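
The jump arithmetic described in the comment above can be checked mechanically. This is an added example, not part of the original thread or of yubico-pam: it flattens `@include` and reports which module each `[success=N]` lands on. Only the gnome-screensaver lines come from the comment; the common-auth content is a constructed assumption with pam_permit.so as its fourth module.

```python
import re

# gnome-screensaver is quoted from the comment; common-auth is CONSTRUCTED
# sample content (assumption: pam_permit.so is its fourth module).
FILES = {
    "gnome-screensaver": """\
auth    [success=3 default=ignore]      pam_yubico.so mode=challenge-response
@include common-auth
auth optional pam_gnome_keyring.so
""",
    "common-auth": """\
# constructed example
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
""",
}

# type, control (bracketed or single word), module path
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def expand(name, files, mgmt="auth", seen=()):
    """Return the flattened (control, module) stack for one management group."""
    if name in seen:
        raise ValueError(f"include loop via {name}")
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            stack += expand(line.split()[1], files, mgmt, seen + (name,))
            continue
        m = LINE.match(line)
        if m and m.group(1).lstrip("-") == mgmt:
            stack.append((m.group(2), m.group(3)))
    return stack

def success_jumps(stack):
    """Map each module using [success=N] to the module its jump lands on.
    None means the jump runs past the end of the flattened stack."""
    out = {}
    for i, (control, module) in enumerate(stack):
        m = re.search(r"\bsuccess=(\d+)\b", control)
        if m:
            j = i + 1 + int(m.group(1))  # skip the next N modules
            out[module] = stack[j][1] if j < len(stack) else None
    return out
```

With these sample files, changing the count to `success=2` makes the pam_yubico.so jump land on pam_deny.so, which is the off-by-one this check is meant to catch.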

thanosk commented on May 31, 2024

I just set up a Mavericks installation to require a YubiKey for login.
I modified /etc/pam.d/authorization adding this as first line:

auth       requisite      pam_yubico.so mode=challenge-response

/etc/pam.d/screensaver, /etc/pam.d/sshd also work (didn't try /etc/pam.d/sudo but my guess is that it works)

jjrp78 commented on May 31, 2024

the files you want to edit are: authorization and screensaver

jas4711 commented on May 31, 2024

Thanks for help -- closing this since it is working.

mig5 commented on May 31, 2024

I get 'USB error: kIOReturnSuccess' when I run ykpamcfg -2 for challenge-response on OS X Mavericks 10.9.4, unless I use sudo

See http://forum.yubico.com/viewtopic.php?f=26&t=1169&p=5375#p5375

Any ideas how to get it to work without sudo? Pretty useless otherwise.. the /etc/pam.d/screensaver stuff simply fails with 'Operation not permitted' since the auth is not being run as root

jas4711 commented on May 31, 2024

Could it be a problem talking USB without root access? After summer we can try to reproduce this, but we don't have any Mac people around now. If anyone else has ideas, that would be appreciated! Since the problem happens with the standalone 'ykpamcfg' tool, it should be easy to reproduce. Problems with the PAM module under the screensaver are harder to debug.

mig5 commented on May 31, 2024

I dare say that is indeed the problem. It doesn't just occur with ykpamcfg but also ykinfo.

The screensaver issue is just a side-effect/example of the over-arching issue of not being able to run things as a non-administrative user, I think.

I also assume it is Mavericks-specific (it occurs for me with either a Yubikey standard or a Neo)

mig5 commented on May 31, 2024

If there is any way for me to provide more debug info when running the 'yk' tools, please do let me know. I'll be happy to give more info if I can!

crosser commented on May 31, 2024

It looks to me like a missing udev rules file, or an incorrect one (not covering the right vendor/product or setting improper permissions).
(Does this question belong to the bug tracker?)

mig5 commented on May 31, 2024

The thing is OS X doesn't have udev as far as I (and others) can tell.

I think it does belong in the bug tracker, the instructions simply don't work on latest OS X with the latest Yubikey models. If it's not a PAM module bug, it's a documentation issue.

jas4711 commented on May 31, 2024

Yes this seems like a real bug, affecting one platform/version. I suspect something in Mac OS X changed and we have to catch up. You could try building the tool from source and running it under a debugger and chase back to where the error comes from. I bet it is from some low-level USB function. The low-level error we get back there could help identify some Apple documentation that would help us fix it.

It may also be that Apple has changed their policy so they don't want this functionality to work for non-root users. Then we have to think about work-arounds.

jas4711 commented on May 31, 2024

This seems related to this report: Yubico/yubikey-personalization#34

jas4711 commented on May 31, 2024

Klas noticed that your error message 'USB error: kIOReturnSuccess' is somewhat weird, it suggests things actually worked (the kIOReturnSuccess) but the library interpreted that as an error.

mig5, can you run 'ykinfo' and paste the output into the Yubico/yubikey-personalization#34 issue? I suspect the problem is in that project, not here.

mig5 commented on May 31, 2024

OK, you won't believe it, but it was because I had the setting 'Secure Keyboard Entry' turned on in my iTerm/Terminal. Something about this setting triggers some OS X setting designed to prevent keylogging, which appears to have prevented the ykinfo/ykpamcfg tools from interacting with what OS X considered to be a keyboard.

Disabling 'Secure Keyboard Entry' allowed me to run ykpamcfg and get my screensaver 2-factor auth working!

dionbeukes commented on May 31, 2024

Hi, I am not a programmer or developer, but I want to use a YubiKey with the Yubico challenge-response on Mac OS X Mavericks as a login system. Do any of you know of a "how to guide" on how to implement it? Or where I can find detailed instructions, and how to register 2 or more YubiKeys as a backup in case one gets stolen or lost? Thanosk, you seem to have nailed it. Any chance of doing a video on YouTube or a how-to guide, or both?

Hope someone can help.

mig5 commented on May 31, 2024

@dionbeukes I followed this excellent guide, it should get you going. http://blog.avisi.nl/2014/05/06/two-factor-authentication-on-osx-a-yubikey-example/

Registering a second yubikey is easy, you literally just repeat the 'ykpamcfg' step detailed in the post, with your second yubikey plugged in. Nothing to it.

thanosk commented on May 31, 2024

@dionbeukes I followed this guide for MacOSX: https://developers.yubico.com/yubico-pam/doc/MacOSXChallengeResponse.html

dionbeukes commented on May 31, 2024

Hi thanks for replying. I wanted to email you directly but could not find a way to do it. I have a yubikey already but using both slots on it for something else, will need to order 2 new yubikeys so I can set up the challenge response on both of them, 1 for general use and another as a backup.

dionbeukes commented on May 31, 2024

Hi thanks for replying. I have a yubikey already but using both slots on it for something else, will need to order 2 new yubikeys so I can set up the challenge response on both of them, 1 for general use and another as a backup.

face commented on May 31, 2024

Info for Mojave: I could not get /usr/local/lib/security/pam_yubico.so to work. Turns out the download on yubico.com's website does not work with Mojave. The solution was to use homebrew:

  1. Assuming you have the package installed from yubico.com: Uninstall with their script https://support.yubico.com/support/solutions/articles/15000012625-uninstalling-the-macos-login-tool
  2. brew install yubico-pam

After I switched to the pam_yubico.so from homebrew, everything else worked as documented.
