How I set up OS X to require a Yubikey for local login. (Obsolete)
Update
So funny story. I set all this up, and then one day I forgot my Yubikey and needed to get into the computer.
There is no better test of your own security than getting locked out by your own security.
So it turns out that I hadn’t really thought this through. You can get into single user mode (or whatever Mac OS calls it) with just a password and from there change the config to disable the yubikey module.
I’m leaving this here for posterity, but don’t do it. It’s pointless.
A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. It appears like a USB human interface device (read: keyboard) and under normal conditions, when you press the button, it emits some random characters as if you typed them.
The garbage printed is actually a proprietary one-time-pad which can be verified against a network service.
Challenge and Response
I wanted my mac to require my YubiKey in order to log in locally. Using a OTP that must be verified over the network isn’t going to cut it.
Fortunately yubikeys support a challenge & response mode. In this mode supported software issues a challenge to the Yubikey (some random bytes), and the Yubikey uses the secret key only it knows to sign those random bytes. The signature becomes the response.
The host system can verify that an authorized yubikey is present by validating the signature.
Configuring your Yubikey
Configure your Yubikey for challenge-response. I used the Yubikey Personalization tool and slot #2 of my Yubikey.
Configuring PAM on OSX
PAM is the software that manages the rules for authenticating users. Yubico provide a PAM module the supports Yubikey in Challenge-Response mode.
Install the yubikey PAM module:
brew install yubico-pam
The challenge data are stored per user in ~/.yubico.
mkdir -m0700 -p ~/.yubico
ykpamcfg -2
Dipping a toe in
I was concerned about locking myself out, so to start I only worked on the lock screen. That way if I broke the configuration, a simple reboot would get me logged back in.
The file that controls the rules for unlocking the screen when it is locked is /etc/pam.d/screensaver. I added a line referencing the new PAM module:
# screensaver: auth account
auth required /usr/local/Cellar/pam_yubico/2.16/lib/security/pam_yubico.so mode=challenge-response
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
If your version of pam_yubico is different than 2.16 you’ll want to specify a slightly different path here.
Taking the plunge
The file that controls the rules for initial login is /etc/pam.d/authorization. I added the same line from the screensaver and all works as expected.
# authorization: auth account
auth required /usr/local/Cellar/pam_yubico/2.16/lib/security/pam_yubico.so mode=challenge-response
auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
User Experience
There is no user interface to speak of. There is no little box that prompts you to insert your token. The light starts flashing and you push the button twice.
Caveats
If you use full disk encryption, the key is derived only from the password. This makes it inferior to the old eToken + PGP desktop thing we used to do on Windows.