yubico-pam: Breaks in macOS 10.15

Hi,

I have just upgraded to macOS 10.15 and it seems yubico-pam no longer works for /etc/pam.d/authorization and /etc/pam.d/screensaver.

/etc/pam.d/authorization

After the upgrade, I re-configured /etc/pam.d/authorization to:

# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response
account    required       pam_opendirectory.so

This left me unable to log in or authenticate in, e.g., System Preferences -> Security & Privacy. (I had to enter recovery mode to unlock, oops!)

/etc/pam.d/screensaver

My /etc/pam.d/screensaver is configured as:

# screensaver: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

It works OK if you don't have a YubiKey plugged in (it blocks login successfully) or if you touch the YubiKey normally when prompted. BUT it crashes and forcibly logs out the user if you unplug the YubiKey while the LED is blinking.

And since I cannot use yubico-pam in /etc/pam.d/authorization now, the challenge-response can effectively be bypassed: if my password is leaked, one can simply plug in a wrong key to log me out, then use my password to log in normally.

About this issue

  • State: open
  • Created 5 years ago
  • Reactions: 13
  • Comments: 84 (16 by maintainers)

Most upvoted comments

Any updates on a potential fix for this issue? It's been a while since Catalina was released. Currently our company is not security compliant since we require Yubikey 2FA at logon. Why isn't Yubico providing us updates/information on this issue? This is an important feature, one of the reasons we chose the Yubikey…

Mostly as an update: Yubico has no more information about this; we've opened a radar with Apple and tried to get clarity, with no answers so far.

@Frederick888 yes, but please be aware of the fact that this is a workaround and might stop working at any time.

Not exactly. Of course, you need a PIN to use the certificates on the smartcard. But it's not 2FA for the Mac, as you can log in to the Mac without the smartcard but with your password only. You may define a quite complex password (maybe a combination of some chars you enter and a static password provided by pressing the button on the same Yubikey (you have to configure the key accordingly)) to get a little bit more security. But it's not 2FA as we know it from the challenge-response method configured in the PAM config files.

In their zeal to remain “inventive”/ahead of the curve, Apple manages to break things that work such as Yubikey/PAM auth… along with other useless innovations, like the function key touchbar …

There has been a workaround committed for this in the yubikey-personalization repo.

If you run homebrew, try applying this diff to the ykpers formula: https://github.com/nevun/homebrew-core/commit/8f433b6c2e87d2aeb91a7663f52364d0332b035c

…and then do brew reinstall ykpers. This made it work for me on Catalina.

% sw_vers 
ProductName:	Mac OS X
ProductVersion:	10.15.7
BuildVersion:	19H2
debug: pam_yubico.c:838 (parse_cfg): called.
debug: pam_yubico.c:839 (parse_cfg): flags -2147483648 argc 3
debug: pam_yubico.c:841 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:841 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:841 (parse_cfg): argv[2]=debug_file=/tmp/lol
debug: pam_yubico.c:842 (parse_cfg): id=0
debug: pam_yubico.c:843 (parse_cfg): key=(null)
debug: pam_yubico.c:844 (parse_cfg): debug=1
debug: pam_yubico.c:845 (parse_cfg): debug_file=5
debug: pam_yubico.c:846 (parse_cfg): alwaysok=0
debug: pam_yubico.c:847 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:848 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:849 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:850 (parse_cfg): nullok=0
debug: pam_yubico.c:851 (parse_cfg): authfile=(null)
debug: pam_yubico.c:852 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:853 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:854 (parse_cfg): ldap_bind_user=(null)
debug: pam_yubico.c:855 (parse_cfg): ldap_bind_password=(null)
debug: pam_yubico.c:856 (parse_cfg): ldap_filter=(null)
debug: pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:858 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:859 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:860 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:862 (parse_cfg): url=(null)
debug: pam_yubico.c:863 (parse_cfg): urllist=(null)
debug: pam_yubico.c:864 (parse_cfg): capath=(null)
debug: pam_yubico.c:865 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:866 (parse_cfg): proxy=(null)
debug: pam_yubico.c:867 (parse_cfg): token_id_length=12
debug: pam_yubico.c:868 (parse_cfg): mode=chresp
debug: pam_yubico.c:869 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26
debug: pam_yubico.c:914 (pam_sm_authenticate): get user returned: user
debug: pam_yubico.c:490 (do_challenge_response): Checking for user challenge files
debug: pam_yubico.c:493 (do_challenge_response): Challenge files found
debug: util.c:222 (check_firmware_version): YubiKey Firmware version: 3.5.0

debug: pam_yubico.c:528 (do_challenge_response): Loading challenge from file /Users/user/.yubico/challenge-7346642
debug: util.c:437 (load_chalresp_state): Challenge: 860d5142c4535001d5c6f58ffa6879baf37d9468cbe219561292ef868f0cec258fdc4646cee54707df7bf184c3acc9b2b7a0d2121bd640655c2f539ca71a16, hashed response: cce19f04672c22899c7288ebc4248296d9f9e535, salt: bf26a4e37b149057465e7a23edbcabd6a8a3bdc6dd98bd71894e3311b5a41d9b, iterations: 10000, slot: 2
debug: pam_yubico.c:604 (do_challenge_response): Got the expected response, generating new challenge (63 bytes).
debug: pam_yubico.c:690 (do_challenge_response): Challenge-response success!
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [success]

FYI, we put together a small guide on the macOS smart card support, heavily based on Apples documentation, available here: https://developers.yubico.com/PIV/Guides/Smart_card-only_authentication_on_macOS.html

No updates on the pam module as far as I know.

Well… it originally was, but you can actually do all sorts of stuff with it. I prefer ProfileCreator from GitHub over it, because it's easier to use. But as always, ymmv.

@tob1k technically smartcard is 2FA: you have the physical card with the certs that authenticate you as the second factor, and the PIN you must enter to unlock the card. Neither one would work without the other.

On macOS you can also disable anything except smartcard logins, which should provide you with an extra layer of security.

Could anyone post instructions on how to remedy this from recovery mode? I’m struggling with Terminal and am locked out. Thank you for any help!

@Frederick888 in regard to your comment about the pam.d files being reset: I always assume that anything I customize on a Mac will be reset. I treat OS updates as "firmware" updates. For this reason, I configure a LaunchDaemon that will reprogram anything I ever edit on a Mac. In this case I run a carefully crafted awk and sed script that updates the pam.d files every time the computer is rebooted, fairly robustly. This has kept my yubikey setting since I started using it a year and a half ago.
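The re-apply job the comment above describes, as an added example; this is not the commenter's script and not part of yubico-pam. It assumes the module lives at /usr/local/lib/security/pam_yubico.so (the path used in the original post), that the pam_yubico line belongs directly after the `auth ... pam_opendirectory.so` line, and it is shown against a constructed copy of a 10.15 screensaver file rather than the live /etc/pam.d/screensaver. The function is idempotent (a second run is a no-op) and refuses to touch a file that has no pam_opendirectory anchor, so a reset or unexpected pam.d layout does not produce a file with the module in the wrong place or twice.

```shell
#!/bin/sh
# Added example: idempotently re-insert the pam_yubico line into a pam.d-style
# file, suitable for running from a LaunchDaemon after each reboot.
# Assumptions (hypothetical, not from the thread): module path below, insertion
# directly after the first "auth ... pam_opendirectory.so" line.

PAM_YUBICO_LINE='auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response'

# ensure_pam_yubico FILE
# Prints "present" (already configured, no change), "inserted" (line added after
# the pam_opendirectory auth line) or "noanchor" (no pam_opendirectory auth line;
# file left untouched, exit status 1).
ensure_pam_yubico() {
  file=$1
  if grep -q 'pam_yubico\.so' "$file"; then
    echo present
    return 0
  fi
  if ! grep -Eq '^auth[[:space:]].*pam_opendirectory\.so' "$file"; then
    echo noanchor
    return 1
  fi
  tmp=$(mktemp)
  # Copy every line; right after the first auth/pam_opendirectory line, emit ours.
  awk -v line="$PAM_YUBICO_LINE" '
    { print }
    !done && $1 == "auth" && $0 ~ /pam_opendirectory\.so/ { print line; done = 1 }
  ' "$file" > "$tmp"
  # Write back through the existing inode so root ownership and 0644 mode of the
  # original pam.d file are preserved (cp/mv would not guarantee that).
  cat "$tmp" > "$file"
  rm -f "$tmp"
  echo inserted
  return 0
}

# pam_yubico_count FILE : how many pam_yubico lines FILE has (expect exactly 1).
pam_yubico_count() {
  grep -c 'pam_yubico\.so' "$1"
}

# make_sample : constructed stand-in for a freshly reset /etc/pam.d/screensaver;
# prints the path of the temp file.
make_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# screensaver: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
EOF
  echo "$f"
}

# Demo against the constructed file (never the real pam.d without testing first).
sample=$(make_sample)
ensure_pam_yubico "$sample"   # inserted
ensure_pam_yubico "$sample"   # present
cat "$sample"
rm -f "$sample"
```

To use it for real, point `ensure_pam_yubico` at /etc/pam.d/screensaver (and any other stack you have verified works on your release) from a root LaunchDaemon's RunAtLoad program, and keep the "noanchor" failure path: a pam.d file Apple has restructured is exactly the case where blind sed edits lock you out, as the original post shows.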

After updating from 10.15.1 to 10.15.2, logging in with the yubikey worked without issue (it's been working for login only in Catalina this whole time, just not screensaver or privilege elevation). But after a second reboot, it stopped working.

  1. Insert Yubikey
  2. Log in with correct password
  3. It does not wait for you to press the yubikey, but it did blink, and the screen turns white for a few seconds
  4. The login screen restarts, including the MOTD prompt showing up again.

So Apple has at least made it 100% broken instead of 80% broken.

@klali I really believe you guys need to talk to Apple about this. I don't think this kind of technical feedback from individual customers like me, who are not familiar with either macOS entitlements or yubico-pam per se, would attract much attention from them.