Breaks in macOS 10.15

[Frederick888]

Hi,

I have just upgraded to macOS 10.15 and it seems yubico-pam no longer works for /etc/pam.d/authorization and /etc/pam.d/screensaver.

/etc/pam.d/authorization

After the upgrade, I re-configured /etc/pam.d/authorization to:

# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response
account    required       pam_opendirectory.so

This caused me not able to log in or authenticate in e.g. System Preferences -> Security & Privacy. (had to enter recovery mode to unlock, oops!)

/etc/pam.d/screensaver

My /etc/pam.d/screensaver is configured as:

# screensaver: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

It works ok if you don't have a YubiKey plugged in (blocks login successfully) or normally touch YubiKey when prompted. BUT, it crashes and forcibly logs out the user if you unplug YubiKey when the LED is blinking.

And since I cannot use yubico-pam in /etc/pam.d/authorization now, it means the challenge-response can be effectively bypassed since if my password is leaked, one can simply plug in a wrong key to log me out, then use my password to normally log in.

[zero-one-devteam]

You can also use the XML provided in the Apple support docs, save it as .mobileconfig and either trust it unsigned or sign it by yourself e.g. with your Apple Developer Certificate.

[MartinMKD]

@zero-one-devteam that's the one I tried to load in Profile Creator that failed...hm. It might be perfectly functional, just ProfileCreator didn't like it. I used Buda's - now I just need to figure out how to sign and apply it. Apple Dev Certificate? Is this something I get for free on apple.com?

[zero-one-devteam]

I did not try it, mayba you can follow this guide:

https://osxdominion.wordpress.com/2015/04/21/signing-mobileconfig-profiles-with-keychain-certificates/

[MartinMKD]

thank you, I need all the help I can get on this. Really appreciate it.

[zero-one-devteam]

Unfortunatly, Apple Dev Certificate needs an Apple Developer Account which costs 99 € per year. You can also use an own certificate signed by your own Root CA (and set this as trusted).

[MartinMKD]

I am not paying 100 euros for something as simple as this. I'll try the self signed cert approach. I can live w/a smartcard + password login, but I definitely want to learn how to disable login and leave smartcard only enabled.

[andyneff]

@MartinMKD The rest of the instructions mentioned at https://support.apple.com/en-us/HT208372 will guide you through smart card ONLY setup (via editing PAM files). Basically they say "Smart card is sufficient" and then if you go down the password (pam_opendirectory) route it is "denied" (pam_deny)

Warning: There is a bug I've observed in Catalina that trying to unlock "Users & Groups" will not work with a smart card. All other Settings admin unlocks DO work (AFAIK) with a smart card, but that one will not. I have no idea why this is. This means it becomes impossible to access this menu (without editing the pam file first, temporarily, and then using a password to log in. It is the authorization file that controls all the GUI admin unlocks.

[zero-one-devteam]

Whats not quite clear to me: If I've enabled SmartCard only via profile, why should I edit /etc/pam.d/login?

[andyneff]

Unfortunately I'm not sure, as I don't have a clue what a Profile or Configurator is, and I don't know what those profile settings even do. If Configurator edits the pam files for you with those settings, then I suspect no, you don't need to edit /etc/pam.d.

(My use case was setting up with an AD domain, so it's a little different, but I have it working). However, I do understand the PAM changes, and they make sense to me, so I can try and help with that part.

[zero-one-devteam]

No, the profile does not make any changes in the pam files. I do not know what they will do ... my user is an AD user as well but I set up the smartcard outside AD.

[tob1k]

FWIW I just took the config sample from apples documentation here and saved it with a .mobileconfig extension, and applied it using the Profiles prefpane and it's all working hunky dory.

This has enforced smart cards everywhere, sudo, screensaver lock, etc without editing any pam files, or dealing with configurator/profile creator etc.

Granted the profile isn't signed, but for my purposes (a small team of 12 devs or so) this is fine.

Thanks again @MartinMKD for pointing me in the right direction here 🙏

[maxheld83]

not to be pedantic, but any chance the discussion about smartcard config could move somewhere else? As I understand it this issue is about PAM support, not smartcard.

[MartinMKD]

The smartcard discussion is relevant to anyone who is grappling with the PAM issue if nothing else then as a workaround.

[dagheyman]

FYI, we put together a small guide on the macOS smart card support, heavily based on Apples documentation, available here: https://developers.yubico.com/PIV/Guides/Smart_card-only_authentication_on_macOS.html

No updates on the pam module as far as I know.

[MillsapCyber]

Any update on the pam module? I just tested on 10.15.3 and everything seems to work fine, until you reboot. From a reboot you can't log in and the only way to fix it is by booting to recovery mode, mounting your system partition, and removing the yubikey code from the pam files. Also even when everything is working, the yubikey was not required to unlock the system with touchID, the system would just log in even if the key was unplugged.

[andyneff]

@MillsapCyber As far as I know, if you want to enforce 2fa, you need to disable touchID, it will always bypass all other pam security measures.

pam_yubico.so still did not work on the latest Catalina, when I tried on 3/23/2019.

I've looked into this a little more since last time. It seems like only the pam modules that don't exist as actual files on disk work in Catalina. pam_krb5.so, pam_ntlm.so, pam_opendirectory.so, pam_opendirectory.so, etc... won't be found on your filesystem anywhere, it's like they are virtually somewhere else, and only those files will work always. It's almost as if Apple decided these are the only ones that can be trusted, and will only use them, but that's a pure guess on my part. It's a shame this problem has yet to be addressed by Apple...

[ChristopheH-Ekonoo]

Anyone has already tested with the new version 10.15.4? Thanks Any response from Apple?

[TarekMowafy]

@ChristopheH-Ekonoo i am trying to setup my key on 10.15.4 but it keeps failing

➜ ~ ykpamcfg -2 USB error: unknown error

[Frederick888]

(I'm back on macOS, duh...)

I can still confirm this issue on 10.15.5.

Btw I noticed that screen saver does not crash if yubico_pam is not the last one in your PAM auth stack (probably...).

[nevun]

There has been a workaround committed for this in the yubikey-personalization repo.

If you run homebrew, try applying this diff to the ykpers formula: https://github.com/nevun/homebrew-core/commit/8f433b6c2e87d2aeb91a7663f52364d0332b035c

..and then do brew reinstall ykpers. This made it work for me on catalina

% sw_vers 
ProductName:    Mac OS X
ProductVersion: 10.15.7
BuildVersion:   19H2

debug: pam_yubico.c:838 (parse_cfg): called.
debug: pam_yubico.c:839 (parse_cfg): flags -2147483648 argc 3
debug: pam_yubico.c:841 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:841 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:841 (parse_cfg): argv[2]=debug_file=/tmp/lol
debug: pam_yubico.c:842 (parse_cfg): id=0
debug: pam_yubico.c:843 (parse_cfg): key=(null)
debug: pam_yubico.c:844 (parse_cfg): debug=1
debug: pam_yubico.c:845 (parse_cfg): debug_file=5
debug: pam_yubico.c:846 (parse_cfg): alwaysok=0
debug: pam_yubico.c:847 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:848 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:849 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:850 (parse_cfg): nullok=0
debug: pam_yubico.c:851 (parse_cfg): authfile=(null)
debug: pam_yubico.c:852 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:853 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:854 (parse_cfg): ldap_bind_user=(null)
debug: pam_yubico.c:855 (parse_cfg): ldap_bind_password=(null)
debug: pam_yubico.c:856 (parse_cfg): ldap_filter=(null)
debug: pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:858 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:859 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:860 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:862 (parse_cfg): url=(null)
debug: pam_yubico.c:863 (parse_cfg): urllist=(null)
debug: pam_yubico.c:864 (parse_cfg): capath=(null)
debug: pam_yubico.c:865 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:866 (parse_cfg): proxy=(null)
debug: pam_yubico.c:867 (parse_cfg): token_id_length=12
debug: pam_yubico.c:868 (parse_cfg): mode=chresp
debug: pam_yubico.c:869 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26
debug: pam_yubico.c:914 (pam_sm_authenticate): get user returned: user
debug: pam_yubico.c:490 (do_challenge_response): Checking for user challenge files
debug: pam_yubico.c:493 (do_challenge_response): Challenge files found
debug: util.c:222 (check_firmware_version): YubiKey Firmware version: 3.5.0

debug: pam_yubico.c:528 (do_challenge_response): Loading challenge from file /Users/user/.yubico/challenge-7346642
debug: util.c:437 (load_chalresp_state): Challenge: 860d5142c4535001d5c6f58ffa6879baf37d9468cbe219561292ef868f0cec258fdc4646cee54707df7bf184c3acc9b2b7a0d2121bd640655c2f539ca71a16, hashed response: cce19f04672c22899c7288ebc4248296d9f9e535, salt: bf26a4e37b149057465e7a23edbcabd6a8a3bdc6dd98bd71894e3311b5a41d9b, iterations: 10000, slot: 2
debug: pam_yubico.c:604 (do_challenge_response): Got the expected response, generating new challenge (63 bytes).
debug: pam_yubico.c:690 (do_challenge_response): Challenge-response success!
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [success]

[Frederick888]

@nevun May I know if Yubico/yubikey-personalization@7ee7b1131dd7c64848cbb6e459185f29e7ae1502 is the only required patch here?

I'm not able to verify this atm so I'd appreciate it if anyone can backport it and check it out. It can be cherry picked onto v1.20.0 without any merge issues.

[nevun]

@Frederick888 yes. but please be aware of the fact that this is a work around and might stop working at any time.

[rotorstudios-gg]

@nevun We've used the mac login tool pkg from yubico. How do we apply this fix? Do we need homebrew ?

[nevun]

@rotorstudios-gg there has not been a new release of yubico-pam packaged for mac by Yubico and since the package bundles libykpers you either have to build libykpers yourself and replace the dependency lib or remove the mac package and go with homebrew for both. I am not sure about your situation, it might make sense to take this to support@yubico.com?

Note, I am not an official spoke person on this matter for Yubico. I used the homebrew version though when I tested this on Catalina.

[rotorstudios-gg]

@nevun thanks. can you share how you got the homebrew version working? I got as far as installing homebrew via "/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" " . Thanks again

[nevun]

@rotorstudios-gg if you have install brew, next step is brew install pam_yubico should be enough to install the pam module and pull in the libykpers library which already has the applied patch required.

Note that you should definitely have a root shell opened in another terminal ready in case you mess up your pam config because sudo might stop working. I cannot stress this enough, as soon as you touch the pam configuration, you need to test it in another terminal before closing the root shell terminal because otherwise you could lock yourself out of your system.

After you installed the pam_yubico module from brew you should update your pam configuration to point to the correct pam module (the one from brew, not the one you had before).

Good luck

[rotorstudios-gg]

@nevun Thanks for that. Where is the patched libykpers library?

[nevun]

@rotorstudios-gg the homebrew repo already includes the patch so you only need to install pam_yubico through brew (https://github.com/Homebrew/homebrew-core/blob/master/Formula/ykpers.rb#L36)

[Frederick888]

By the way has anyone tested pam_yubico on macOS 11 (Big Sur)?

[rotorstudios-gg]

Thanks @nevun . That worked and I am using Big Sur. Now the next question is that if I dont want to use homebrew and create a standalone .pkg to be deployed, how do I find out what files are required? is it just the /usr/local/lib/security/pam_yubico.so file?

PS: I am familiar with creating pkg (via the Packages tool).

[nevun]

@rotorstudios-gg glad to hear it!

You can run otool -L /usr/local/lib/security/pam_yubico.so to see which libraries it depends on that you also need to bundle. libykpers also needs libjson-c for exampel. Feels like a brittle solution to me. Yubico making a yubikey-personalization release and then making a new yubico-pam release using that would be the best solution but I have no pull in getting that done.

[rotorstudios-gg]

Im not sure if this is the right place or not but it seems that although this now works (building/installing yubico via brew); it now breaks in the new M1 apple macbooks. The yubikey is recognized and is able to generate a challenge-response file but when prompting for user and password, the yubikey doesnt flash or anything and is immediately denied login. Just wondering if anyone else has found workarounds to this? Thanks

[andyneff]

@Frederick888 I just had one of my users update to BigSur, and they said the following:

folks, i have managed to elevate, sudo, and login + screensaver using the challenge-response mode of the yubikey this was done by upgrading pam_yubico to version 2.27

By "elevate", they mean graphically, like in System Preferences.

[andyneff]

We were upgrading from Mojave straight to Big Sur:

1. Install Xcode from the Appstore App
2. from the terminal run xcode-select --install
3. brew update
4. git -C /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core fetch --unshallow
5. brew update
6. brew uninstall pam_yubico
7. brew install pam_yubico

Brew needed a little special help. We uninstalled then reinstalled pam_yubico because we were told that both the fixed version and broken version were numbered 2.27, so we didn't know how brew would react to seeing the old 2.27 was already installed.