macadmins / escrow-buddy

A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.
Apache License 2.0

CTK/SmartAuth Question #5

Closed elstalk closed 5 months ago

elstalk commented 8 months ago

Summary

I have only tested on a few machines in our fleet, but it does not seem to work if the account that logs in is using enforced SmartAuth login with CTK. The local admin account logs in and it works, but my account with CTK enforcement gives these errors:

ERROR: fdesetup terminated with a non-zero exit status: 11
fdesetup Standard Error: Optional("Error: User could not be authenticated.\nError: Unable to unlock or authenticate to FileVault.\n"
Caught error trying to generate a new key: The operation couldn't be completed. (Escrow.Buddy.Invoke.FileVaultError error 0.)

Steps to Reproduce

Log out and log back in with a two-factor enabled account (so username/PIN instead of username/password) and it won't work. Log out and log back in with a local account that does not have two-factor enforced (can log in with username/password) and it works. Additionally, if I disable the enforcement of CTK and log in with the username/password on my personal account, it works as well. I have attached the output from that machine (I ran log show --predicate 'subsystem == "com.netflix.Escrow-Buddy"' --style syslog --debug --info --last 24h and saved it to a ".log" file): logCapture.log

Expected Behavior

I would expect that it would work, but it is not.


homebysix commented 8 months ago

Thanks for reporting this. We don't use SmartAuth / CryptoTokenKit, so our ability to build support for this may be limited.

Two questions:

  1. If I understand correctly, the fdesetup error does not prevent a successful login from occurring. Is that right?
  2. After logging in with a SmartAuth user, what output does sudo fdesetup changerecovery -personal -verbose produce in the Terminal?

elstalk commented 8 months ago

The fdesetup error doesn’t prevent login, but it does not send a new key to Jamf.

I logged in to both FileVault and the OS with my PIV-D credential, and, when I run the command, it prompts for username/password. At that point I am able to enter the password. If I enter my PIN there (as I do for login), it states that the user cannot be authenticated.

With my password:

***@***.*** ~ % sudo fdesetup changerecovery -personal -verbose
Enter PIN for 'Certificate For PIV Authentication (ELIZABETH SMITH (Affiliate))':
fdesetup: use personal recovery key
fdesetup: device path = /
Enter the user name:elsmith
Enter the password for user 'elsmith':
New personal recovery key = 'LVU9-OZ58-EEO2-O28G-JOBF-Q8M7'

With my PIN as the password:

***@***.*** ~ % sudo fdesetup changerecovery -personal -verbose
fdesetup: use personal recovery key
fdesetup: device path = /
Enter the user name:elsmith
Enter the password for user 'elsmith':
Error: User could not be authenticated.
Error: Unable to unlock or authenticate to FileVault.
***@***.*** ~ %


homebysix commented 8 months ago

Understood, thank you. I'm happy to hear that you're not prevented from logging in — Escrow Buddy is designed to "fail open" for these types of situations.

I'll seek some advice from peers who use SmartAuth and see if there's a way to solve this.

elstalk commented 8 months ago

Awesome, thank you!! I really appreciate your help - this is an awesome little app!


homebysix commented 5 months ago

Hi @elstalk - Unfortunately, we're not able to commit the development resources needed to support smart cards at this time. This could be one situation in which a user-facing password prompt might still be appropriate, for now.

Pull requests are welcome if anybody wants to add this feature, but doing so would also require ongoing testing commitment that we're not able to provide as we don't use smart cards for Mac authentication.
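Because Escrow Buddy fails open in the smart-card case described in this thread, an administrator needs some way to notice Macs whose login did not produce a freshly escrowed key. The check below is an added example, not part of Escrow Buddy: it classifies a captured Escrow Buddy log (the `log show` output the reporter attached) as OK, FAILED-AUTH or FAILED-OTHER. The sample log lines are constructed; the timestamp, hostname and process fields are assumptions, and only the error strings are taken from the issue.

```shell
#!/bin/sh
# Added example, not Escrow Buddy's own code. Classifies a captured Escrow Buddy
# log so an admin can see where key regeneration failed open. Real input comes from:
#   log show --predicate 'subsystem == "com.netflix.Escrow-Buddy"' \
#       --style syslog --info --debug --last 24h > logCapture.log
# The sample below is constructed: timestamp, host and process fields are
# assumptions; only the error strings are taken from the issue thread.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2023-10-23 14:02:11.201337-0400  mac-0042  authorizationhost[812]: (Escrow Buddy) ERROR: fdesetup terminated with a non-zero exit status: 11
2023-10-23 14:02:11.201402-0400  mac-0042  authorizationhost[812]: (Escrow Buddy) fdesetup Standard Error: Optional("Error: User could not be authenticated.\nError: Unable to unlock or authenticate to FileVault.\n")
2023-10-23 14:02:11.201455-0400  mac-0042  authorizationhost[812]: (Escrow Buddy) Caught error trying to generate a new key: The operation couldn't be completed. (Escrow.Buddy.Invoke.FileVaultError error 0.)
EOF

# count_fdesetup_failures FILE: number of fdesetup runs that exited non-zero.
# grep -c prints 0 (and exits 1) when nothing matches, so swallow that status.
count_fdesetup_failures() {
    grep -c 'fdesetup terminated with a non-zero exit status' "$1" || true
}

# escrow_status FILE:
#   OK           - no fdesetup failure logged (a new PRK was requested normally)
#   FAILED-AUTH  - fdesetup rejected the credential; this is the smart-card PIN
#                  symptom from the thread, so no new key was escrowed
#   FAILED-OTHER - fdesetup failed for some other reason; inspect the log
#   UNKNOWN      - log file missing or unreadable
escrow_status() {
    [ -r "$1" ] || { echo UNKNOWN; return 0; }
    if [ "$(count_fdesetup_failures "$1")" -eq 0 ]; then
        echo OK
    elif grep -q 'User could not be authenticated' "$1"; then
        echo FAILED-AUTH
    else
        echo FAILED-OTHER
    fi
}

# Stand-alone run over the constructed sample. In practice the status string is
# what you would surface as an MDM inventory attribute for fleet-wide reporting.
status=$(escrow_status "$SAMPLE_LOG")
echo "escrow status: $status ($(count_fdesetup_failures "$SAMPLE_LOG") failed fdesetup run(s))"
```

A host reporting FAILED-AUTH is exactly the population this thread identifies: smart-card users for whom the maintainers suggest a user-facing password prompt instead.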