yubiswitch
is an OSX status bar application to enable/disable a Yubikey Nano or Neo from Yubico.
Yubico is the producer of the Yubikeys: a hardware authentication device, designed to provide an easy to use and secure compliment to the traditional username and password.
By touching the exposed gold edge, a YubiKey Nano emits a One Time Password (OTP) as if it was typed in from a keyboard. The unique passcode is verified by a YubiKey compliant application.
So far all looks great doesn't it? :D
flnurfrdjvfrlutthjtjvcbcrlbbnnuu
ejehlrlrclcllukjgehhrttbknnbjdfn
njlvvnherbjvnljdvvvnihrfikufjucr
jhgkhrubrnuchhhbhrugvbenrhkcvich
Whooops! You see? I brought my laptop (lid opened) with me for a walk to a meeting room holding it with my right hand touching the golden stripe and this caused the Nano to start sending random OTP passwords to my Vim session, and to the FB chat window I had opened with my wife, and right now she's been asking WTF I've been writing :P
This status bar app allows you to avoid sending those accidental OTP passwords by allowing you to enable or disable the yubikey using a convenient global keyboard hot key that you can configure yourself.
Download the latest version in DMG format from github release page here.
This application needs to run with escalated privileges in order to exclusively grab the USB HID interface that drives the NANO/NEO-n Yubikey. Running the main app as root is a p.i.t.a. so YubiSwitch installs an helper daemon with root privileges which contains the logic to grab the USB HID interface, the main application talks to this daemon via XPC calls. When you start YubiSwitch for the first time it will ask for your user's password, this is expected to install the helper before mentioned.
If you use your Yubikey as part of multi-factor authentication for Mac then you might want to make sure that the option "Enable yubikey when system locks/sleeps" is enabled.
If want yubiswitch
to lock your computer when you unplug the key make sure that your security settings are as follow:
If you are running macOS Catalina (10.15) or later, open System Preferences and go to Security & Privacy, Privacy. Under Accessibility, click the lock to make changes and then use the + button to add /Applications/yubiswitch.app.
. Repeat under Input Monitoring.
[!IMPORTANT]
Yubiswitch is signed/notarised by the "Supratude Limited" developer account (@drothera) and so if you see this then this is expected.
The application supports two basic AppleScript commands:
You can switch your yubikey on and off using this basic osacript commands:
$ osascript -e 'tell application "yubiswitch" to KeyOn'
$ osascript -e 'tell application "yubiswitch" to KeyOff'
To find the product and vendor IDs you can use any of the following methods:
Use the GUI:
CMD + Space
) type System Information
Do the following in the terminal:
$ ioreg -p IOUSB -l -w 0 -x | grep -i Yubikey -A10 | grep 'idProduct\|idVendor'
"idProduct" = 0x116
"idVendor" = 0x1050
note: the
-x
for ioreg is important for displaying the idProduct field in hexadecimal.
$ brew update && brew tap jlhonora/lsusb && brew install lsusb
$ lsusb | grep -i Yubikey
Bus 020 Device 022: ID 1050:0116 1050 Yubikey NEO OTP+U2F+CCID
Menu items in the status bar:
Preference window:
Preferences
by clicking on the menu icon, then set the the Product ID
to 0x0114
(or whatever your ProductID is) see: How to find ProductID and VendorID.Product ID
and Vendor ID
follow the how to find your ProductID and VendorID steps belowProduct ID
and Vendor ID
are correct but the app is not working then please follow the uninstall instructions and update to the latest release version.Switch off Yubikey after __ seconds
(under preferences) causes trouble for Automatically switch off Yubikey
option. Converting this value to int fixes it. You need to make sure that you sign all applications and frameworks, also you need to make sure the dmg
file is signed (the bash script createdmg.sh
does this for you). You need to sign the app with an official Mac developer profile.
When you want to create a release:
git tag -a -m 'comment that describe the changes' v0.2
cd dmg/ && bash createdmg.sh <PATH TO APP>
/tmp/yubiswitch\_$VERSION.dmg
and attach the binary to the release in the new release in the github pageyubiswitch
uses ShortcutRecoder to implement global hot key and shortcuts recording in the the preference window.
Uninstallation process is pretty manual. Execute this as root:
Kill all processes:
# pkill -f com.pallotron.yubiswitch.helper
Tell launchctl
to stop the helper daemon:
# launchctl stop com.pallotron.yubiswitch.helper
# launchctl remove com.pallotron.yubiswitch.helper
Check that launchctl
service is no longer there:
# launchctl list | grep -i yubi
Remove files from filesystem:
# sudo rm /Library/PrivilegedHelperTools/com.pallotron.yubiswitch.helper
# sudo rm -r /Applications/yubiswitch.app/
Maybe one day I will provide a script to do this.
Credits: