pallotron / yubiswitch

OSX status bar application to enable/disable Yubikey Nano
Other
881 stars 65 forks source link
objective-c osx statusbar yubico yubikey

yubiswitch

Overview

yubiswitch is an OSX status bar application to enable/disable a Yubikey Nano or Neo from Yubico.

Yubico is the producer of the Yubikeys: a hardware authentication device, designed to provide an easy to use and secure compliment to the traditional username and password.

By touching the exposed gold edge, a YubiKey Nano emits a One Time Password (OTP) as if it was typed in from a keyboard. The unique passcode is verified by a YubiKey compliant application.

Yubikey Nano picture

So far all looks great doesn't it? :D

flnurfrdjvfrlutthjtjvcbcrlbbnnuu
ejehlrlrclcllukjgehhrttbknnbjdfn
njlvvnherbjvnljdvvvnihrfikufjucr
jhgkhrubrnuchhhbhrugvbenrhkcvich

Whooops! You see? I brought my laptop (lid opened) with me for a walk to a meeting room holding it with my right hand touching the golden stripe and this caused the Nano to start sending random OTP passwords to my Vim session, and to the FB chat window I had opened with my wife, and right now she's been asking WTF I've been writing :P

This status bar app allows you to avoid sending those accidental OTP passwords by allowing you to enable or disable the yubikey using a convenient global keyboard hot key that you can configure yourself.

Download

Download the latest version in DMG format from github release page here.

Running

This application needs to run with escalated privileges in order to exclusively grab the USB HID interface that drives the NANO/NEO-n Yubikey. Running the main app as root is a p.i.t.a. so YubiSwitch installs an helper daemon with root privileges which contains the logic to grab the USB HID interface, the main application talks to this daemon via XPC calls. When you start YubiSwitch for the first time it will ask for your user's password, this is expected to install the helper before mentioned.

If you use your Yubikey as part of multi-factor authentication for Mac then you might want to make sure that the option "Enable yubikey when system locks/sleeps" is enabled.

If want yubiswitch to lock your computer when you unplug the key make sure that your security settings are as follow:

Security settings for screensaver

Accessibility and Input Monitoring Access (Catalina and above)

If you are running macOS Catalina (10.15) or later, open System Preferences and go to Security & Privacy, Privacy. Under Accessibility, click the lock to make changes and then use the + button to add /Applications/yubiswitch.app.. Repeat under Input Monitoring.

[!IMPORTANT]
Yubiswitch is signed/notarised by the "Supratude Limited" developer account (@drothera) and so if you see this then this is expected.

Accessibility settings

Integration with shell

The application supports two basic AppleScript commands:

You can switch your yubikey on and off using this basic osacript commands:

$ osascript -e 'tell application "yubiswitch" to KeyOn'
$ osascript -e 'tell application "yubiswitch" to KeyOff'

How to find ProductID and VendorID

To find the product and vendor IDs you can use any of the following methods:

  1. Use the GUI:

    • Open the System Information app (CMD + Space) type System Information
    • On the left sidebar click on USB -> Find your OTP/FIDO/CCID System Information app Screenshot
  2. Do the following in the terminal:

$ ioreg -p IOUSB -l -w 0 -x | grep -i Yubikey -A10 | grep 'idProduct\|idVendor'
          "idProduct" = 0x116
          "idVendor" = 0x1050

note: the -x for ioreg is important for displaying the idProduct field in hexadecimal.

  1. If you have brew installed and prefer lsusb-style output:
$ brew update && brew tap jlhonora/lsusb && brew install lsusb

$ lsusb | grep -i Yubikey
Bus 020 Device 022: ID 1050:0116 1050 Yubikey NEO OTP+U2F+CCID

Screenshots

Menu items in the status bar:

Menu items screenshot

Preference window:

Menu items screenshot

Known Issues

TODO and future plans

How to create DMG for distribution

You need to make sure that you sign all applications and frameworks, also you need to make sure the dmg file is signed (the bash script createdmg.sh does this for you). You need to sign the app with an official Mac developer profile.

When you want to create a release:

Dependencies

yubiswitch uses ShortcutRecoder to implement global hot key and shortcuts recording in the the preference window.

How to uninstall

Uninstallation process is pretty manual. Execute this as root:

Kill all processes:

# pkill -f com.pallotron.yubiswitch.helper

Tell launchctl to stop the helper daemon:

# launchctl stop com.pallotron.yubiswitch.helper
# launchctl remove com.pallotron.yubiswitch.helper

Check that launchctl service is no longer there:

# launchctl list | grep -i yubi

Remove files from filesystem:

# sudo rm /Library/PrivilegedHelperTools/com.pallotron.yubiswitch.helper
# sudo rm -r /Applications/yubiswitch.app/

Maybe one day I will provide a script to do this.

Credits

Credits: