Quick recap of what we saw in the first and second parts of this series. We started out by seeing how to setup your Macbook so that only one account is allowed to decrypt FileVault2, effectively creating two different passwords for mass storage decryption and user login authentication. After that we saw how to further compartmentalize by creating an account with administrative privileges, used only for administrative tasks like installing new software, adding new accounts or changing system preferences, and demoting our own user to standard account in order to make it harder for an attacker that has compromised it to escalate privileges and gain full control of the device.
In this part of the series we will see how to use a Yubikey to obtain a form of two factor authentication (2FA) at user login. The end result will be that to access your account you will have to provide your password and have the Yubikey inserted in your laptop. This measure can be also applied to secure the use of the command
CAUTION: make sure you repeat this procedure twice with two different Yubikeys, you don't want to lose the only one you have and get locked out of your own machine.
NOTE: it's possible to use the Yubikey as a PIV-compatible smart card with a pin for user login instead of the password. While some people and organizations use it that way I don't think it's really a good idea as the pin is at best a 8-character-long number, I think it's better to use a strong password and the Yubikey as a physical token.
These are the steps we will follow in order to achive our goal:
- Configure the Yubikey second slot to provide a challenge-response authentication mechanism
- Setup the challenge-response for every account
- Modify PAM configuration files to require the Yubikey.
1. Configure the Yubikey second slot to provide a challenge-response authentication mechanism
NOTE: if you went through the second part of this series you shouldn't be able to run
sudo directly from the terminal. That means that everytime you will read a command prepended by
sudo you will need to run
su admin_accout in order to then run the command with
First things first, we need the right software. We will install the Yubikey Manager tool by Yubico and the Yubikey module for Pluggable Authentication Modules (PAM). The first can be downloaded by the link provided above and installed through the GUI while the second requires the installation through MacPorts.
NOTE: if you haven't installed MacPorts yet go to the link and install it. I've had a bad experience on Mojave using brew to install the yubico-pam module so I suggest you use MacPorts.
To install the module needed to interface the Yubikey with PAM we will run the following command:
sudo port install yubico-pam
We have got all the software we need, now we will proceed to setup the Yubikey. It can be done via the CLI but I think using Yubikey Manager is a bit more intuitive.
Insert the Yubikey in your Macbook, then open up Yubikey Manager. Click on Applications and select OTP. Where it says Long Touch (Slot 2) click Configure. Select Challenge-response and click Next. Now click Generate in order to generate a new secret that will be stored on your Yubikey. Optionally you can select Require touch if you want your Yubikey to be triggered and answer the challenge only if you touch the button on it.
2. Setup the challenge-response for every account
Now it’s time to setup the challenge-response mechanism for every user. Remove and insert again your Yubikey, then fire up the terminal and write the following command:
$ ykpamcfg -2
NOTE: there's a good chance the command will fail with the following error if you have demoted your user to standard account:
last@lastBook: ~ $ ykpamcfg -2
USB error: kIOReturnSuccess
If that's the case run the following commands:
$ mkdir -m0700 .yubico
$ cd .yubico
$ sudo ykpamcfg -2
$ cp /var/root/.yubico/challenge-* ./
$ sudo chown $(pwd | cut -d/ -f 3) ./challenge-*
These commands basically
cd in your home directory, create the
.yubico directory where the files for your challenge-response will be stored,
cd inside the directory, create the challenge-response files with
sudo ykpamcfg -2, move them from where they are first created to the users's
.yubico directory and change the owner of the files from root to the user that owns the directory.
Alright, now you have the challenge files in the
.yubico directory inside your home directory. Repeat the procedure for every account in your laptop (this INCLUDES the administrative account and the decryption account). Once you have done that it’s time to move to the third step.
3. Modify PAM configuration files to require the Yubikey.
This is the most delicate part of this tutorial, be sure to double check what you write because there’s a high chance of getting locked out of your account(s) if you get sloppy. Before modifying the most important files we are going to test if the configuration has been done correctly. Fire up the terminal and write the following commands
sudo nano /etc/pam.d/screensaver
A CLI editor will show up, navigate to the line that says
auth required pam_opendirectory.so use_first_pass nullok and add the following code on a newline
auth required /opt/local/lib/pam/pam_yubico.so mode=challenge-response
Save and exit (CTRL-O and then CTRL-X). In this way we have required the Yubikey only for unlocking the lockscreen of your laptop, now it’s time to test it: remove the Yubikey, then lock the screen (either wait or press CTRL-CMD-Q) and try to login again WITHOUT inserting the Yubikey. If you didn’t make any errors you should not be able to login. Now try inserting the Yubikey and logging in again, it should allow you in (remember to touch the Yubikey if you checked the “Require touch” option back in Step 1).
If all worked flawlessly, fire up another terminal and spawn a root shell. Then go back to the other terminal and add the same line you added to
/etc/pam.d/sudo. Keep the root shell open, we will need it to edit the files in case something goes wrong.
Now, remove the Yubikey, open a third terminal and try first logging into the administrative account through
su <username>. If it fails, good. Insert the Yubikey and try again, if it works it means you have successfully edited
/etc/pam.d/authorization. Now remove the Yubikey and try from there
sudo su. If it fails, good. Insert it again and run the command again, if it works it means that
/etc/pam.d/sudo has been edited successfully too. You can now close the root shell.
CAUTION: remember to go through this process again with a second Yubikey. The steps until the creation of
.yubico included must not be repeated, only the
sudo ykpamcfg -2 and the following ones. Remember that the Yubikey will be required even for GUI authorization, when installing applications and editing system preferences for example.
SUCCESS: you have successfully enabled 2FA for unlocking the screen, running
sudo and logging in with users.
NOTE: for troubleshooting I suggest you head up to Yubico's official guide @ https://support.yubico.com/support/solutions/articles/15000015045-macos-logon-tool-configuration-guide