As described in the blog "Exploring Hard Tokens", using a username/password combination for access control has some "big" disadvantages. Passwords can be cracked, obtained by social engineering, read from faulty systems, captured over unsecured internet access, etc.
Yet authentication on a workstation usually is done by using a username/password combination. This method has been in use for years and everybody understands it.
When an attacker obtains a username/password combination, this often grants access to all sorts of company-wide information, e.g. email and other locally stored passwords (application, database). Furthermore, it is almost impossible to detect when an attacker accesses a system. Therefore it is important to strengthen your authentication by adding a second step to the authentication process. This can be done in several ways; this blog describes how I secured my OSX with a YubiKey.
A YubiKey provides the possibility to authenticate yourself with a second factor.
How it works
The configuration consists of three steps:
- Prepare your YubiKey
- Prepare your OSX (register your YubiKey with your account)
- Change OSX authentication
Setting up your YubiKey
Install the "YubiKey Personalization Tool"
Set a challenge-response (HMAC-SHA1) on the second slot of your YubiKey
- Select Configuration Slot 2
- Select Variable input for HMAC-SHA1 Mode
- Click Generate to generate a new Secret Key (20 bytes Hex)
- Click Write Configuration
Your YubiKey is now ready.
P.S. It is recommended to protect your YubiKey configuration by setting an Access Code.
Prepare your Mac to use your YubiKey
Open a terminal session as root. Do not close this session until you have verified that the new authentication process works; if an error occurs, this session lets you revert the changes:
Open a new terminal session as user and install the YubiKey pam module (with brew):
Generate a challenge in the user homedir:
A new challenge file is written to the directory ~/.yubico/.
Change the authentication process for screensaver
It is advisable to start by requiring a YubiKey for screensaver login and to verify your changes before continuing with the other authentication modules. That way, if an error occurs, you can still log in using the normal login screen.
From the root terminal, add the line "auth required pam_yubico.so mode=challenge-response" to the following file:
Edit the file:
Add the line:
Verify the authentication process
- Detach the YubiKey and enable screensaver
- Enter your username/password; access should be blocked.
- Now insert your YubiKey and log in; access should be granted.
If these steps succeed, you can finish the changes to the authentication process.
P.S. If login still fails, click Switch User and retry logging in. A different authentication module is used during this login.
Change the authentication process for sudo and user-login
Again from the root terminal, add the line "auth required pam_yubico.so mode=challenge-response" to the following files:
Edit the file:
Add the line:
From this point on, you need to insert your YubiKey before entering your username/password combination. You are logged in only when both steps succeed.
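As an added example (not code from the original post), here is a small shell helper that performs the edit described in the screensaver and sudo/user-login sections above: it prepends the pam_yubico challenge-response line to a PAM service file only if the line is not already there, keeps a backup that the still-open root session can restore, and first checks the two preconditions that lock you out when missing (the module file, and the challenge file that the earlier "Generate a challenge" step wrote under ~/.yubico/). The module path and the challenge-file name pattern are assumptions; the page does not state them, so adjust them to your installation.

```bash
#!/bin/sh
# Added example, not from the original post.
# Assumptions (not stated on the page): the pam_yubico module path and the
# "challenge-*" file name written under ~/.yubico/ by the challenge setup.
set -u

PAM_LINE="auth       required       pam_yubico.so mode=challenge-response"

# Return 0 when the PAM service file already carries the pam_yubico auth line.
pam_has_yubico() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_yubico\.so' "$1"
}

# Prepend PAM_LINE to the service file unless it is already present, so the
# YubiKey is checked before the username/password modules that follow it.
# A timestamped backup is kept next to the file for rollback from the root shell.
pam_add_yubico() {
    file="$1"
    if pam_has_yubico "$file"; then
        return 0
    fi
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    { printf '%s\n' "$PAM_LINE"; cat "$file"; } > "$file.tmp" && mv "$file.tmp" "$file"
}

# Preflight: refuse to proceed when the module or the user's challenge file is
# missing, because a "required" module that cannot load or cannot find its
# challenge denies every login. Both default paths are assumptions.
yubico_preflight() {
    module="${1:-/usr/local/lib/security/pam_yubico.so}"
    chal_dir="${2:-$HOME/.yubico}"
    [ -f "$module" ] || { echo "missing module: $module" >&2; return 1; }
    ls "$chal_dir"/challenge-* >/dev/null 2>&1 \
        || { echo "no challenge file in $chal_dir" >&2; return 1; }
    return 0
}

# Usage (run from the root terminal the post tells you to keep open; the
# service file name is whichever PAM file the post's step refers to):
#   yubico_preflight && pam_add_yubico /etc/pam.d/SERVICE_FILE_PLACEHOLDER
```

Run the preflight as the user whose ~/.yubico/ holds the challenge, then the edit as root; re-running pam_add_yubico on the same file is harmless, so the screensaver, sudo and user-login files can all be handled with the same call.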