Two-factor authentication on OSX (a YubiKey example)

Jeroen Veldhorst

Published: 6 May, 2014

Authentication

As described in the blog post "Exploring Hard Tokens", using a username/password combination for access control has some big disadvantages. Passwords can be cracked, obtained by social engineering, read from faulty systems, captured over unsecured internet access, etc.

Yet authentication on a workstation is usually done with a username/password combination. This method has been in use for years and everybody understands it.

When an attacker obtains a username/password combination, this often grants access to all sorts of company-wide information, e.g. email and other locally stored passwords (application, database). Furthermore, it is almost impossible to detect when an attacker accesses a system with stolen but valid credentials. Therefore it is important to strengthen your authentication by adding a second step to the authentication process. This can be done in several ways; this blog describes how I secured my OSX with a YubiKey.

YubiKey

A YubiKey provides the possibility to authenticate yourself with a second factor.

  1. Something you know: username/password
  2. Something you have: YubiKey

How it works

The configuration consists of three steps:

  1. Prepare your YubiKey
  2. Prepare your OSX (register your YubiKey with your account)
  3. Change OSX authentication

Setting up your YubiKey

Install the "YubiKey Personalization Tool"


Set a challenge-response (HMAC-SHA1) on the second slot of your YubiKey

  • Select Configuration Slot 2
  • Select Variable input for HMAC-SHA1 Mode
  • Click Generate to generate a new Secret Key (20 bytes, hex)
  • Click Write Configuration

Your YubiKey is now ready.

P.S. It is recommended to protect your YubiKey configuration by setting an Access Code.

Prepare your Mac to use your YubiKey

Open a terminal session as root. Do not close this session until you have verified that the new authentication process works. If an error occurs, this session lets you undo the change:

terminal (root)
sudo su

Open a new terminal session as user and install the YubiKey pam module (with brew):

terminal (user)
brew install pam_yubico
sudo cp /usr/local/Cellar/pam_yubico/2.16/lib/security/pam_yubico.so /usr/lib/pam/pam_yubico.so

Generate a challenge in the user homedir:

terminal (user)
mkdir ~/.yubico
ykpamcfg -2

A new challenge (together with the response expected for it) is written to the directory ~/.yubico/

Change the authentication process for screensaver

It is advisable to start by requiring a YubiKey for screensaver login and to verify your changes before continuing with the other authentication modules. That way, if an error occurs, you can still log in using the normal login screen.

From the root terminal, add the line auth required pam_yubico.so mode=challenge-response to the following file:

/etc/pam.d/screensaver

For example:

Edit the file:

terminal (root)
vi /etc/pam.d/screensaver

Add the line:

auth required pam_yubico.so mode=challenge-response

Verify the authentication process

  • Set your OSX to require a password on screen saver
  • Detach the YubiKey and enable the screensaver
  • Enter your username/password; access should be blocked.
  • Now insert your YubiKey and log in; access should be granted.

If these steps succeed, you can finish the changes to the authentication process.

P.S. If login still fails, click Switch User and retry logging in. A different authentication module is used during this login.

Change the authentication process for sudo and user-login

Again from the root terminal, add the line auth required pam_yubico.so mode=challenge-response to the following files:

/etc/pam.d/authorization
/etc/pam.d/sudo

For example:

Edit the file:

terminal (root)
vi /etc/pam.d/authorization

Add the line:

auth required pam_yubico.so mode=challenge-response

Done

From this point on, you need to insert your YubiKey before entering your username/password combination. Only when both steps succeed are you logged in.
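The challenge file that ykpamcfg writes and the check pam_yubico performs at login, modelled in Python as an added example (this is not code from the post or from pam_yubico; the file layout and the challenge size are assumptions of the model):

```python
import hashlib
import hmac
import os

SECRET_LEN = 20  # the Personalization Tool generates a 20-byte HMAC-SHA1 secret


class YubiKeySlot2:
    """Simplified model of slot 2 in HMAC-SHA1 challenge-response mode."""

    def __init__(self, secret: bytes):
        if len(secret) != SECRET_LEN:
            raise ValueError("slot 2 expects a 20-byte secret")
        self._secret = secret  # stays on the token; the host never sees it

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ChallengeFile:
    """Host-side state standing in for the file ykpamcfg writes under ~/.yubico/.
    It holds one challenge and the response expected for it, never the secret."""

    def __init__(self, respond):
        self.challenge = b""
        self.expected = b""
        self._rotate(respond)  # enrolment, like ykpamcfg -2 with the key inserted

    def _rotate(self, respond):
        self.challenge = os.urandom(63)  # fresh random challenge (size is an assumption)
        self.expected = respond(self.challenge)

    def authenticate(self, respond) -> bool:
        """The PAM step: send the stored challenge, compare the answer in constant time."""
        if not hmac.compare_digest(respond(self.challenge), self.expected):
            return False
        self._rotate(respond)  # success: new challenge, so the old answer cannot be replayed
        return True


def demo():
    """Returns (genuine key accepted, other key rejected, replayed answer rejected)."""
    key = YubiKeySlot2(bytes(range(SECRET_LEN)))  # constructed secret
    other = YubiKeySlot2(bytes(SECRET_LEN))  # a second key with a different secret
    store = ChallengeFile(key.respond)
    captured = key.respond(store.challenge)  # answer observed once on the wire
    ok = store.authenticate(key.respond)
    wrong = store.authenticate(other.respond)
    replay = store.authenticate(lambda _c: captured)
    return ok, wrong, replay
```

Because only the challenge and its expected response are stored on disk, a copied ~/.yubico/ file is useless without the key, and each successful login invalidates the previous answer.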
