Moving fast and breaking things with Yubikey and macOS

Right. Last time I wrote about how to configure your Mac to optionally use a Yubikey as a hardware authentication device – you plug the Yubikey in to a free USB port and you can then use the PIN for that key to log in to your user account – which is handy if you don’t want to have to mess around with your regular password. However, allowing it as an optional method of authentication isn’t the same thing as requiring it as a method of authentication. In other words, if you didn’t have your Yubikey handy then you could type in your password and still be able to use your computer, but maybe there are times and circumstances where you’d like to disable the ability to use a password entirely and substitute it with a Yubikey.

Yes. It really is this tiny.

This isn’t as crazy as it seems. Gather around the fire, friends, and let me recount a tale from the long, long ago; a fragment from a distant time, a ghostly antiquity from the Turn Of The Century.

A long time ago I worked at a design/branding agency where I had the unenviable duty of acting as a sort of media archivist as well as general IT factotum. This translated to being the guy who – if you needed to pull a work file from an archived job from three years ago – knew where to find the DVD with the data burned onto it. (This was almost twenty years ago. Storage space was expensive and DVDs were cheap. It was a different time, whippersnapper!) I didn’t particularly enjoy this condition of my employ, but it was fine. We used an obscure media-tracking application that had been put into effect some years beforehand and was full of an enormous amount of data that we were stuck with – we tried a lot of abortive attempts to shunt the massive, proprietarily-created weird database that the application used into some kind of form that we could slap on the office intranet with no real effect, so I was stuck doing it by hand; now and again I’d have someone show up and give me a time and a project name and I’d go dig through the archive and pull out the data, and everyone would be happy. To a degree. Okay, all parties would be equally frustrated, but would at least be good-natured and mutually apologetic about it.

Except for one guy, who was kind of a jerk. He thought that this was a ridiculous arrangement – and while I agreed with this in both theory and practice I at least understood that you can’t cram two hundred gigabytes of data into a one hundred gigabyte RAID and that being as this was the case it a necessary evil that it took a few minutes to go dig up old work. He didn’t. And he didn’t like waiting for me to go find the data for him, so because he wasn’t long on confrontation and trying to be proactive he thought the logical first move was that he should try and break into my computer and go find the data for himself.

I don’t think it’s controversial to run the following opinion up the flagpole: This was a dick move. But he was pretty sneaky about it – it took me a while to figure this out, but as the IT guy I’d usually be one of the first people in the office each morning and there were plenty of times that I’d find him there already, in a vile mood, loitering around my office. Sometimes my desk was in disarray (inasmuch as that was possible considering I’d spent years perfecting the platonic ideal of disarray). Once or twice I caught him sitting at my desk with my computer turned on and at the login screen. Just waiting for me to get there, he’d say.

And then, one day, I went to fix… I don’t remember. Probably something to do with QuarkXpress (because it was twenty years ago and QuarkXpress broke so badly and so often that whole careers were made out of fixing the thing), but that’s not important. I was at his desk and saw, stuck on a post-it note, my login password for my computer. He’d been watching me type on the keyboard when I logged in and I think he’d piecemealed it together over time.

This stuck in my craw because it was my computer. As in, not the-computer-that-work-issued-me because all the budget went into gear for the design teams and the computer they gave me had some serious hardware defects, but my computer as in the-one-that-I-bought-with-my-own-money-and-kept-at-my-office-desk. Still, things being as they were, there was little I could do about this except be creative about it, so I was creative about it. For one thing, I changed all my passwords. For another, I put my boot volume on a fast external drive and took it home with me every night. With no operating system there was nothing for him to snoop on. Effective, but drastic, and horribly insecure because if something terrible had happened to that drive (lost, stolen, destroyed) it would have significantly impacted my job performance. Everything was backed up, but it would have cost some time to restore things to their former glory.

Still, while he was a fairly senior person in the company there was a lot of information on that drive that for one reason or another couldn’t live on a server share and also was not for his eyes – after all, as well as finding DVDs and fixing QuarkXpress I also supported the CEO and had a couple of projects I was working on for her on there that the rest of the rank and file should absolutely not know anything about.

(Sidebar: On the slim chance that the offending party might ever read this – you know who you are and I’m still mad about it.)

If there’d been a way to secure login to that computer with a token that I could have kept on a keychain – say, a Yubikey – then this would have been a considerably simpler problem to navigate. That guy could have written passwords or PIN numbers down all day long, but without my hardware token plugged into the thing he’d have been pulling his hair out in frustration. And that would have been a thing of beauty.

It turns out that setting up macOS to only allow authentication via Yubikey/Smartcard isn’t terribly complicated. There are a few hoops to jump through, but the procedure itself isn’t vastly involved. However, there are a few caveats that I’d encourage you bear in mind before going forward.

Firstly, enable the root user (open /System/Library/CoreServices/Applications/Directory Utility and choose “enable root access). Having root enabled on your Mac is generally regarded as A Bad Thing for many excellent reasons, but we’re about to go mucking around at the bottom of the Marianas Trench of the operating system, so having God Mode on tap in case things go awry is a must. You can (and should) always turn it off again once we’re done.

Secondly, make sure you have a good backup before you start anything. If something unexpected happens (bizarre system crash, power cut, bad stick of RAM, freak Act of God) then you could incur significant loss of data – or more precisely, significant loss of access to your data.

Assuming you’ve taken both of these into account, we’ll need to change some things in /etc/pam.d – which I wrote about a few weeks back and took a run at an explanation of the mechanics of the thing that might be worth a read.

In case things go awry we’ll do some backing up in /etc/pam.d – I have my Yubikey set up and enabled for sudo and login, so to make a copy of the default, non-tinkered-with configurations for each you should enter the following two commands:

sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"`

sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`

Note: It is important to back these up prior to changing anything. If you mis-type something and don’t have these files backed up then you’re in a world of hurt, but if you have these files backed up and root access enabled then you can log in as root at the loginwindow and copy these files back to their default names/locations.

Next, if you want to use your PIN instead of your password when executing sudo then replace the contents of /etc/pam.d/sudo with this text:

# sudo: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_opendirectory.so
auth        required      pam_deny.so
account     required      pam_permit.so
password    required      pam_deny.so
session     required      pam_permit.so

At this point you’ll now be required to use your Yubikey PIN instead of your password whenever you want to use sudo – it’s not for everyone, but my PIN is deep in my muscle memory and it’s a lot faster than typing in my password. If you want to change it back then I implore you to make sure that you open the backup you created and then sudo pico /etc/pam.d/sudo and manually make the changes you want rather than deleting the /etc/pam.d/sudo file, because it’s awfully hard to use your keys to unlock your front door when you’ve just chucked the things in the drain.

If you want to force the use of a PIN/Yubikey to log in to the computer then you’ll need to likewise change the contents of /etc/pam.d/login to this:

# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
auth        required      pam_deny.so
account     required      pam_nologin.so
account     required      pam_opendirectory.so
password    required      pam_opendirectory.so
session     required      pam_launchd.so
session     required      pam_uwtmp.so
session     optional      pam_mount.so

Finally, create a new file on your Desktop by firing off touch ~/Desktop/smartcard.mobileconfig and then pico ~/Desktop/smartcard.mobileconfig and copy in this wall of text:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures smart card-only</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.78.</string>
<key>PayloadOrganization</key>
<string>Apple</string>
<key>PayloadType</key>
<string>com.apple.security.smartcard</string>
<key>PayloadUUID</key>
<string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserPairing</key>
<false/>
<key>allowSmartCard</key>
<true/>
<key>checkCertificateTrust</key>
<false/>
<key>enforceSmartCard</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Smartcard profile.</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.77</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadUUID</key>
<string>7D34CC86-C707-44D2-9A9F-C5F6E347BD77</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Close out of the Terminal, find the smartcard.mobileconfig file you just created, double-click on it and install it.

All things being equal, you should now have your computer set up to require the Yubikey for logging in. If you pull the key out and try and log in you’ll get a password prompt, but neither your password nor your PIN will work until you plug the key in. Likewise, unlocking System Preference Panes or any other task that requires an admin password.

Leave a Reply

Your email address will not be published. Required fields are marked *