Breaks in macOS 10.15 #201
Comments
|
Logs |
|
Just compiled master branch locally and it was the same symptom. |
|
+1 I can confirm the same USB error for /etc/pam.d/authorization on catalina. ssh pgp key management, and pam sudo appear to work ok. The same configurations work working fine on mohave. The screensaver integration will also log you out if you type the wrong user password and touch the yubikey (the expected behavior is for osx to offer another password attempt, not log you out). Here is the log file from a screensaver session with the wrong user password which causes a logout: debug: pam_yubico.c:838 (parse_cfg): called. debug: pam_yubico.c:528 (do_challenge_response): Loading challenge from file /Users/face/.yubico/challenge-xxxx |
|
Can confirm the same problem here. I found this closed issue which describes the same problem happening during the public betas, and then being subsequently fixed 🤔 |
|
@tob1k I don't think that's the same issue tho? I'm not familiar with the macOS entitlements stuff but I can use challenge-response for sudo right now. |
|
@Frederick888 Yeah I'm not 100% sure either. But the log output seemed the same, and if you check the entitlements for sudo, it's missing the usb entitlements as described in #197 |
@Frederick888 I'm not sure. I looked into the same thing but at the very least it looks like you would need an Apple Developer ID (which I don't have) |
|
@tob1k Well, I remembered that I once code signed lldb/gdb to work around the entitlements as described in https://opensource.apple.com/source/lldb/lldb-69/docs/code-signing.txt but apparently a random self-signed root certificate will just break |
|
I've filed an issue regarding the entitlements of But, I mean, where are the Yubico devs? Is this project still maintained? |
We're aware of the issue, unfortunately not with alot of insight to add at this point. authorizationhost has changed entitlements for 10.15, if that's the culprit or not is a good question. This might even be an intentional change from Apple, that the login process should not be able to talk with a USB device. |
|
@klali I really believe you guys need to talk to Apple about this. I don't think such kind of technical feedback from individual customers who are not familiar with either macOS entitlements or yubico-pam per se like me would attract much attention from them. |
|
Still no response from Apple. Can anyone check
Thanks. |
|
I can confirm that this issue can still be reproduced in 10.15.1. And the bloody update reset a bunch of |
|
upvoting this. Worked on El Capitan for both authorization and screensaver PAM. Now only screensaver works on Catalina, but Apple seems to have disabled Yubkey working in 'authorization'.. Any ideas if this is entirely Apple's doing or can Yubi fix this? |
|
Also… the newly released MacBookPro 16" only runs Catalina… |
|
@MartinMKD I'm not 100% sure if Yubico can fix it. But the extra piece of information I'll throw out there is that this does not only affect pam_yubico. I know some others who were using some form of pam kerberos, and it was broken by Catalina too, so this does not bode well. That being said, it may always be possible to have it fixed on the Yubico side, I just don't know enough about the problem to say for sure. |
|
In their zeal to remain "inventive"/ahead of the curve, Apple manages to break things that work such as Yubikey/PAM auth.. along with other useless innovations, like the function key touchbar .... |
|
Any updates on a potential fix for this issue? It's been a while since Catalina was released. |
|
This is still broken in osx 10.15.2. Is Yubico working with Apple to fix this? |
|
Same issue here. |
|
Mostly as an update. Yubico has no more information about this, we've opened a radar with apple and tried to get clarity with no answers so far. |
|
After updating to from 10.15.1 to 10.15.2, logging in with the yubikey worked without issue (It's been working for login only in Catalina this whole time, just not screensaver or privilege elevation). But after a second reboot, it stopped working.
So Apple has at least made it 100% broken instead of 80% broken. |
|
@Frederick888 in regards to you comment about the pam.d files being reset, I always assume that anything I customize on a mac will be reset. I treat OS updates a "firmware" updates. For this reason, I configure a LaunchDaemon that will reprogram anything I ever edit on a mac. In this case I run a carefully crafted awk and sed script that will update pam.d files every time the computer is rebooted, fairly robustly. This has kept my yubikey setting since I started using it a year and a half ago. |
|
Could anyone post instructions on how to remedy this from recovery mode? I’m struggling with Terminal and am locked out. Thank you for any help! |
https://vcsjones.dev/2016/01/21/regaining-access-to-os-x-after-a-lost-yubikey/
|
|
Thanks for the reply @chulander. I forgot to update this thread when my computer was stolen shortly after I posted. Unfortunately, it's moot now. |
|
Yubikeys are now a requirement at our lab, and new Macs come with Catalina. So this issue is affecting our ability to purchase Apple hardware. Can you please point me to the Radar issue, so I can try to escalate this issue with Apple directly? |
|
@GregoryEAllen I got logins to work on Catalina by configuring Yubi to work as a smartcard. It's a bit more involved to set up but at least it works until Apple issues a fix for killing Yubikey PAM based logins. |
|
@MartinMKD could you please provide a link to instructions for this workaround? Does it also support screensaver authorization? Do we know whether this is Apple's bug, or in yubico-pam? |
|
I am not paying 100 euros for something as simple as this. I'll try the self signed cert approach. I can live w/a smartcard + password login, but I definitely want to learn how to disable login and leave smartcard only enabled. |
|
@MartinMKD The rest of the instructions mentioned at https://support.apple.com/en-us/HT208372 will guide you through smart card ONLY setup (via editing PAM files). Basically they say "Smart card is sufficient" and then if you go down the password (pam_opendirectory) route it is "denied" (pam_deny) Warning: There is a bug I've observed in Catalina that trying to unlock "Users & Groups" will not work with a smart card. All other Settings admin unlocks DO work (AFAIK) with a smart card, but that one will not. I have no idea why this is. This means it becomes impossible to access this menu (without editing the pam file first, temporarily, and then using a password to log in. It is the |
|
Whats not quite clear to me: If I've enabled SmartCard only via profile, why should I edit /etc/pam.d/login? |
|
Unfortunately I'm not sure, as I don't have a clue what a Profile or Configurator is, and I don't know what those profile settings even do. If Configurator edits the pam files for you with those settings, then I suspect no, you don't need to edit (My use case was setting up with an AD domain, so it's a little different, but I have it working). However, I do understand the PAM changes, and they make sense to me, so I can try and help with that part. |
|
No, the profile does not make any changes in the pam files. I do not know what they will do ... my user is an AD user as well but I set up the smartcard outside AD. |
|
FWIW I just took the config sample from apples documentation here and saved it with a This has enforced smart cards everywhere, sudo, screensaver lock, etc without editing any pam files, or dealing with configurator/profile creator etc. Granted the profile isn't signed, but for my purposes (a small team of 12 devs or so) this is fine. Thanks again @MartinMKD for pointing me in the right direction here 🙏 |
|
not to be pedantic, but any chance the discussion about smartcard config could move somewhere else? |
|
The smartcard discussion is relevant to anyone who is grappling with the PAM issue if nothing else then as a workaround. |
|
FYI, we put together a small guide on the macOS smart card support, heavily based on Apples documentation, available here: https://developers.yubico.com/PIV/Guides/Smart_card-only_authentication_on_macOS.html No updates on the pam module as far as I know. |
|
Any update on the pam module? |
|
@MillsapCyber As far as I know, if you want to enforce 2fa, you need to disable touchID, it will always bypass all other pam security measures.
I've looked into this a little more since last time. It seems like only the pam modules that don't exist as actual files on disk work in Catalina. |
|
Anyone has already tested with the new version 10.15.4? |
|
@ChristopheH-Ekonoo i am trying to setup my key on 10.15.4 but it keeps failing
|
|
(I'm back on macOS, duh...) I can still confirm this issue on 10.15.5. Btw I noticed that screen saver does not crash if yubico_pam is not the last one in your PAM auth stack (probably...). |
|
There has been a workaround committed for this in the yubikey-personalization repo. If you run homebrew, try applying this diff to the ykpers formula: ..and then do |
|
@nevun May I know if Yubico/yubikey-personalization@7ee7b11 is the only required patch here? I'm not able to verify this atm so I'd appreciate it if anyone can backport it and check it out. It can be cherry picked onto |
|
@Frederick888 yes. but please be aware of the fact that this is a work around and might stop working at any time. |
|
@nevun We've used the mac login tool pkg from yubico. How do we apply this fix? Do we need homebrew ? |
|
@rotorstudios-gg there has not been a new release of yubico-pam packaged for mac by Yubico and since the package bundles libykpers you either have to build libykpers yourself and replace the dependency lib or remove the mac package and go with homebrew for both. I am not sure about your situation, it might make sense to take this to support@yubico.com? Note, I am not an official spoke person on this matter for Yubico. I used the homebrew version though when I tested this on Catalina. |
|
@nevun thanks. can you share how you got the homebrew version working? I got as far as installing homebrew via "/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" " . Thanks again |
|
@rotorstudios-gg if you have install Note that you should definitely have a root shell opened in another terminal ready in case you mess up your pam config because sudo might stop working. I cannot stress this enough, as soon as you touch the pam configuration, you need to test it in another terminal before closing the root shell terminal because otherwise you could lock yourself out of your system. After you installed the pam_yubico module from brew you should update your pam configuration to point to the correct pam module (the one from brew, not the one you had before). Good luck |
|
@nevun Thanks for that. Where is the patched libykpers library? |
|
@rotorstudios-gg the homebrew repo already includes the patch so you only need to install pam_yubico through brew (https://github.com/Homebrew/homebrew-core/blob/master/Formula/ykpers.rb#L36) |
|
By the way has anyone tested pam_yubico on macOS 11 (Big Sur)? |
|
Thanks @nevun . That worked and I am using Big Sur. Now the next question is that if I dont want to use homebrew and create a standalone .pkg to be deployed, how do I find out what files are required? is it just the /usr/local/lib/security/pam_yubico.so file? PS: I am familiar with creating pkg (via the Packages tool). |
|
@rotorstudios-gg glad to hear it! You can run |
|
Im not sure if this is the right place or not but it seems that although this now works (building/installing yubico via brew); it now breaks in the new M1 apple macbooks. The yubikey is recognized and is able to generate a challenge-response file but when prompting for user and password, the yubikey doesnt flash or anything and is immediately denied login. Just wondering if anyone else has found workarounds to this? |
|
@Frederick888 I just had one of my users update to BigSur, and they said the following:
By "elevate", they mean graphically, like in System Preferences. |
|
We were upgrading from Mojave straight to Big Sur:
Brew needed a little special help. We uninstalled then reinstalled |
and others
Hi,
I have just upgraded to macOS 10.15 and it seems yubico-pam no longer works for
/etc/pam.d/authorizationand/etc/pam.d/screensaver./etc/pam.d/authorizationAfter the upgrade, I re-configured
/etc/pam.d/authorizationto:This caused me not able to log in or authenticate in e.g. System Preferences -> Security & Privacy. (had to enter recovery mode to unlock, oops!)
/etc/pam.d/screensaverMy
/etc/pam.d/screensaveris configured as:It works ok if you don't have a YubiKey plugged in (blocks login successfully) or normally touch YubiKey when prompted. BUT, it crashes and forcibly logs out the user if you unplug YubiKey when the LED is blinking.
And since I cannot use yubico-pam in
/etc/pam.d/authorizationnow, it means the challenge-response can be effectively bypassed since if my password is leaked, one can simply plug in a wrong key to log me out, then use my password to normally log in.The text was updated successfully, but these errors were encountered: