13 December 2015

Mac OS X Two Factor Authentication Demo with Yubikey

With today's security threats, passwords alone may not be a strong enough defense against security incidents and many of you might want a little extra to secure your Apple Macintosh computer against such threats.  Yubico has an affordable solution you might like to try.  Yubico already provides excellent documentation on how to do this, but I have a few tweaks of my own which you can see in the video below or continue reading.

First, the video opens with demo number one.  This demo shows logins with the Yubikey inserted and removed.  Additionally, you can see the substitute user (su) and superuser do (sudo) commands in the demo.  The demo doesn't show the standard GUI-based Mac OS X authentication challenge, but it too will require the Yubikey to be used in addition to the password.

Demo number two is pretty much the same, but Yubico suggests you uncheck the "Require user input (button press)" box when you set up the challenge-response feature.  I prefer to leave it checked.  The only pain from doing so comes from the ykpamcfg command, which seems to have a short wait when it queries the key during setup.  You have to be Johnny on the spot and hit the button pretty quickly, which I don't show in the video.  But once you get past that, the Yubikey with button press is very easy to use.

Next up, the video shows the installation, which requires the easy-to-install Homebrew application.  As mentioned above, Yubico writes really good documents, perhaps so you'll buy lots of Yubikeys.  I think the confusing part of their guide is that the PAM config section is a bit too wordy and repetitive, listing the same steps over and over again for the same files.  Yubico's guide could be condensed to: edit the files su, sudo, authorization, and screensaver in /etc/pam.d and add the line "require       auth mode=challenge-response" above the first line beginning with "account".  The guide assumes you might not know vi very well and spells out the extra steps.
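Here is the condensed edit above as an added script (my own, not Yubico's or the video's code): it inserts the challenge-response line above the first "account" line of each PAM file, skips files that already have it, and keeps a .bak copy. The full line form, auth required pam_yubico.so mode=challenge-response, is taken from pam_yubico's documentation; on a Homebrew install you may need to give the module's full path instead of the bare name, which I have not verified here.

```shell
#!/bin/sh
# Added example (not Yubico's or the post's own code): insert the
# pam_yubico challenge-response line into the PAM service files the post
# names, above the first line beginning with "account". The line form
# below follows pam_yubico's documentation; the post abbreviates it.
set -eu

PAM_LINE='auth       required       pam_yubico.so mode=challenge-response'
PAM_FILES='su sudo authorization screensaver'

# Echo "yes" if the file already references pam_yubico.so, else "no".
has_yubikey_line() {
    if grep -q 'pam_yubico\.so' "$1"; then echo yes; else echo no; fi
}

# 1-based line number of the pam_yubico line in the file, or 0 if absent.
yubikey_line_no() {
    awk '/pam_yubico\.so/ { print NR; found = 1; exit }
         END { if (!found) print 0 }' "$1"
}

# Insert PAM_LINE above the first "account" line; append it if the file
# has no account line. Idempotent, and keeps a .bak copy of the original.
add_yubikey_line() {
    f=$1
    [ "$(has_yubikey_line "$f")" = no ] || return 0
    cp "$f" "$f.bak"
    awk -v line="$PAM_LINE" '
        !done && /^account/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$f.bak" > "$f"
}

# Apply to the four /etc/pam.d files from the post (needs root).
# Only runs when invoked as: sudo sh thisscript.sh --apply
if [ "${1:-}" = "--apply" ]; then
    for name in $PAM_FILES; do
        add_yubikey_line "/etc/pam.d/$name"
        echo "$name: pam_yubico line at $(yubikey_line_no "/etc/pam.d/$name")"
    done
fi
```

Check each file afterwards with `yubikey_line_no`: the entry must sit before the account stanza, and a second run must leave the file unchanged.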

The last note about their guide is that there is little discussion of the other /etc/pam.d files you could use a Yubikey with.  Savvy Yubikey experts will notice I added the /etc/pam.d/su file to my list.  Also, you might want to do something with /etc/pam.d/sshd, either by adding Yubikey protection or by using SSH keys, if you wish to enable remote logins on your Mac.  If you are remotely logging in with Secure Shell, you can't insert your key, so certificate based authentication is, IMHO, a nice substitute.

You might want to use Apple's FileVault along with your Yubikey so your computer is encrypted and its data is protected at rest.

17 October 2015

Mac OS X El Capitan Non User Encrypted FileVault Boot

You can choose a disk encryption FileVault password as an alternative to unlocking FileVault with your user account on your Mac.  For years, on many platforms, full disk encryption was unlocked using one password typically not associated with the user's login.  You can achieve this today on the Macintosh platform; it is not quite as easy as enabling FileVault normally, but almost as easy as the preferred method.

To do this, you can follow the steps below and/or watch the video.

The first step is to make a Mac OS bootable USB drive, which is outside the scope of this blog but easy to find with a Google search.

The next step is to boot from the bootable drive.  Insert it into a USB port, reboot your Mac, hold down the Option (ALT) key at startup, and choose the USB installer disk.

The next step assumes you are willing to erase the Mac completely, so make sure you have it all backed up with Apple's Time Machine or a similar program.  Once the installer loads, choose the Utilities -> Disk Utility option.  From there we'll set up encryption: erase the disk and choose the encrypted journaled option.  Pick the password you want for your drive, select Erase, and remember the password chosen here.

After the disk is set up with the encryption key, begin the installation process.

The Mac will reboot after installation.  If all went well, you will be asked for the password you chose above.  Enter your disk password at the password entry prompt and the Mac should begin booting up.  You must go through the configuration steps and may optionally recover from your Time Machine drive when prompted, or start over with a blank install.

And that is all there is to it.  It is pretty much as easy as using FileVault normally.

31 May 2015

TV, Ubuntu, and AMD's TV Wonder 600 USB Installation

The ATI TV Wonder 600 USB is not supported on Windows 7 or later but is still supported on GNU/Linux.  The best thing to know is that it's really quick and easy to set up and install on Ubuntu.  All you need to do is execute three steps and you can watch TV in less than 5 minutes.  The instructions on the Linux TV website are all you need and are always up to date.  To be brief, open a terminal window and perform the following commands:

  1. cd /lib/firmware
  2. sudo wget
  3. sudo apt-get install me-tv

And that's all there really is to it.  Just start Me TV and scan for stations.

The short video below shows you the steps.