13 December 2015

Mac OS X Two Factor Authentication Demo with Yubikey

With today's security threats, passwords alone may not be a strong enough defense against security incidents and many of you might want a little extra to secure your Apple Macintosh computer against such threats.  Yubico has an affordable solution you might like to try.  Yubico already provides excellent documentation on how to do this, but I have a few tweaks of my own which you can see in the video below or continue reading.

First, the video opens with demo number one.  This demo shows logins with the Yubikey inserted and removed.  Additionally, you can see the substitute user command (su) and superuser do command  in the demo.  The demo doesn't show the standard GUI based Mac OS X authentication challenge, but it too will require the Yubikey to be used in addition to the password.

Demo number two is pretty much the same, but Yubico suggests you uncheck the "Require user input (button press)" box when you set the challenge response feature.  I prefer to leave it checked.  The only pain from doing so comes from the ykpamcfg command which seems to have a short wait when it queries the key during setup.  You have to be Johnny on the spot and hit the button pretty quick, which I don't show in the video.  But once you get past doing so, the Yubikey with button press is very easy to use. 

Next up, the video shows the installation which requires the easy to install Homebrew application.  As mentioned above, Yubico writes really good documents perhaps so you'll buy lots of Yubikeys.  I think the confusing part of their guide is the PAM config section is a bit too wordy and repetitive, listing the same steps over and over again for the same files. Yubico's guide could be condensed to mention editing the files su, sudo, authorization, and screensaver in /etc/pam.d and adding the entry "require       auth mode=challenge-response" line above the first line beginning with "account," but the guide assumes you might not know vi very well and spells out the extra steps.

The last note about their guide is how there is little discussion on the other /etc/pam.d files you could use a Yubikey with. Savvy Yubikey experts will notice I added the /etc/pam.d/su file to my list. Also, you might want to do something with /etc/pam.d/sshd either by adding Yubikey protection or using SSH keys, if you wish to enable remote logins on your Mac.  If you are remotely logging in with Secure Shell, you can't insert your key, so certificate based authentication is, IMHO a nice substitute.

You might want to use Apple's Filevault along with your Yubikey so your computer is encrypted and its data is protected at rest.

No comments:

Post a Comment