Primarily, I use TouchID for sudo authentication on macOS, but I also tend to be connected to a CalDigit TS3 Plus dock and external monitors with my laptop lid closed. In my quest for another solution I found the instructions from Yubico. Unfortunately, those instructions are not well laid out, with formatting issues and some necessary information simply missing. I hope to rectify that with this document.

This has been tested on macOS 10.14.6 and should work on macOS 10.15. This README assumes you are using Homebrew; it should be possible to configure everything with MacPorts, but the paths are likely to differ.

We will be configuring slot 2 on the YubiKey (the long-press slot). I personally use slot 1 for challenge-response and slot 2 for Yubico OTP, as I find this minimizes accidental activations and stray OTP printouts. To do the same, move your Yubico OTP to slot 2 with a swap (`ykman otp swap`) and replace every instance of 2 in the setup instructions below with 1.

Setup:

1. Generate a new, random challenge-response secret in slot 2 and require a touch (`-t`) for every response:

```
ykman otp chalresp 2 -g -t
```

2. Create the required directory with the required permissions:

```
mkdir -m0755 -p ~/.yubico
```

3. Generate the initial challenge from the YubiKey (this writes the challenge state into `~/.yubico`):

```
ykpamcfg -2
```

4. Add the following line to `/etc/pam.d/sudo`:

```
auth sufficient /usr/local/lib/security/pam_yubico.so mode=challenge-response
```

Before you close the file, verify that the path to `pam_yubico.so` is correct (for example with `ls -l /usr/local/lib/security/pam_yubico.so`). If the path is wrong, you may lock yourself out of sudo completely, so keep a second terminal with a root shell open until you have confirmed that sudo still works.

I recommend placing the line near the top of the file. In my case it sits directly after the line using `pam_tid.so`, which is the first line of the file. This means PAM will try TouchID first, and then the YubiKey if TouchID is unavailable or fails. Because both lines are `sufficient`, either one succeeding is enough to authenticate; if neither succeeds, the remaining lines in the file (the normal password prompt) still apply.

If you are using MacPorts, you likely do not need the full path and can list the module as follows:

```
auth sufficient pam_yubico.so mode=challenge-response
```

Usage: if you have TouchID enabled for sudo, cancel the TouchID dialog. Your YubiKey should then start to blink; that will be your only indicator that it can be used for authentication. Touch the YubiKey to authenticate.
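The following script is an added example, not part of the original README or of Yubico's tooling. It automates the `/etc/pam.d/sudo` edit from the setup steps above with the two safeguards the text calls for: it refuses to proceed unless `pam_yubico.so` actually exists at the expected path, and it inserts the `auth sufficient ... mode=challenge-response` line directly after the `pam_tid.so` line (TouchID first, YubiKey second) or, on a system without TouchID, ahead of the first `auth` line. The Homebrew module path, the `--apply` flag, the `/etc/pam.d/sudo.bak` backup name and the sample PAM file contents are all assumptions made for this example; the sample file is constructed inline so the script can be exercised without touching the real system.

```shell
#!/bin/sh
# Added example (not from the original README): wire pam_yubico into
# /etc/pam.d/sudo as the text describes, with the checks that keep you from
# locking yourself out. Assumes the Homebrew install path for pam_yubico.so;
# override with PAM_YUBICO=... for a MacPorts install.
set -eu

PAM_YUBICO="${PAM_YUBICO:-/usr/local/lib/security/pam_yubico.so}"
YUBICO_LINE="auth       sufficient     ${PAM_YUBICO} mode=challenge-response"

# Constructed sample of a macOS /etc/pam.d/sudo with TouchID (pam_tid.so) on
# its first line. Used only by demo below; nothing here reads the real file.
SAMPLE_PAM_SUDO='auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so'

# check_module PATH: the module must exist before its line goes into the file;
# a mistyped path is exactly how sudo gets locked out.
check_module() {
    [ -f "$1" ] || { echo "pam_yubico.so not found at $1" >&2; return 1; }
}

# insert_yubico_line FILE: idempotent. Puts the line directly after pam_tid.so
# (TouchID first, YubiKey next) or, without TouchID, before the first auth line.
insert_yubico_line() {
    file="$1"
    grep -q 'pam_yubico\.so' "$file" && return 0
    tmp=$(mktemp)
    if grep -q 'pam_tid\.so' "$file"; then
        awk -v line="$YUBICO_LINE" \
            '{ print } /pam_tid\.so/ && !done { print line; done = 1 }' "$file" > "$tmp"
    else
        awk -v line="$YUBICO_LINE" \
            '!done && /^auth/ { print line; done = 1 } { print }' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file"    # cat rather than mv: keeps the original owner and mode
    rm -f "$tmp"
}

# demo: run the insertion twice on a throwaway copy of the sample and print the
# result; the second call must not add a duplicate line.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PAM_SUDO" > "$f"
    insert_yubico_line "$f"
    insert_yubico_line "$f"
    cat "$f"
    rm -f "$f"
}

# Real run: only with `sudo sh thisscript.sh --apply`, and only after
# `ykman otp chalresp 2 -g -t`, `mkdir -m0755 -p ~/.yubico` and `ykpamcfg -2`
# have been done as the normal user (ykpamcfg writes under that user's home).
if [ "${1-}" = "--apply" ]; then
    check_module "$PAM_YUBICO"
    cp /etc/pam.d/sudo /etc/pam.d/sudo.bak   # assumed backup name
    insert_yubico_line /etc/pam.d/sudo
fi
```

Run `sh thisscript.sh` with no arguments to do nothing but define the functions (call `demo` from an interactive shell to see the result on the sample), and keep a root shell open in another terminal when using `--apply`, then confirm `sudo -k; sudo true` still works before closing it.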