@tresni
Created September 8, 2020 17:49
Enabling Yubikey for sudo on OSX

Intro

Primarily, I use TouchID for sudo authentication on OSX, but I also tend to be connected to a CalDigit TS3 Plus dock and external monitors with my laptop lid closed. TouchID does not work in that situation.

In my quest to have another solution I found the instructions from Yubikey[1][2]. Unfortunately, the instructions are not well laid out, with formatting issues and some necessary information just missing. I hope to rectify that with this document.

Prerequisites

This has been tested on MacOS 10.14.6 and should work on MacOS 10.15. This README assumes you are using Homebrew; it should be possible to configure everything with MacPorts, but paths are likely to be different.

We will be configuring slot 2 on the yubikey (the long-press slot). I personally use slot 1 for Challenge Response and slot 2 for yubikey-otp, as I find this minimizes accidental activations and OTP printouts. To move your yubikey-otp to slot 2, simply issue a swap (ykman otp swap) and replace all instances of 2 in the Setup instructions with 1.

Setup

  1. Generate a new, random challenge-response secret in slot 2, requiring touch (-t):

     ykman otp chalresp 2 -g -t

  2. Create the required directory with the required permissions:

     mkdir -m0755 -p ~/.yubico

  3. Generate the initial challenge from the Yubikey:

     ykpamcfg -2

  4. Add the following line to /etc/pam.d/sudo. This file must be edited as a superuser.

     auth       sufficient     /usr/local/lib/security/pam_yubico.so mode=challenge-response

    Before you close the file, make sure the path to pam_yubico.so is correct. If you fail to do so, you may lock yourself out of sudo completely.

    I recommend placing the line near the top. In my case, I have it after a line using pam_tid.so, which is the first line of the file. This means PAM will use TouchID first, and then the Yubikey if TouchID is unavailable or fails.

    If you are using MacPorts, you likely do not need the path and can just list it as follows:

     auth sufficient pam_yubico.so mode=challenge-response

  5. Give it a test:

     sudo -k
     sudo echo test

    If you have TouchID enabled for sudo, cancel the TouchID dialog. Your Yubikey should start to blink; that will be your only indicator that it can be used for authentication. Touch the Yubikey to authenticate.
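The path check and line ordering from step 4, as an added shell example that is not part of the original gist: it builds the pam_yubico line, refuses to produce a config when the module path is not a readable file, and places the line right after pam_tid.so so TouchID is tried first. The function names and the print-only (dry-run) flow are my assumptions.

```sh
#!/bin/sh
# Added example, not part of the original gist: build the pam_yubico line
# from step 4 and refuse to emit a config when the module path is wrong,
# since "sufficient" with a bad path can lock you out of sudo.
# Function names and the print-only (dry-run) flow are assumptions.

# Default Homebrew path from the gist; MacPorts users pass a bare module name.
PAM_YUBICO_DEFAULT=/usr/local/lib/security/pam_yubico.so

# Succeed only if an explicit path is a readable regular file.
# A bare name (no slash) is resolved by PAM's own search path, so it passes.
check_module_path() {
    case "$1" in
        */*) [ -f "$1" ] && [ -r "$1" ] ;;
        *)   return 0 ;;
    esac
}

# The exact line the gist adds to /etc/pam.d/sudo.
yubico_pam_line() {
    printf 'auth       sufficient     %s mode=challenge-response\n' "$1"
}

# Print a new sudo PAM config to stdout (nothing is written in place):
# the Yubikey line goes directly after the pam_tid.so (TouchID) line when
# one exists, otherwise at the top, so TouchID is tried first and the
# Yubikey second, matching the ordering the gist recommends.
# $1 = existing pam.d/sudo file, $2 = module path (default: Homebrew path)
render_sudo_pam() {
    pamfile=$1
    mod=${2:-$PAM_YUBICO_DEFAULT}
    if ! check_module_path "$mod"; then
        echo "refusing: $mod is not a readable file; fix the path first" >&2
        return 1
    fi
    line=$(yubico_pam_line "$mod")
    if grep -q 'pam_tid\.so' "$pamfile"; then
        awk -v ins="$line" '{ print } /pam_tid\.so/ && !done { print ins; done = 1 }' "$pamfile"
    else
        printf '%s\n' "$line"
        cat "$pamfile"
    fi
}

# Review the proposed file before copying it over /etc/pam.d/sudo as root:
#   render_sudo_pam /etc/pam.d/sudo > /tmp/sudo.pam.new && diff /etc/pam.d/sudo /tmp/sudo.pam.new
```

Keep a second root shell open while you test the installed file, so a mistake can be reverted without needing sudo.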
