Cubox's blog.

Here live Andy Pilate.


How to configure your Mac to use custom PAM plugins with the login screen.


mac
English
Andy Pilate

PAM on Mac OS X

As you may know, PAM is used everywhere on modern UNIX systems. Linux and Mac OS X use it to authenticate users. If you are a Mac user who likes to install weird stuff and edit PAM, you may have discovered that PAM under Mac OS X is totally undocumented. Really, the only thing you can get from Apple is a man page. You can't see which service uses which file in /etc/pam.d/. This is a big pain when you want to edit stuff on your Mac without fearing being locked out.

Fortunately, some services can be discovered easily. /etc/pam.d/sudo is obviously the file for the sudo utility. If you want to edit stuff about it, just edit this file, and don't forget to keep a root shell open in case you mess it up. The same goes for sshd: just edit the file.

But I wanted to discover how to modify the login screen behaviour with PAM.

A little bit of background first

As I said on this blog (in an article written in French), I own a Yubikey. This awesome device generates One Time Passwords, among other amazing things. I personally use it to log in to my Mac, ssh onto my server and use sudo without typing any password. This is really great when you are somewhere people can look at your keyboard. A password generated by a Yubikey looks like vvcubkglngtjjnkjlhjvgfdinferfkjldcffulgnbnjt (in fact, this is a valid one, but already used. You can't do anything with it now. That is the meaning of a One Time Password).

To set up your Yubikey with your services, you need to edit PAM. Thanks to Yubico we have a PAM plugin for Yubikey. I will not describe how to set it up here, just explain my config. I added this tiny line in /etc/pam.d/ssh on my server, among other things:

auth sufficient pam_yubico.so id=42 key=THISPARTISSECRET url=http://yk.cubox.me/wsapi/2.0/verify?id=%d&otp=%s verbose_otp

When I try to log in, I get prompted with Yubikey for 'cubox': and I can touch my Yubikey in order to log in. I love it.

Well, but how to setup my Mac with it?

I described how to use it; it's the same under Linux and Mac OS X. But only for sudo and sshd.

If you want to use it with your login screen, you need to add this line to /etc/pam.d/authorization.
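As an added example (not code from the original post, and not part of Yubico's pam_yubico), here is a small POSIX shell script that does what the sudo/sshd paragraph above and this one describe: it backs up the PAM service file with a timestamp, inserts the pam_yubico line from above before the first auth entry so it is evaluated first, refuses to add it twice, and runs a rough syntax check of the result before you close that root shell. It runs only against a constructed copy of /etc/pam.d/authorization in a temporary directory; when you are ready, call pam_insert_first on the real file yourself as root. The id, key and url values are the author's placeholders, not working credentials.

```shell
#!/bin/sh
# Added example, not from the original post: safely add a pam_yubico line
# to a PAM service file (sudo, sshd, or authorization for the login screen).
set -eu

# The line from the post. id/key/url are placeholders, not real values.
YK_LINE='auth sufficient pam_yubico.so id=42 key=THISPARTISSECRET url=http://yk.cubox.me/wsapi/2.0/verify?id=%d&otp=%s verbose_otp'

# pam_has_module FILE MODULE: succeed if a non-comment line uses MODULE.
pam_has_module() {
    grep -Eq '^[[:space:]]*[^#].*[[:space:]]'"$2"'([[:space:]]|$)' "$1"
}

# pam_insert_first FILE LINE: back FILE up, then put LINE before the first
# "auth" entry so PAM evaluates it first. Does nothing if the module is
# already present, so running it twice is harmless.
pam_insert_first() {
    file=$1; line=$2
    module=$(printf '%s\n' "$line" | awk '{print $3}')
    if pam_has_module "$file" "$module"; then
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    awk -v new="$line" '
        !done && $1 == "auth" { print new; done = 1 }
        { print }
        END { if (!done) print new }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through cat so owner and mode are kept
    rm -f "$tmp"
}

# pam_syntax_ok FILE: every non-comment line must have at least three
# fields, a known type and a known control flag. A typo here is exactly
# what locks you out, so check before leaving the root shell.
pam_syntax_ok() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        NF < 3 { bad = 1; exit }
        $1 !~ /^(auth|account|password|session)$/ { bad = 1; exit }
        $2 !~ /^(required|requisite|sufficient|optional|binding|include|substack)$/ { bad = 1; exit }
        END { exit bad }
    ' "$1"
}

# Demo on a constructed sample in a temp dir; nothing under /etc is touched.
demo() {
    dir=$(mktemp -d)
    f="$dir/authorization"
    cat > "$f" <<'EOF'
# constructed sample modelled on /etc/pam.d/authorization, not Apple's file
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF
    pam_insert_first "$f" "$YK_LINE"
    pam_insert_first "$f" "$YK_LINE"   # second call is a no-op
    pam_syntax_ok "$f" && echo "syntax ok: $f"
    cat "$f"
}

demo
```

One design point worth knowing before you copy the line: with `sufficient`, a valid OTP alone logs you in and the password modules after it are skipped, which is the behaviour the post wants. If you would rather have the key as a second factor on top of the password, use `required` instead, so the pam_opendirectory entry below it still has to pass as well.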

Unfortunately, this does not make the PAM plugin unlock my locked screen (you know, the thing you get when you lock your session, with your wallpaper and your picture). If someone has an answer, please contact me! /etc/pam.d/screensaver does not help.

Yeah, I am not joking. All this bloody article for just this one line of important information. But as I said, this is documented nowhere. I asked an Apple Genius and he was unable to answer me. Now, when I get prompted for my password, I just press enter and... magic. It took me almost half a year to find this. Thanks Apple.

Enjoy your secure login screen with Yubikey on your Mac! You don't need to buy the Rohos software for $32. Just get root access and do some magic!