This is a bit expanded version of the gist, with some updated instructions to also accommodate TouchID and manual compilation of pam_yubico.

Setup

1. Dependencies

brew install ykman pam_yubico

1. Generate a new, random challenge-response secret in slot 2, require touch (-t)

ykman otp chalresp 2 -g -t

1. Create required directory w/ required permissions

mkdir -m0755 -p ~/.yubico

1. Generate the initial challenge from the Yubikey

kpamcfg -2

1. Create the sudo_local file and edit it.

⚠️ Warning

Save the file first and try it out before exiting, as you can lock yourself out of sudo if you make a mistake.

1. If locked out: open /etc/pam.d/ -> Right click -> Get Info on sudo_local -> Sharing & Permissions -> Unlock ->
2. Change to Read & Write -> Save -> Edit your mistakes and save again -> Change back to Read only

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
sudo -e /etc/pam.d/sudo_local

1. The content should look like this:

auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       sufficient     /usr/local/lib/security/pam_yubico.so mode=challenge-response

Make sure that the /opt/homebrew/opt/pam_yubico/lib/security/pam_yubico.so file exists. If installed with hombrew you can also find the path at $(brew --prefix pam_yubico)/lib/security/pam_yubico.so

Otherwise, if compiled manually, the path is /usr/local/lib/security/pam_yubico.so.

1. Give it a test

sudo ls

Manually compiling pam_yubico

brew install automake

for i in yubico-c-client yubico-c yubico-pam yubikey-personalization; do
    git clone https://github.com/Yubico/$i.git
    pushd $i
    autoreconf --install
    ./configure --disable-documentation
    make check
    sudo make install
    popd
done

--disable-documentation is optional, but it has dependencies that we don’t particularly care about.