Aleksandar's Blog

Random ramblings

yubikey/touch id sudo on osx

Posted at — Dec 24, 2023

This is a slightly expanded version of the gist, with updated instructions that also cover Touch ID and manual compilation of pam_yubico.

Setup

  1. Install the dependencies:
     brew install ykman pam_yubico
  2. Generate a new, random challenge-response secret in slot 2 and require touch (-t):
     ykman otp chalresp 2 -g -t
  3. Create the required directory with the required permissions:
     mkdir -m0755 -p ~/.yubico
  4. Generate the initial challenge from the YubiKey:
     ykpamcfg -2
  5. Create the sudo_local file and edit it.

⚠️ Warning

Save the file and try it out before exiting, as you can lock yourself out of sudo if you make a mistake.

If locked out: open /etc/pam.d/ -> Right click -> Get Info on sudo_local -> Sharing & Permissions -> Unlock -> Change to Read & Write -> Save -> Edit your mistakes and save again -> Change back to Read only.

     sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
     sudo -e /etc/pam.d/sudo_local
  6. The content should look like this:
     auth       sufficient     pam_tid.so
     auth       sufficient     pam_smartcard.so
     auth       sufficient     /usr/local/lib/security/pam_yubico.so mode=challenge-response

Make sure that the pam_yubico.so path you reference actually exists. If installed with Homebrew it is /opt/homebrew/opt/pam_yubico/lib/security/pam_yubico.so; you can also find the path with $(brew --prefix pam_yubico)/lib/security/pam_yubico.so. If compiled manually (see below), the path is /usr/local/lib/security/pam_yubico.so, which is what the example above uses.

  7. Give it a test:
     sudo ls
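A sanity check for the steps above, added here as example code and not something from the post: it verifies that every module referenced in sudo_local exists on disk, that the pam_yubico line asks for challenge-response mode, and that ~/.yubico has the expected permissions and a challenge file. It assumes macOS keeps its own PAM modules under /usr/lib/pam (possibly with a .2 version suffix) and builds a constructed fixture so the checks can be exercised without a YubiKey.

```shell
# Sanity check for the sudo_local setup above (added example, not from the post): run it before
# you exit and lose your working sudo session, to catch a mistyped module path or missing mode= option.

# 0 if every module on an "auth <control> <module>" line exists, else 1. Absolute paths are checked
# as written; bare names like pam_tid.so are looked up in $2 (default /usr/lib/pam), allowing a .2 suffix.
check_pam_modules() {
    pam_file="$1"; libdir="${2:-/usr/lib/pam}"; status=0
    while read -r type control module _; do
        case "$type" in ''|'#'*) continue ;; esac          # skip blanks and comments
        case "$module" in
            /*) set -- "$module" ;;
            *)  set -- "$libdir/$module" "$libdir/$module".[0-9]* ;;
        esac
        found=0
        for p in "$@"; do [ -f "$p" ] && found=1; done
        if [ "$found" -eq 0 ]; then
            echo "MISSING: $module (referenced as: $type $control $module)" >&2
            status=1
        fi
    done < "$pam_file"
    return "$status"
}

# 0 if an auth line loads pam_yubico.so with mode=challenge-response, else 1
# (without it pam_yubico defaults to online OTP validation, not what this setup wants).
check_yubico_mode() {
    grep -Eq '^auth[[:space:]]+[a-z_]+[[:space:]]+[^[:space:]]*pam_yubico\.so[[:space:]].*mode=challenge-response([[:space:]]|$)' "$1"
}

# 0 if the challenge directory is 0755 and holds a challenge-* file (what ykpamcfg -2 writes), else 1.
check_challenge_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")   # GNU stat, then BSD/macOS stat
    [ "$mode" = "755" ] || return 1
    for f in "$dir"/challenge-*; do [ -f "$f" ] && return 0; done
    return 1
}

# Constructed fixture so the checks run offline: fake module files plus a sudo_local like the one above.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/syslib" "$d/local/lib/security" && mkdir -m 0755 "$d/.yubico"
    : > "$d/syslib/pam_tid.so.2"; : > "$d/syslib/pam_smartcard.so.2"
    : > "$d/local/lib/security/pam_yubico.so"; : > "$d/.yubico/challenge-0000000"   # constructed serial
    printf 'auth  sufficient  pam_tid.so\nauth  sufficient  pam_smartcard.so\nauth  sufficient  %s mode=challenge-response\n' \
        "$d/local/lib/security/pam_yubico.so" > "$d/sudo_local"
    echo "$d"
}
```

On the real machine, run the three check_* functions against /etc/pam.d/sudo_local and ~/.yubico; make_fixture exists only so the checks can be tried without touching the system files.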

Manually compiling pam_yubico

brew install automake

for i in yubico-c-client yubico-c yubico-pam yubikey-personalization; do
    git clone https://github.com/Yubico/$i.git
    pushd $i
    autoreconf --install
    ./configure --disable-documentation
    make check
    sudo make install
    popd
done

--disable-documentation is optional, but building the documentation pulls in dependencies that we don't particularly care about.