This is a slightly expanded version of the gist, with some updated instructions to also accommodate TouchID and manual compilation of pam_yubico.
brew install ykman pam_yubico
-t)
ykman otp chalresp 2 -g -t
mkdir -m0755 -p ~/.yubico
ykpamcfg -2
sudo_local file and edit it.
⚠️ Warning
Save the file first and try it out before exiting, as you can lock yourself out of sudo if you make a mistake.
- If locked out: open /etc/pam.d/ -> Right click -> Get Info on sudo_local -> Sharing & Permissions -> Unlock -> Change to Read & Write -> Save -> Edit your mistakes and save again -> Change back to Read only
sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
sudo -e /etc/pam.d/sudo_local
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth sufficient /usr/local/lib/security/pam_yubico.so mode=challenge-response
Make sure that the /opt/homebrew/opt/pam_yubico/lib/security/pam_yubico.so file exists. If installed with Homebrew, you can also find the path at $(brew --prefix pam_yubico)/lib/security/pam_yubico.so. Otherwise, if compiled manually, the path is /usr/local/lib/security/pam_yubico.so.
sudo ls
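As an added example (not part of the original post), here is a small lint for the sudo_local file that can be run from a second terminal before closing the editor. It checks that every rule names a module and that every absolute module path, such as the pam_yubico.so paths above, exists on disk. The function name check_pam_modules and the demo input are constructed for illustration.

```shell
#!/bin/sh
# check_pam_modules FILE: print one line per problem, return 0 only if clean.
# Only absolute module paths are checked; bare names such as pam_tid.so are
# looked up by PAM in its own module directory and are skipped here.
check_pam_modules() {
    file=$1 problems=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                 # strip comments
        set -f; set -- $line; set +f     # split the rule into words, no globbing
        if [ $# -eq 0 ]; then continue; fi
        shift                            # drop the type (auth, account, ...)
        # Drop the control; a bracketed one such as [success=1 default=ignore]
        # can span several words.
        case ${1-} in
            \[*) while [ $# -gt 1 ]; do
                     case $1 in *\]) break ;; esac
                     shift
                 done ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
        module=${1-}
        if [ -z "$module" ]; then
            echo "line $lineno: incomplete rule"
            problems=$((problems + 1))
        elif [ "${module#/}" != "$module" ] && [ ! -f "$module" ]; then
            echo "line $lineno: module not found: $module"
            problems=$((problems + 1))
        fi
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Constructed demo input: the three rules from this page, with the pam_yubico
# path pointed at a location that does not exist.
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth sufficient /nonexistent/lib/security/pam_yubico.so mode=challenge-response
EOF
check_pam_modules "$demo" || echo "fix the file before closing the editor"
rm -f "$demo"
```

Against the real file, the call is check_pam_modules /etc/pam.d/sudo_local.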
brew install automake
# Clone, build and install each Yubico component from source.
for i in yubico-c-client yubico-c yubico-pam yubikey-personalization; do
    git clone "https://github.com/Yubico/$i.git"
    pushd "$i"
    autoreconf --install
    ./configure --disable-documentation
    make check
    sudo make install
    popd
done
--disable-documentation is optional, but building the documentation has dependencies that we don't particularly care about.