Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sufficient in Mac OS X pam.conf causes hijack warning #80

Open
vdm opened this issue Sep 21, 2015 · 0 comments
Open

sufficient in Mac OS X pam.conf causes hijack warning #80

vdm opened this issue Sep 21, 2015 · 0 comments

Comments

@vdm
Copy link

vdm commented Sep 21, 2015

On 10.11 with pam_yubico 2.19, when I change control-flag in a working configuration to sufficient from required, I can login with password and no Yubikey inserted, and this appears in the console log:

21/09/2015 17:03:01.737 com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.87271" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent

When I change it back, it starts working again. This means it is not possible to unlock by only inserting the Yubikey, without entering a password. /etc/pam.d/screensaver:

# screensaver: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
auth       required       /usr/local/lib/pam_yubico.so mode=challenge-response debug
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

1 participant