Secure your OS X logins with a FIDO U2F Yubikey, then your Mac with FileVault

The $9 FIDO U2F Yubikey (after the 50% Google Apps for Work discount) is very inexpensive compared to the other OTP USB keys out there. The official Yubico guide for OS X logins requires the more expensive versions of their Yubikeys. Here I explain how to set up the pam-u2f module for OS X logins, so that the cheaper FIDO U2F keys can be used just as effortlessly.

Early tip: If you are reading this before deciding to get some U2F keys, I suggest buying them in pairs, so that you can authorise the second key as well and then lock it away somewhere safe in case you lose the primary key.

Motivation

I have never been a big fan of backups and security. My security policy was simply to never put my MacBook in harm's way. I had dabbled in full-disk encryption occasionally on netbooks and older laptops (with spinning drives), and the performance hit was ludicrous. With newer laptops providing ample compute power and SSDs, I now believe that full-disk encryption is both possible and practical.

Encryption only protects the disk until it has been unlocked at boot, so the safe way to use it is to: 1. not lose the computer while it is running, and 2. keep your password secret. Unfortunately, MacBook batteries last practically forever, and the password I use is not difficult to capture: I type it every time I wake the machine from the screensaver.

As of writing, I don't believe FileVault's pre-boot unlock and U2F can be combined, but it is possible to securely log in to OS X with a USB key. I found an interesting configuration that provides both increased security and convenience:

  1. FileVault with a long password, so the data on my drive is protected at rest
  2. The same long password for the initial login, with the U2F key required to be present
  3. Only the U2F key is needed to resume my session from the screensaver or sleep

With a scheme like this, my drive is encrypted, my passwords remain secret, and I can safely lose my laptop as long as I keep the Yubikey with me at all times. Furthermore, I never have to type a password when waking from the screensaver, so I can choose an extremely challenging one. It's like using a password manager for the entire laptop. Amazing!

Requirements

1. Time Machine backup - While the steps are easy and it is unlikely you will screw up royally, it is possible to lock yourself out of your own laptop while attempting this. Failing a backup, a way to boot into Recovery or another OS X computer nearby might be sufficient. That being said, you have just made your laptop safely dispensable, so at least keep a backup of your data somewhere.

2. FIDO U2F Yubikey - I recommend getting the cheap one because it works for everything I need it for (SSH, login). NFC does not work with iOS at the moment.

3. Homebrew for OS X - It's the simplest way to install pam-u2f (see the Homebrew installation how-to).

Setup

Install PAM-U2F via Homebrew

Installing pam-u2f should be as simple as running brew install pam-u2f.

$ brew install pam-u2f
==> Downloading https://homebrew.bintray.com/bottles/pam-u2f-1.0.4.yosemite.bott
Already downloaded: /Library/Caches/Homebrew/pam-u2f-1.0.4.yosemite.bottle.tar.gz
==> Pouring pam-u2f-1.0.4.yosemite.bottle.tar.gz
==> Caveats
To use a U2F key for PAM authentication, specify the full path to the
module (/usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so) in a PAM
configuration. You can find all PAM configurations in /etc/pam.d.

For further installation instructions, please visit
https://developers.yubico.com/pam-u2f/#installation.
==> Summary
🍺  /usr/local/Cellar/pam-u2f/1.0.4: 10 files, 78.5K

Specifying the full path in the PAM configuration works just as well. Another option is to symlink the module into /usr/lib/pam/, where PAM looks for modules by default. This can be achieved by running

ln -s /usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so /usr/lib/pam/

Setup PAM-U2F credentials in your home directory

Run pamu2fcfg in a terminal to obtain the U2F credentials. We will place them in ~/.config/Yubico/u2f_keys, which the PAM module looks for when authenticating a user. (Note that the output ends without a trailing newline; zsh users should omit the trailing % when copying.)

When setting up a key for the first time, here are the shortcut commands:

mkdir -p ~/.config/Yubico/
pamu2fcfg > ~/.config/Yubico/u2f_keys
cat ~/.config/Yubico/u2f_keys # should output <your username>:<long base64 key handle>,<long base64 public key>
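As an added example (not part of the original post), here is a small POSIX shell helper for the mapping file, which also covers the early tip about registering a backup key. It assumes the u2f_keys line format `<username>:<keyhandle>,<pubkey>[:<keyhandle>,<pubkey>...]` and that `pamu2fcfg -n` prints just the `:<keyhandle>,<pubkey>` part for an additional key (which is why pamu2fcfg omits the trailing newline: the next key is appended to the same line). The function names and the KH/PK sample values are mine and constructed.

```shell
#!/bin/sh
# Added example (not from the original post): manage ~/.config/Yubico/u2f_keys,
# the per-user mapping file that pam_u2f reads. Its format is a single line:
#   <username>:<keyhandle1>,<pubkey1>:<keyhandle2>,<pubkey2>...
# pamu2fcfg prints that line without a trailing newline, and `pamu2fcfg -n`
# (assumed here, per the pam-u2f documentation) prints only ":<keyhandle>,<pubkey>"
# so that a second key can be appended to the same line.

# Return 0 if LINE belongs to USER and every mapping has a non-empty
# key handle and public key; return 1 otherwise.
u2f_line_valid() {
  user=$1
  line=$2
  [ "${line%%:*}" = "$user" ] || return 1
  rest=${line#*:}
  [ "$rest" != "$line" ] || return 1      # no ':' separator at all
  [ -n "$rest" ] || return 1              # username but no keys
  old_ifs=$IFS
  IFS=:
  set -- $rest                            # split the mappings on ':'
  IFS=$old_ifs
  for part; do
    case $part in
      *,*,*|,*|*,) return 1 ;;            # extra comma or an empty half
      *,*) ;;                             # keyhandle,pubkey: fine
      *) return 1 ;;                      # no comma: not a mapping
    esac
  done
  return 0
}

# Validate the first line of FILE for USER.
u2f_keys_valid() {
  [ -s "$1" ] || return 1
  u2f_line_valid "$2" "$(head -n 1 "$1")"
}

# Append EXTRA (the ":<keyhandle>,<pubkey>" text for a backup key) to USER's
# line in FILE. The merged line is validated before anything is written, and
# the previous file is kept as FILE.bak.
u2f_keys_append() {
  file=$1
  who=$2
  extra=$3
  current=$(head -n 1 "$file")            # also drops any trailing newline
  u2f_line_valid "$who" "$current" || return 1
  case $extra in
    :*) ;;
    *) return 1 ;;                        # must start with ':' to join the line
  esac
  merged="$current$extra"
  u2f_line_valid "$who" "$merged" || return 1
  cp "$file" "$file.bak" || return 1
  printf '%s' "$merged" > "$file"
}

# Print how many keys are registered on the first line of FILE.
u2f_keys_count() {
  awk -F: 'NR == 1 { n = 0; for (i = 2; i <= NF; i++) if ($i ~ /,/) n++; print n }' "$1"
}

# Demo on constructed values (real key handles and public keys are long base64).
demo=$(mktemp -d)
printf 'alice:KH1constructed,PK1constructed' > "$demo/u2f_keys"
if u2f_keys_append "$demo/u2f_keys" alice ':KH2constructed,PK2constructed'; then
  echo "registered keys for alice: $(u2f_keys_count "$demo/u2f_keys")"
fi
rm -rf "$demo"
```

To register the backup key for real, capture the second key's mapping and hand it to the helper: `u2f_keys_append ~/.config/Yubico/u2f_keys "$USER" "$(pamu2fcfg -n)"`. The helper refuses input that is missing the leading colon or the public-key half, so a bad copy-paste cannot corrupt the line that pam_u2f will parse at your next login.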

Test U2F using the screensaver

We start by looking at the PAM configuration files.

$ ls /etc/pam.d/
authorization cups    login.term  rshd        sshd
checkpw       ftpd    other       screensaver su
chkpasswd     login   passwd      smbd        sudo

The ones to pay attention to are

  • screensaver - for unlocking after sleep or the screensaver
  • authorization - for logging in when a session is created, e.g. at startup or when switching users
  • su - for su (handy for viewing debug output from the U2F module)

For the first demonstration, prepend /etc/pam.d/screensaver with auth sufficient pam_u2f.so (or auth sufficient /usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so if you did not create the symlink), so that mine looks like:

# screensaver: auth account
auth       sufficient     pam_u2f.so
auth       optional       pam_krb5.so use_first_pass use_kcminit
...
... (rest of the file unchanged)

There should be no need to restart, as the PAM configuration files are read on every use. To test, simply start the screensaver, or try waking from sleep.

With auth sufficient pam_u2f.so, no password is needed, but you still have to submit a (blank) password, because the prompt deliberately gives no hint that the password is optional. And because the rule is sufficient rather than required, it is still possible to unlock with the login password alone when the U2F key is absent.

By changing it to auth required pam_u2f.so, both the login password and the U2F key are required to complete the login. I find that if this fails enough times, the system logs me out.

Wrap up with OS X Login

To complete the U2F setup, we add auth required pam_u2f.so to /etc/pam.d/authorization.

Tip: This can end with you locked out of your computer, so I recommend creating a separate admin user for recovery first. Another approach is to use sufficient while testing, then switch to required later.

# authorization: auth account
auth       required     pam_u2f.so
auth       optional       pam_krb5.so use_first_pass use_kcminit
...

Restart to complete the process and see it in action! (PAM does not actually require a restart, but I wanted to make sure it still boots cleanly.)
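Since a typo in /etc/pam.d/authorization is exactly how you end up locked out, here is an added example (my own script, not the post's) that does the two edits above the careful way: it checks that the module and your mapping file exist before touching anything, inserts the auth rule once (keeping a .bak copy), and can later flip the rule from sufficient to required. The function names are mine; MODULE is the Homebrew path from the caveats above, and the demo runs on a constructed copy of the screensaver file, never on /etc/pam.d itself.

```shell
#!/bin/sh
# Added example (not the post's own script): enable pam_u2f in a PAM service
# file the careful way. It runs the pre-flight checks that prevent a lock-out,
# inserts the auth rule idempotently with a backup, and can promote the rule
# from "sufficient" to "required" once the sufficient variant has been tested.
# MODULE is the Homebrew path printed by the brew caveats; adjust the version.
MODULE=/usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so

# Pre-flight: the module must exist and the user must already have a mapping
# file, otherwise an "auth required" rule would fail for every login attempt.
u2f_preflight() {
  module=$1
  keys=$2
  [ -f "$module" ] || { echo "module not found: $module" >&2; return 1; }
  [ -s "$keys" ] || { echo "no key mapping file: $keys" >&2; return 1; }
  return 0
}

# Print the control flag of the pam_u2f auth rule in FILE, or "none".
pam_u2f_control() {
  awk '$1 == "auth" && $3 ~ /pam_u2f\.so/ { print $2; found = 1; exit }
       END { if (!found) print "none" }' "$1"
}

# Insert "auth <control> <module>" before the first auth rule of FILE (i.e.
# after the header comment, as in the post), unless a pam_u2f rule is already
# present. A copy of the original is kept as FILE.bak.
pam_u2f_enable() {
  file=$1
  control=$2
  module=$3
  case $control in
    sufficient|required) ;;
    *) echo "control must be sufficient or required" >&2; return 1 ;;
  esac
  [ "$(pam_u2f_control "$file")" = "none" ] || return 0     # already enabled
  cp "$file" "$file.bak" || return 1
  rule=$(printf 'auth       %-14s %s' "$control" "$module")
  awk -v rule="$rule" '
    !done && $1 == "auth" { print rule; done = 1 }
    { print }
    END { if (!done) print rule }' "$file.bak" > "$file"
}

# Switch the pam_u2f rule in FILE from sufficient to required (backup kept).
pam_u2f_require() {
  file=$1
  cp "$file" "$file.bak" || return 1
  awk '$1 == "auth" && $3 ~ /pam_u2f\.so/ { sub(/sufficient/, "required") }
       { print }' "$file.bak" > "$file"
}

# Demo on a constructed, shortened copy of /etc/pam.d/screensaver. Never edit
# the real file without a backup and a recovery admin account.
demo=$(mktemp -d)
printf '%s\n' '# screensaver: auth account' \
  'auth       optional       pam_krb5.so use_first_pass use_kcminit' \
  'account    required       pam_opendirectory.so' > "$demo/screensaver"
pam_u2f_enable "$demo/screensaver" sufficient pam_u2f.so
echo "after enable:  $(pam_u2f_control "$demo/screensaver")"
pam_u2f_require "$demo/screensaver"
echo "after require: $(pam_u2f_control "$demo/screensaver")"
cat "$demo/screensaver"
rm -rf "$demo"
```

For the real thing, run `u2f_preflight "$MODULE" ~/.config/Yubico/u2f_keys` first, then `sudo` the enable step against /etc/pam.d/screensaver with sufficient, test the unlock, and only then run the require step and repeat for /etc/pam.d/authorization. Pass "$MODULE" rather than the bare pam_u2f.so on OS X versions with System Integrity Protection, where /usr/lib is not writable and the symlink from the caveats cannot be created.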

In the demo I actually typed my first password wrongly (sorry guys).

(Optional) View U2F in debugging action

By prepending /etc/pam.d/su with auth sufficient pam_u2f.so debug, some interesting messages from the module can be viewed in the terminal when you run su <username>.

Conclusion

All I can say is that the grass is definitely greener on this side. Losing my own data would upset me, but I would be extremely nervous if I lost a laptop with work credentials that a stranger could access. Now my hardened laptop is something to be proud of.

I won’t complain because I get to play with new devices, too :)

Next Step: FileVault

I won't really go into setting up FileVault because it is just a matter of following the wizard. However, do change to a longer, better password, since you no longer have to type it all the time.