After updating macOS, you may find that during the update the system has recreated the PAM configuration and screensaver files and deleted the entries that enable the macOS Logon tool to work with challenge-response. To recreate the configuration file and pair the YubiKeys to the PAM module, follow the steps below:
- Open Terminal.
- Delete the .yubico folder and its contents:
rm -Rf ~/.yubico
- Recreate the .yubico folder:
mkdir –m0700 –p ~/.yubico
- Insert your YubiKey and run the following command:
Note: Ensure you touch the YubiKey contact if the LED begins flashing - this will happen if you programmed the Challenge-Response credential to “require user input.” Repeat this step with each YubiKey you wish to enable (if you get a YubiKey Core Error after running this command, ensure that Secure Keyboard Entry is not enabled in Terminal preferences.
- Backup the PAM configuration files:
sudo cp /etc/pam.d/screensaver /etc/pam.d/screensaver_backup_`date "+%Y-%m-%d_%H:%M"` && sudo cp /etc/pam.d/authorization /etc/pam.d/authorization_backup_`date "+%Y-%m-%d_%H:%M"`
- Add the necessary changes to the screensaver file:
sudo echo "auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response" >> /etc/pam.d/screensaver
IMPORTANT: Make sure to lock the computer and test you are able to unlock properly. If this step fails, simply reboot the computer to logon again. If a failure occurs at this step, it is important to not continue to the next step. If the authorization file is incorrectly edited, it is possible to become locked out of your computer. If this happens, it is necessary to boot into recovery mode and edit the files to regain access.
- Once you confirm the screensaver test passes, add the necessary changes to the authorization file:
sudo echo "auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response" >> /etc/pam.d/authorization