11.03.2020

Yubikey For Macos

Aug 20, 2019  Yubico's new YubiKey 5Ci is the company's first hardware authentication device with a Lightning adapter for the iPhone. A YubiKey reduces the risk of password-based account hijacking by acting as a second factor, much like a one-time code sent via text message or generated by an authentication app such as Google Authenticator.

I largely followed Florin's blog post, but have a few notes to add regarding issues I encountered:

Basic setup notes

  1. I used a YubiKey 4, while the blog describes using a YubiKey NEO. I'm sure a YubiKey 5 would also work. I'm also running macOS 10.13.6.
  2. I installed GPGTools as recommended. However, as I'll note later, it seems that gpg-agent only automatically starts when gpg is used; for ssh, you'll need to ensure it's running.
  3. Before generating your keys, decide what key size you want to use. If you run the list command inside gpg --card-edit, look for the Key attributes line to see what is currently selected. On my YubiKey 4, it defaulted to 2048 bits for all keys.

These correspond to the signature key, encryption key, and authentication key. (I believe only the authentication key is used for ssh.)

Running the admin subcommand key-attr lets you change these.

(Note that the OpenPGP applet only works with RSA, not ECC, so don't choose that.)

  4. After generating keys, ssh-add -L may not initially show anything.

This is because gpg-agent changed how it works a few years ago, removing some options such as write-env-file (per this comment), which Florin's instructions use.

To get gpg-agent and ssh-agent to work together, you can use a simplified ~/.gnupg/gpg-agent.conf, and then kill any running gpg-agent process so that it picks up the new configuration.

Since the .gpg-agent-info file is no longer created by gpg-agent, you must also change your .bash_profile to use the gpg-agent ssh socket directly. I also added a line there to ensure that gpg-agent is running.

(This is taken from @drduh's YubiKey guide.)

After updating this, launch a new shell, and ssh-add -L should now show your public key; you can then follow the rest of the directions provided.
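The gpg-agent.conf and .bash_profile changes described above, as an added example that is not code from the original post or from drduh's guide: it writes the two-line agent config, prints the profile lines, and checks whether a given SSH_AUTH_SOCK value is gpg-agent's socket rather than the launchd ssh-agent socket macOS sets by default. It assumes GnuPG 2.1 or later (for gpgconf) and a pinentry-mac at /usr/local/bin/pinentry-mac; the script name gpg-ssh-setup.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or drduh's guide): generate the
# simplified gpg-agent.conf and the .bash_profile lines that point ssh at
# gpg-agent's socket. Assumes GnuPG 2.1+ (gpgconf) and a Homebrew
# pinentry-mac at /usr/local/bin/pinentry-mac; override PINENTRY otherwise.
PINENTRY="${PINENTRY:-/usr/local/bin/pinentry-mac}"

# write_gpg_agent_conf DIR: enable the ssh-agent protocol on gpg-agent and
# pin the pinentry so PIN prompts work from a terminal session.
write_gpg_agent_conf() {
    mkdir -p "$1" && chmod 700 "$1"
    printf 'enable-ssh-support\npinentry-program %s\n' "$PINENTRY" \
        > "$1/gpg-agent.conf"
    chmod 600 "$1/gpg-agent.conf"
}

# profile_lines: what to append to ~/.bash_profile. The gpgconf query replaces
# the old .gpg-agent-info file, and --launch ensures the agent is up for ssh.
profile_lines() {
    cat <<'EOF'
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpgconf --launch gpg-agent
EOF
}

# uses_gpg_agent_socket PATH: true when an SSH_AUTH_SOCK value is gpg-agent's
# ssh socket rather than the launchd ssh-agent socket macOS sets by default.
uses_gpg_agent_socket() {
    case "$1" in
        */S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh gpg-ssh-setup.sh apply   (writes the config, restarts the agent)
if [ "${1:-}" = "apply" ]; then
    write_gpg_agent_conf "${GNUPGHOME:-$HOME/.gnupg}"
    profile_lines >> "$HOME/.bash_profile"
    gpgconf --kill gpg-agent        # next gpg/ssh use picks up the new config
    echo "Open a new shell, then run: ssh-add -L"
fi
```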

Requiring touch

I wanted to require a touch any time I tried to use my YubiKey for ssh authentication to prevent rogue processes from using the key while it's plugged in.

You can use the YubiKey Manager CLI to require this; I installed it via Homebrew.

Once installed, use the ykman openpgp touch subcommand to configure the touch settings.

(Again, you control the three keys separately.)

Problems with certain versions of the YubiKey 4

I attempted to add my SSH public key to my GitHub account and came across this perplexing error:

Key is weak. GitHub recommends using ssh-keygen to generate a RSA key of at least 2048 bits.

I'd initially used a 2048-bit RSA key, so using the key-attr subcommand I described above, I tried generating a 4096-bit key, but GitHub gave the same error message.

After some searching, I came across this issue. Basically, due to a security issue in certain versions of the YubiKey 4 (4.2.6-4.3.4), GitHub rejects keys generated on these YubiKeys as weak. There are basically two workarounds:

  1. Generate a keypair off of the card and then load it onto the YubiKey.
  2. Replace the YubiKey with a newer one. Thankfully, Yubico will replace your affected YubiKey 4 for free.

Even more details

@drduh's YubiKey Guide is a great reference, going into even more detail and best practices.

There are a bunch of customizations you can do to the standard macOS Login Window. All of them work on macOS 10.14 Mojave. All of them I didn't know about until I did. Now it is your turn. See how many you already know and tweet the results to @tperfitt for honor and glory.

1. Switch between picture and user/password mode

Press option-return to switch between user icons and username & password.

Switching between username / password and icons of users.


2. Secret Commands

Instead of entering in a username, there are some secret commands that can be entered (all of them start with “>”):

Shut down the Mac:

>power

Restart the Mac:

>restart

Shut down the Mac:

>shutdown

Sleep the Mac:

>sleep

Restart the Login Window:

>exit

3. Hostinfo

You can enable a secret status menu item that shows computer info. Example values include: “HostName”, “SystemVersion”, “SystemBuild”, “SerialNumber”, “IPAddress”, “DSStatus”, “Time”. To enable, run this command in the terminal, with the last option being the one that you want displayed first. Then click on the clock in the login window.

sudo defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo IPAddress

Super secret hostinfo status item.

4. Log in with a PIN instead of a password

macOS has support for smart cards, and the YubiKey can be set up as a smart card. If you insert a configured YubiKey, you can pair it with the user account. The next time you log in, you use a PIN rather than a password.

5. Show Login Window with Full Disk Encryption

If you enabled Full Disk Encryption (FileVault), you enter your password at first startup to unlock the disk and never see the Login Window. To have your Mac show the Login Window instead of automatically logging in, enter this command in Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

7. Hide the Buttons

The Shutdown/Restart/Sleep buttons can be hidden. Head over to System Preferences -> Users & Groups and click Login Options. You can turn off the buttons right there (after clicking the lock to authenticate, of course!).

If you want to turn some of the buttons off but leave some on, select the appropriate command to turn them off:

sudo defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled -bool true

sudo defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled -bool true

sudo defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled -bool true

and to turn them back on:

sudo defaults write /Library/Preferences/com.apple.loginwindow ShutDownDisabled -bool false

sudo defaults write /Library/Preferences/com.apple.loginwindow RestartDisabled -bool false

sudo defaults write /Library/Preferences/com.apple.loginwindow SleepDisabled -bool false

8. Login Window Text

You can add some text to appear on the Login Window using a defaults command in Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Your message here"

Not my phone number. Ask Tommy.

To remove the message, delete the LoginwindowText key:

sudo defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText

9. Run a script

You can easily run a script after each login by running a terminal command and giving a path to the script:

sudo defaults write com.apple.loginwindow LoginHook /path/to/script

I use it to send me a push notification via a Zapier webhook every time someone logs into my computer. $1 is the short name of the user logging in, and $HOSTNAME is the name of the computer:

#!/bin/sh
# loginwindow passes the short name of the user logging in as $1
curl "https://hooks.zapier.com/hooks/catch/8675/309/?name=$1&computer=$HOSTNAME"

Now when someone logs into my computer, I get a push notification on iOS:

Advanced note for nitpicky admins: Yes, I know login hooks have been replaced by LaunchAgents which also run at login, but Login Hooks still work in Mojave, so settle down.
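An added example, not part of the original post, that audits the loginwindow keys from sections 3, 5, 7, 8 and 9 the way a defender would: a LoginHook runs as root at every login, so it is worth inventorying alongside the FileVault auto-login and button settings. The SAMPLE text and the script path inside it are constructed to mimic defaults read output; on a real Mac, pipe the live output in instead.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the loginwindow keys the
# post sets. On a Mac, pipe in the real output of
#   sudo defaults read /Library/Preferences/com.apple.loginwindow
# SAMPLE is a constructed stand-in shaped like that output.
SAMPLE='{
    AdminHostInfo = IPAddress;
    DisableFDEAutologin = 1;
    LoginHook = "/usr/local/bin/login-notify.sh";
    LoginwindowText = "Authorised users only";
    ShutDownDisabled = 1;
}'

# pref_value KEY: read defaults-style text on stdin, print KEY's value with
# the surrounding quotes and trailing ';' stripped (empty if absent).
pref_value() {
    awk -v k="$1" '$1 == k && $2 == "=" {
        v = $0; sub(/^[^=]*= */, "", v); sub(/;[ \t]*$/, "", v)
        gsub(/^"|"$/, "", v); print v }'
}

# audit_loginwindow: read the same text on stdin, print one finding per line.
# Returns 1 when a LoginHook is set: it runs as root at every login, so it is
# both the notification mechanism from the post and a persistence point.
audit_loginwindow() {
    text=$(cat)
    rc=0
    hook=$(printf '%s\n' "$text" | pref_value LoginHook)
    if [ -n "$hook" ]; then
        echo "WARN LoginHook runs as root at each login: $hook"
        rc=1
    fi
    case "$(printf '%s\n' "$text" | pref_value DisableFDEAutologin)" in
        1|true|YES) echo "INFO FileVault unlock shows the login window" ;;
        *)          echo "INFO FileVault unlock logs the user straight in" ;;
    esac
    for k in ShutDownDisabled RestartDisabled SleepDisabled; do
        case "$(printf '%s\n' "$text" | pref_value "$k")" in
            1|true|YES) echo "INFO $k: login window button hidden" ;;
        esac
    done
    banner=$(printf '%s\n' "$text" | pref_value LoginwindowText)
    [ -n "$banner" ] && echo "INFO LoginwindowText: $banner"
    return $rc
}

# Usage on a Mac (audits the live plist):
#   sudo defaults read /Library/Preferences/com.apple.loginwindow | audit_loginwindow
```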

10. Turn on / off keyboard navigation

If you press control-f7 (or control-fn-f7 on portables), tab switches from going to all controls to just username and password.

11. Show keyboard

If your brother accidentally drops a chocolate covered cherry onto your keyboard and all the keys are stuck together*, you can log in with an on-screen keyboard. To turn it on, go to System Preferences->Users & Groups, click on Login Options, select Accessibility Options… and turn on the Accessibility Keyboard.

*Not a made up story.

12. Usage Policy

macOS has a simple way to put up a usage policy that requires you to click Accept prior to logging in. It allows you to customize it with graphics and text and setting it up is simple:

  • Open TextEdit and add text and graphics to a document.
  • Resize the TextEdit window to the size you want the usage policy to be.
  • Save the document as PolicyBanner to the Desktop.
  • Drag the PolicyBanner to /Library/Security

That’s it! Now when the Login Window shows, the Usage Policy will show over it. You have to accept prior to being allowed to log in.

There you go! 12 different customizations to the Login Window in macOS 10.14 Mojave (and earlier). If you like these blog posts, follow me on Twitter (@tperfitt) or sign up for our newsletter (I include a list of blog posts when the newsletter comes out, which is about every month). Also, check out our software at https://twocanoes.com. Or head over to the main blog page.
