Recovering access to a Yubikey-protected MacOS X

Mar 19, 2019 20:17 · yubikey macos FIDO U2F 2FA recovery

Today I received a new toy: a Yubikey from Yubico. It is a small USB key which contains multiple security protocols. The most famous is FIDO U2F.

Let’s see how it works: on websites that support two-factor authentication and the FIDO U2F protocol, you can use a Yubikey to log in to your account. The list of supported websites is not huge, but it includes the most popular ones.

So I started to play with the Yubikey by using it to log in to my Mac. But the manipulation went wrong. I was locked out of my own computer and could not log in to my two accounts.

Here is how I solved this issue.

Recovering access to MacOS X after the loss or destruction of the Yubikey (or a misconfiguration)

Note: this procedure will ask you for the disk password many times. Enter the password of an admin user.

The goal is to modify the two files used in the login process:

  • /etc/pam.d/authorization
  • /etc/pam.d/screensaver

First, boot into recovery mode by holding CMD+R while the MacBook is starting up. Then open a terminal and type:

# List your disks
$ diskutil list

# Try to find a disk called `Macintosh HD` and get the identifier 
# Mount it (mine is `disk1s1`)
$ diskutil mount disk1s1

# Go there
$ cd /Volumes/Macintosh\ HD/

# Modify your `authorization` file
$ vim etc/pam.d/authorization

# Remove or comment the line `auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response`
# Save and close

# Modify your `screensaver` file
$ vim etc/pam.d/screensaver

# Remove or comment the line `auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response`
# Save and close

Done!
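
The same edits as a script, as an added example that is not part of the original post: it backs up each file before commenting out the `pam_yubico.so` line, so the change can be reverted later. The function names and the `.yubico-backup` suffix are made up for this example, and it assumes `grep`, `sed` and `cp` are available in the recovery terminal.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: sh disable_yubico.sh "/Volumes/Macintosh HD"

# The two files named in the post, relative to the mounted volume.
PAM_FILES="etc/pam.d/authorization etc/pam.d/screensaver"

# Print the number of active (uncommented) pam_yubico auth lines in a file.
count_active_yubico() {
    grep -c '^[[:space:]]*auth.*pam_yubico\.so' "$1" 2>/dev/null || true
}

# Comment out active pam_yubico lines under the given volume root.
# A backup copy is written next to each file that gets changed.
disable_pam_yubico() {
    root=$1
    changed=0
    for rel in $PAM_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || { echo "skip: $f not found" >&2; continue; }
        if [ "$(count_active_yubico "$f")" -eq 0 ]; then
            echo "ok: no active pam_yubico line in $f"
            continue
        fi
        cp -p "$f" "$f.yubico-backup" || return 1
        # Prefix matching lines with '#'. The result is written back with
        # cat so the original owner and mode of the file are preserved.
        sed 's/^\([[:space:]]*auth.*pam_yubico\.so.*\)$/#\1/' "$f" > "$f.tmp" \
            && cat "$f.tmp" > "$f" && rm -f "$f.tmp" || return 1
        echo "commented out pam_yubico in $f (backup: $f.yubico-backup)"
        changed=$((changed + 1))
    done
    echo "$changed file(s) changed"
}

# Run only when a volume root is given on the command line.
if [ -n "${1:-}" ]; then
    disable_pam_yubico "$1"
fi
```

Once the Yubikey works again, copying each `.yubico-backup` file over its original restores the second factor.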
