@menduz
Created October 6, 2020 12:37
Lock pan mac
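#!/usr/bin/env bash
# lockpan-0: install pam_yubico via Homebrew, then run the PAM/lock setup
# script (lockpan-1.sh, expected next to this file) with sudo once a PIV
# identity is paired on the smart card.
set -euo pipefail

# install dependencies — fail loudly instead of running the lock script
# against a machine where the module never got installed
if ! command -v brew >/dev/null 2>&1; then
  printf '%s\n' 'Error: brew not found; install Homebrew first' >&2
  exit 1
fi
brew install pam_yubico

# resolve lockpan-1.sh relative to this script, not to the caller's cwd
script_dir=$(cd "$(dirname "$0")" && pwd)

# sc_auth identities lists the paired smart-card identities; a PIV entry
# means the YubiKey identity has been created
if sc_auth identities | grep -q PIV; then
  # run lock with sudo: lockpan-1.sh rewrites /etc/pam.d/* and needs root
  sudo bash "$script_dir/lockpan-1.sh"
else
  echo 'First follow this tutorial to create a smart card identity'
  echo ' https://support.yubico.com/hc/en-us/articles/360016649059-Using-Your-YubiKey-as-a-Smart-Card-in-macOS'
fi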
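#!/bin/bash
# lockpan-1: make the smart card (YubiKey PIV) the first-class factor for
# sudo/su/login/screensaver, add pam_yubico challenge-response to the
# authorization and screensaver stacks, and install a smart-card-only
# configuration profile. Must run as root (sudo bash ./lockpan-1.sh).
set -euo pipefail

# Every PAM file replaced below is backed up here first. "mkdir -p" is
# idempotent, unlike "mkdir || true", which also hid real failures
# (permissions, read-only home) and let the script continue without a
# backup location.
# NOTE(review): under sudo $HOME may be root's home rather than the invoking
# user's — confirm where the backups land before relying on them.
mkdir -p -- "$HOME/.backup/pam.d"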
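buf() {
  # buf : Backup file with time stamp
  # Copies $1 to $HOME/.backup/pam.d/<basename>_<YYYYmmdd_HHMMSS> with
  # "cp -a" (mode, owner and timestamps preserved).
  # Arguments: $1 - path of the file to back up
  # Returns:   cp's status; non-zero means NO backup was made, and callers
  #            must not overwrite the original in that case.
  local filename filetime name backup_dir
  filename="${1:?buf: missing file argument}"
  filetime=$(date +%Y%m%d_%H%M%S)
  name=${filename##*/}
  backup_dir="$HOME/.backup/pam.d"
  # make the function usable on its own, even before the top-level mkdir
  mkdir -p -- "$backup_dir" || return
  # copy the requested file itself (the original copied "$(unknown)", so
  # every backup failed silently while the file was still overwritten)
  cp -a -- "$filename" "$backup_dir/${name}_${filetime}"
}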
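# ---------------------------------------------------------------------------
# Preflight. Everything after this block rewrites system authentication
# state, so all checks run before anything is touched (previously the root
# check came after the "defaults write" calls had already run).
# ---------------------------------------------------------------------------
if [ "$(id -u)" -ne 0 ]; then
  echo 'Please run this script as root or using sudo'
  exit 1
fi

# NOTE(review): /usr/local is Homebrew's Intel prefix; with Apple-silicon
# Homebrew (/opt/homebrew) both this check and the pam_yubico lines written
# into the PAM files below would need that prefix instead — confirm on the
# target machine before running.
if [ -s "/usr/local/lib/security/pam_yubico.so" ]; then
  echo 'pam_yubico detected!'
else
  echo 'Error: pam_yubico NOT detected! run brew install pam_yubico'
  exit 1
fi

# The profile is installed last; verify it exists now so we never end up
# with rewritten PAM files and a failed profile install. Resolved relative
# to this script rather than the caller's cwd.
profile="$(dirname "$0")/pamlock.mobileconfig"
if [ ! -f "$profile" ]; then
  printf 'Error: %s not found\n' "$profile" >&2
  exit 1
fi

if sc_auth identities | grep -q PIV; then
  echo 'Configuring smart card options...'
  # To turn off automatic login when FileVault is on, enter this command in Terminal:
  # (no sudo prefix needed: we are already root at this point)
  defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
  # NOTE(review): the two screensaver keys are per-user preferences; written
  # as root they land in root's domain, not the console user's. They may need
  # to run as the invoking user (e.g. via "$SUDO_USER") — confirm.
  defaults write com.apple.screensaver askForPassword -bool TRUE
  # screen saver on remove token
  defaults write com.apple.screensaver tokenRemovalAction -int 1
else
  echo '!!!!!!!!!!!! SMART CARD NOT PRESENT CONFIGURE SMART CARD AND RUN THIS FILE AGAIN !!!!!!!!!!!'
  exit 1
fi

#######################################
# Back up a PAM config file, replace it with the content read from stdin and
# fix ownership/permissions. Refuses to touch the file when the backup fails,
# so a lost backup can never be combined with an overwrite. The new content
# is staged in a temp file and moved into place, so a partially written
# /etc/pam.d/<service> (which could lock out sudo/login) is never observable.
# Globals:   none
# Arguments: $1 - path of the PAM file (e.g. /etc/pam.d/sudo)
#            $2 - octal mode for the new file
# Inputs:    stdin - the complete new file content
# Returns:   0 on success; exits 1 on backup or write failure
#######################################
install_pam_file() {
  local path=$1 mode=$2
  local tmp
  if ! buf "$path"; then
    printf 'Error: could not back up %s; leaving it untouched\n' "$path" >&2
    exit 1
  fi
  tmp=$(mktemp "$path.XXXXXX") || exit 1
  if ! cat > "$tmp"; then
    rm -f -- "$tmp"
    exit 1
  fi
  # Fix new file ownership and permissions before it becomes live
  chmod "$mode" "$tmp"
  chown root:wheel "$tmp"
  mv -f -- "$tmp" "$path"
}

# !!!!!!!!!!!!!!!!!!!!!!!! write out a new sudo file
# Quoted delimiters: the PAM content is written literally, never expanded.
install_pam_file /etc/pam.d/sudo 444 <<'SUDO_END'
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
SUDO_END

# !!!!!!!!!!!!!!!!!!!!!!!! write out a new su file
install_pam_file /etc/pam.d/su 444 <<'SU_END'
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
SU_END

# !!!!!!!!!!!!!!!!!!!!!!!! write out a new login file
install_pam_file /etc/pam.d/login 644 <<'LOGIN_END'
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END

# !!!!!!!!!!!!!!!!!!!!!!!! write out a new authorization file
# NOTE(review): pam_yubico is "required" in challenge-response mode here and
# in the screensaver stack. That mode relies on a per-user challenge file
# (set up with ykpamcfg); if it is missing for the console user these stacks
# fail closed and lock that user out — confirm it exists before locking the
# screen.
install_pam_file /etc/pam.d/authorization 644 <<'AUTHORIZATION_END'
# authorization: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response
AUTHORIZATION_END

# !!!!!!!!!!!!!!!!!!!!!!!! write out a new screensaver file
install_pam_file /etc/pam.d/screensaver 644 <<'SCREENSAVER_END'
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
SCREENSAVER_END

# The profile sets enforceSmartCard, making the smart card mandatory for
# login; install it last, after every PAM stack is in place.
profiles install --path "$profile"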
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures smart card-only</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.78.</string>
<key>PayloadOrganization</key>
<string>Apple</string>
<key>PayloadType</key>
<string>com.apple.security.smartcard</string>
<key>PayloadUUID</key>
<string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserPairing</key>
<false/>
<key>allowSmartCard</key>
<true/>
<key>checkCertificateTrust</key>
<false/>
<key>enforceSmartCard</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Smartcard profile.</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.77</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadUUID</key>
<string>7D34CC86-C707-44D2-9A9F-C5F6E347BD77</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>