CTK/SmartAuth Question #5
Comments
|
Thanks for reporting this. We don't use SmartAuth / CryptoTokenKit, so our ability to build support for this may be limited. Two questions:
|
|
The fdesetup error doesn’t prevent login, but it does not send a new key to Jamf.
I logged in to both FileVault and the OS with my PIV-D credential, and, when I run the command, it prompts for username/password. At that point I am able to enter the password. If I enter my PIN there (as I do for login), it states that the user cannot be authenticated.
With my password:
```
***@***.*** ~ % sudo fdesetup changerecovery -personal -verbose
Enter PIN for 'Certificate For PIV Authentication (ELIZABETH SMITH (Affiliate))':
fdesetup: use personal recovery key
fdesetup: device path = /
Enter the user name:elsmith
Enter the password for user 'elsmith':
New personal recovery key = 'LVU9-OZ58-EEO2-O28G-JOBF-Q8M7'
```
With my PIN as the password:
```
***@***.*** ~ % sudo fdesetup changerecovery -personal -verbose
fdesetup: use personal recovery key
fdesetup: device path = /
Enter the user name:elsmith
Enter the password for user 'elsmith':
Error: User could not be authenticated.
Error: Unable to unlock or authenticate to FileVault.
***@***.*** ~ %
```
From: Elliot Jordan ***@***.***>
Date: Monday, October 23, 2023 at 2:21 PM
To: macadmins/escrow-buddy ***@***.***>
Cc: Smith, Liz ***@***.***>, Author ***@***.***>
Subject: [EXTERNAL] Re: [macadmins/escrow-buddy] CTK/SmartAuth Question (Issue #5)
Thanks for reporting this. We don't use SmartAuth / CryptoTokenKit, so our ability to build support for this may be limited.
Two questions:
1. If I understand correctly, the fdesetup error does not prevent a successful login from occurring. Is that right?
2. After logging in with a SmartAuth user, what output does sudo fdesetup changerecovery -personal -verbose produce in the Terminal?
—
Reply to this email directly, view it on GitHub<#5 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AIPO7LKZGOOOSPKIZDWLDITYA3GTZAVCNFSM6AAAAAA6MTKRJSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONZVHE2TQNJQGU>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Understood, thank you. I'm happy to hear that you're not prevented from logging in — Escrow Buddy is designed to "fail open" for these types of situations. I'll seek some advice from peers who use SmartAuth and see if there's a way to solve this. |
|
Awesome thank you!! I really appreciate your help - this is an awesome little app!
…________________________________
From: Elliot Jordan ***@***.***>
Sent: Monday, October 23, 2023 3:41:01 PM
To: macadmins/escrow-buddy ***@***.***>
Cc: Smith, Liz ***@***.***>; Author ***@***.***>
Subject: [EXTERNAL] Re: [macadmins/escrow-buddy] CTK/SmartAuth Question (Issue #5)
Understood, thank you. I'm happy to hear that you're not prevented from logging in — Escrow Buddy is designed to "fail open" for these types of situations.
I'll seek some advice from peers who use SmartAuth and see if there's a way to solve this.
—
Reply to this email directly, view it on GitHub<#5 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AIPO7LJMU37O25PQTJ2DVWTYA3P63AVCNFSM6AAAAAA6MTKRJSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONZWGA3DKOJSGY>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Hi @elstalk - Unfortunately, we're not able to commit the development resources needed to support smart cards at this time. This could be one situation in which a user-facing password prompt might still be appropriate, for now. Pull requests are welcome if anybody wants to add this feature, but doing so would also require ongoing testing commitment that we're not able to provide as we don't use smart cards for Mac authentication. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
I have only tested on a few machines in our fleet, but it does not seem to work if the account that logs in is using enforced SmartAuth login with CTK. The local admin account logs in and it works, but my account with CTK enforcement gives these errors:
"ERROR: fdesetup terminated with a non-zero exit status: 11"
"fdesetup Standard Error: Optional("Error: User could not be authenticated.\nError: Unable to unlock or authenticate to FileVault.\n"
"Caught error trying to generate a new key: The operation couldn't be completed. (Escrow.Buddy.Invoke.FileVaultError error 0.)"
Steps to Reproduce
Log out and log back in with a two-factor enabled account (so username/PIN instead of username/password) and it won't work. Log out and log back in with a local account that does not have two-factor enforced (can log in with username/password) and it works. Additionally, if I disable the enforcement of CTK and log in with the username/password on my personal account, it works, as well. I have attached the output from that machine (ran log show --predicate 'subsystem == "com.netflix.Escrow-Buddy"' --style syslog --debug --info --last 24h and ported to a ".log" file)
logCapture.log
Expected Behavior
I would expect that it would work, but it is not.
Environment
Additional Context
Add any screenshots, logs, or additional details about the problem here. Include which troubleshooting steps you've already taken.
The text was updated successfully, but these errors were encountered: