pam-watchid's Introduction

PAM WatchID

A PAM plugin for authenticating using the new kLAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch API in macOS 10.15, written in Swift.

Installation

  1. $ sudo make install
  2. Edit /etc/pam.d/sudo to include as the first line: auth sufficient pam_watchid.so "reason=execute a command as root"

Note that the file may already contain other auth lines; don't remove them.
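One way to apply step 2 without losing the existing rules, shown as an added example that is not part of pam-watchid itself. It inserts the line ahead of the first auth rule rather than literally on line 1, so a leading comment stays in place and PAM still tries pam_watchid.so first. The function names, the constructed sample file and the .bak suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the pam-watchid repository.
WATCHID_LINE='auth sufficient pam_watchid.so "reason=execute a command as root"'

# Number of auth rules in a PAM config file (comments and other rule types ignored).
count_auth() { awk '$1 == "auth" { n++ } END { print n + 0 }' "$1"; }

# Module named by the first auth rule, i.e. the one PAM tries first.
first_auth_module() { awk '$1 == "auth" { print $3; exit }' "$1"; }

# Constructed sample that mimics the layout of a sudo PAM file.
make_sample() {
    printf '%s\n' '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' > "$1"
}

# add_watchid FILE: put WATCHID_LINE ahead of the first auth rule.
# Idempotent, keeps FILE.bak, and aborts if an existing auth rule would be lost.
add_watchid() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Already configured: leave the file untouched.
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_watchid\.so' "$file"; then
        return 0
    fi
    before=$(count_auth "$file")
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "${TMPDIR:-/tmp}/pam-sudo.XXXXXX") || return 1
    awk -v line="$WATCHID_LINE" '
        !ins && $1 == "auth" { print line; ins = 1 }
        { print }
        END { if (!ins) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(count_auth "$tmp")" -ne $((before + 1)) ]; then
        echo "auth rule count changed unexpectedly; $file not modified" >&2
        rm -f "$tmp"; return 1
    fi
    # cat (not mv) keeps the original owner and mode of FILE.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage: sh add-watchid.sh /path/to/copy-of-sudo
if [ $# -gt 0 ]; then add_watchid "$1"; fi
```

Run it against a copy of /etc/pam.d/sudo first and keep a root shell open while testing the real file, since a broken PAM config can block sudo.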

pam-watchid's People

Contributors

insidegui, keith, reflejo, reitermarkus, saagarjha

pam-watchid's Issues

Fails to Build on Apple Silicon

When I try to build this on an Apple Silicon Mac it fails to build with the following error:

swiftc watchid-pam-extension.swift -o pam_watchid.so -target x86_64-apple-macosx10.15 -emit-library
<unknown>:0: error: unable to load standard library for target 'x86_64-apple-macosx10.15'
make: *** [all] Error 1

The TARGET needs to be platform-sensitive and use the right value for the given OS and architecture, I think.

macOS BS 11.3 beta 3 issue ...

After each beta I run my script to activate "pam-watchid" but with macOS BS 11.3 beta 3 I have the below error:

swiftc watchid-pam-extension.swift -o pam_watchid.so -target x86_64-apple-macosx10.15 -emit-library
watchid-pam-extension.swift:1:8: error: no such module 'LocalAuthentication'
import LocalAuthentication
^
make: *** [all] Error 1

Am I the only one, or is it a common issue?

pam.d/sudo FORWARDING?

When I ssh into my servers, is there a way to forward the sudo request back to my Apple Watch?

in my dreams...:
auth sufficient pam_watchid_fromRemote.so "reason=execute a command as root"

:-)
p.s. Thanks already for this awesome timesaver!
p.s.^2: I do already know of pam_ssh_agent_auth (a PAM module which permits PAM authentication via your keyring in a forwarded ssh-agent) but that doesn't go to my Apple Watch grrr. https://github.com/jbeverly/pam_ssh_agent_auth

Check if auth request is from remote session (like ssh)

Hello, is it possible to check this? I saw that you already check sudo parameters like "-A".
Obviously this is to prevent asking for Watch unlock while you are on a remote session.
A workaround would be to set a timeout on unlock of 5/10 secs.

TARGET auto detection

Not an issue but just an idea for optimization.
Is it possible to detect the right version for TARGET from the command line?
I used the value of sw_vers -productVersion (TARGET=x86_64-apple-macosx11.2) for my first installation, but swift -version seems to offer a different TARGET (TARGET=x86_64-apple-darwin20.3.0). Both work but the two .so files have different checksums.

Operation not permitted.

I had to append a '.2' to the end of the file name when adding it to the PAM config; however, whenever I try to run sudo after setting this up, I just get a PAM operation permitted error. I figured out how to revert changes (use Finder) but I can't get this library to work.

macOS Big Sur 11.2.2

I just installed it and the dialog shows up as expected, but the Apple Watch does not react. Do I have to perform another step apart from ticking the checkbox in the security settings stating "Use your Apple Watch to unlock apps and your Mac"?

Just to be sure, installing works, adding to /etc/pam.d/sudo works and the dialog shows up asking for Apple Watch verification, but then I cannot verify anything on my watch.

stop working on 11.1 (20C69)

It was working on 11.0, but it seems to have stopped working after I upgraded to 11.1.

I rebuilt "pam_watchid.so" and edited "sudo". It still asks for the password.

I am pretty sure my Apple Watch can unlock my MacBook after sleep.

Unknown policy: '4' error under Mojave 10.14.6 (18G5033)

Hi,
Using Mojave 10.14.6 (18G5033), it built without issues, but now every time I try to sudo I get

*** First throw call stack:
(
	0   CoreFoundation                      0x00007fff3c2cb9a9 __exceptionPreprocess + 256
	1   libobjc.A.dylib                     0x00007fff669d3a17 objc_exception_throw + 48
	2   CoreFoundation                      0x00007fff3c2cb7db +[NSException raise:format:] + 201
	3   SharedUtils                         0x00007fff403ee1a1 +[LAErrorHelper raiseExceptionOnError:] + 182
	4   LocalAuthentication                 0x00007fff4040aade -[LAClient evaluatePolicy:options:uiDelegate:reply:] + 479
	5   LocalAuthentication                 0x00007fff4040ad86 -[LAClient evaluatePolicy:options:reply:] + 99
	6   LocalAuthentication                 0x00007fff4040f065 __42-[LAContext evaluatePolicy:options:reply:]_block_invoke + 131
	7   libdispatch.dylib                   0x00007fff6815563d _dispatch_client_callout + 8
	8   libdispatch.dylib                   0x00007fff68158374 _dispatch_block_invoke_direct + 256
	9   libdispatch.dylib                   0x00007fff68158254 dispatch_block_perform + 124
	10  LocalAuthentication                 0x00007fff4040ef3e -[LAContext evaluatePolicy:options:reply:] + 226
	11  LocalAuthentication                 0x00007fff4040f567 -[LAContext evaluatePolicy:options:error:] + 244
	12  LocalAuthentication                 0x00007fff40410a10 __37-[LAContext canEvaluatePolicy:error:]_block_invoke + 425
	13  LocalAuthentication                 0x00007fff40410b8d __37-[LAContext canEvaluatePolicy:error:]_block_invoke.103 + 16
	14  libsystem_trace.dylib               0x00007fff683b4714 _os_activity_initiate_impl + 53
	15  LocalAuthentication                 0x00007fff404107c6 -[LAContext canEvaluatePolicy:error:] + 264
	16  pam_watchid.so.2                    0x000000010e111d1e pam_sm_authenticate + 1438
	17  libpam.2.dylib                      0x00007fff67157d64 openpam_dispatch + 500
	18  libpam.2.dylib                      0x00007fff671590ba pam_authenticate + 35
	19  sudo                                0x000000010e02b4af sudo + 62639
	20  sudo                                0x000000010e032704 sudo + 91908
	21  sudo                                0x000000010e0337c7 sudo + 96199
	22  sudo                                0x000000010e01e66e sudo + 9838
	23  sudo                                0x000000010e042c98 sudo + 158872
	24  sudo                                0x000000010e0230ea sudo + 28906
	25  libdyld.dylib                       0x00007fff681a23d5 start + 1
)
libc++abi.dylib: terminating with uncaught exception of type NSException

Built using

Apple Swift version 5.1.3 (swiftlang-1100.0.282.1 clang-1100.0.33.15)
Target: x86_64-apple-darwin18.7.0

Apple Watch authentication for sudo [macOS Sonoma 14.0]

It seems that Apple Watch authentication for sudo on macOS Sonoma 14.0 is supported out-of-the-box now. This doesn't need to be installed for it to work. Seems they've also added support for /etc/pam.d/sudo_local to persist the pam_tid.so line, which is pre-loaded in the OS, but commented out.

Asks for password and watch

I tried running this. I still get a password prompt with no Apple Watch prompt. Then after entering the password the Apple Watch prompt appears and if the password is wrong, it doesn't authenticate. Am I doing something wrong?
