
Question: Big Sur and smart cards

I have been using a YubiKey nano 5 for smart card login to MacOS Catalina for several months. I upgraded to Big Sur yesterday and since then, I've been having intermittent problems.


When I take an action in the GUI that requires root privileges, I get the normal prompt "XXX wants to make changes. Enter your PIN to allow this." However, this dialog gets stuck and the action never completes. After I enter my PIN, the dialog hangs with the buttons and PIN field disabled. If I remove the smart card, the dialog becomes active again and switches to asking for password. If I enter my password, the dialog hangs again. If I insert my YubiKey again, the dialog becomes active and asks for my PIN, but after I provide my PIN, the dialog hangs.


Smart Card login to Mac OS works fine. I have not touched the smart card configuration at all. Smart card PIN at terminal prompts for root privilege seems to work fine. Re-launching Finder does not solve the problem. Rebooting solves the problem for a short time, then it returns.


I'd appreciate any help.


macOS Big Sur

Version 11.0.1

Mac Pro (Late 2013)

Posted on Nov 14, 2020 3:44 PM

Question marked as Helpful

Nov 16, 2020 5:55 AM in response to robertfromaldie

Same here on MacBook Pro 13 (2020). On reddit a user wrote: To avoid the force restarts, I discovered that you can SSH into the machine (needs Remote Login enabled) and 'killall loginwindow', then use password login. Doesn't help of course if you have Smartcard only enabled.


Nov 17, 2020 3:04 AM in response to robertfromaldie

I also have the problem, but in a different way. Before I describe it: I log in with a smartcard user which does NOT have admin privileges. So, when I do an action which needs admin privileges, an extra GUI prompt asks me for my PIN. But it did not work, because I do not have the admin privileges. And I'm not able to enter a different username.

But when I remove my smartcard, I'm able to change the username. So I enter the username of an administrator and the corresponding password. After that the action is authorized.

I assume that there is a bug in macOS such that changing the username is not possible while the smartcard is inserted.




Nov 25, 2020 10:02 AM in response to robertfromaldie

Same problem, but worse. Sometimes I can't log in to Big Sur with the Yubikey.

The login window froze there (with the right PIN) for a long time and later it unfroze. After that, clicking anything only plays the 'Funky' sound effect...


The only way to solve this for me is killing the windowserver (which forces a logout of the user) via ssh.

Or by doing a forced shutdown and restart.


I think for your problem, maybe you can find the process named "security" (not 100% sure now) and kill it to remove the frontmost window.

Question marked as Helpful

Nov 27, 2020 5:28 AM in response to johnchlorophyll

I can now reproduce the issue. Killing windowserver did not help for me.

And I assume I know why I did not get the issue in my first tests. The first machine I used for testing uses the OpenSC framework and NOT the Apple CTK. So, I assume using OpenSC helps to avoid this issue.

I have a second machine where I was able to reproduce the issue. There I do not have OpenSC installed. I will now update that machine with OpenSC and will give feedback in a few days on whether the error persists.



Dec 3, 2020 8:42 PM in response to robertfromaldie

I am experiencing the exact same issue with macOS Big Sur 11.0.1 and a Yubikey 4 Nano on a 2017 iMac Pro.


Additional details I can provide... it is intermittent, and a forced restart works again for some period of time (usually a few hours to a few days...) but invariably, the root privilege GUI will freeze. This is preventing software installs (which require elevated permissions) and will cause my machine to lock overnight (regardless of the Energy and/or Screensaver settings) such that I can't unlock the computer in the morning by entering the Smartcard PIN, and my only option is to force restart my iMac.


I also notice that whenever I enter the PIN code in the root privilege GUI, my screensaver flashes on, which makes me think that it is smart card related, since the computer automatically locks and shows the screensaver if the Yubikey is physically removed.


Details about pairing the Yubikey with macOS as a smartcard can be found here:


https://support.yubico.com/hc/en-us/articles/360016649059-Using-Your-YubiKey-as-a-Smart-Card-in-macOS


I'm thinking about following the instructions under the heading, "How to Unpair Your YubiKey and PIV Login from macOS" but I'm hesitant to do anything that might lock me out entirely or make the situation worse.


Has anyone else done this? I'm anxiously looking forward to a solution!


Dec 4, 2020 12:58 AM in response to vready

I have unpaired my Yubikey from my macbook pro and now simply log in with my password. I disabled the Smartcard Pairing notification, which you will receive each time you plug it into the machine, just because it got annoying. The Yubikey still works for any other website or service that you have 2FA set up against.


So far everything has been working well, except for the annoyance of having to type in a password for root and login :)

Question marked as Solved

Dec 8, 2020 4:41 PM in response to mr_drlove

OK guys, I think that I solved it for my computer, but the solution *****. I'm still waiting on Apple support.


What I did was unmap the smart card from my user - yes, I know that this means that I'm not doing smart card auth anymore. But, I haven't gotten the hung login window issue anymore.


Unplug your Yubikey, then from a terminal, type:

sc_auth unpair -u $(whoami)


I did this without su and the command hung, so I did it again under su in a new terminal.


Then I rebooted, been fine ever since.



Dec 10, 2020 12:59 AM in response to robertfromaldie

@robertfromaldie,

I'm not sure if I got you right. So, yes, it is clear that if you disable smartcard pairing the problem is solved.

But for me the question is how to leave the smartcard enabled and not get the frozen machine.


In my setup it is NOT necessary to unpair the smartcard. It is enough not to USE the smartcard, i.e. when I'm logged in using username/password and enable the screensaver. I tested this scenario over 2 days and the screensaver did not freeze. Unlocking the screensaver worked with username/password as well as with smartcard/PIN (inserting the smartcard shortly before).


So, my question is: did you really disable smartcard pairing, or did you mean disabling and enabling it again?


Thanks for the clarification.



Dec 10, 2020 2:27 PM in response to mr_drlove

Hi @mr_drlove,


Yes, I really did just disable smart card pairing. I did NOT re-enable. I tried reinstalling MacOS, but that didn't fix the problem, and I needed to get my computer back in working order, so I just deleted the SC pairing.




Dec 11, 2020 2:22 AM in response to robertfromaldie

Hi @robertfromaldie,

thanks for the clarification. This is quite interesting, because it looks like you had the error EVERY time. I only have the problem when I use the smartcard. When I use username/password for login and do NOT insert the smartcard, everything works without any issue.
