7

I need to create a plugin for the OS X login mechanism so that I can unlock the screen in a way other than typing a password. I know things like this already exist - Knock to unlock or Rohos USB key logon are examples.

I found the sample code on ADC called "NameAndPassword" (https://developer.apple.com/library/mac/samplecode/NameAndPassword/Introduction/Intro.html), and after some struggle (Custom login/lock screen in OS X Mavericks) I managed to build and install it on Mavericks. The problem is that the whole plugin is apparently a little outdated and does not log me in after I type the password (I need to reboot the machine through SSH). I'm an Xcode/Objective-C beginner and cannot fix the problem by myself.

Basically, my question is: how do I modify the sample NameAndPassword code so that I can log in with input other than the keyboard? I want to create an app that will provide the password, but not through the keyboard - that's pretty much how I believe Knock to unlock works.

Michał Siwek
  • Hi, thanks to your guidance, I've managed to run this authorizationPlugin myself. However, if I set a false combination of username and password, I simply get back to the login screen again... Do you perhaps know if there's any way to get the failure reason from the context? Thanks! – Zohar81 Apr 28 '20 at 11:47

2 Answers

7

There are some bugs in Apple's official code. I patched them and put the result on my GitHub: https://github.com/skycocker/NameAndPassword

This version of the plugin should work fine, as long as you replace the

```xml
<string>loginwindow:login</string>
```

line in the authorization policy database with

```xml
<string>NameAndPassword:invoke</string>
```

Otherwise it won't log you in.

Michał Siwek
  • Did that, and the plugin is not working... any ideas? – Oscar Swanros May 23 '14 at 20:03
  • Did you do it this way? http://stackoverflow.com/questions/21582995/custom-login-lock-screen-in-os-x-mavericks/21618085#21618085 – Michał Siwek May 23 '14 at 20:18
  • I did it, and now I got the plugin working. However, it's only working when you log out from the Apple Menu/Log Out menu... Is there a way it can be set as the main login mechanism, so it is displayed when the computer turns on? – Oscar Swanros May 23 '14 at 20:36
  • 2
    @OscarSwanros it depends on whether you have FileVault enabled. If you do, then the boot-up login screen cannot be altered. You can however turn on fast user switching, and then just run `/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend` or pick "login screen" from the top bar menu labeled with your username. – Michał Siwek May 24 '14 at 10:20
  • Siwek, I do have FileVault enabled... Thanks for the heads up, man! :D – Oscar Swanros May 24 '14 at 14:18
  • Siwek, is there any way this would work with FileVault turned on? – Oscar Swanros May 26 '14 at 20:32
  • @OscarSwanros Not really - FileVault logon is running on EFI level, there's not much you can alter there, at least not that I know about. It's a common problem - products like Rohos also don't provide any way to bypass the FileVault EFI logon. – Michał Siwek May 26 '14 at 21:57
  • 1
    @OscarSwanros A few years late, but you can use your AuthPlugin if you disable Auto Login. It will show two screens on boot. One to unlock the disk, then another to log in as a user. `sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES` – MikeKusold Apr 14 '16 at 19:52
  • Hi, is there a possibility in an authorization plugin to differentiate whether a user is logging in with a password or a fingerprint (that's built into new versions of Mac)? @MichałSiwek – Mohit Jan 09 '20 at 07:21
  • No idea - haven't tried it recently; you're going to have to figure it out yourself. Good luck! – Michał Siwek Jan 09 '20 at 12:49
  • @MikeKusold, Hi.. another few years late... but perhaps you remember something from dealing with the authorizationPlugins.. I've successfully managed to launch the plugin from this question, but if I type a wrong password/username combination, I simply go back to the same screen. Do you know if there's any way to extract the exact error which cause this plugin? – Zohar81 Apr 28 '20 at 12:46
  • @Zohar81 sorry, too much time has passed since I last worked on this. Good luck though. – MikeKusold Apr 29 '20 at 13:12
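
The mechanism swap described in the answer above, as an added example that is not part of the original answer or of the NameAndPassword project. The sample plist is constructed and abbreviated, and the function names `swap_mechanism` and `foreign_mechanisms` and the set of known plugin names are assumptions made for illustration.

```python
import plistlib

# Constructed, abbreviated stand-in for the plist printed by
#   security authorizationdb read system.login.console
SAMPLE_RIGHT = plistlib.dumps({
    "class": "evaluate-mechanisms",
    "mechanisms": [
        "builtin:policy-banner",
        "loginwindow:login",
        "builtin:authenticate,privileged",
        "loginwindow:done",
    ],
})


def swap_mechanism(right_plist: bytes, old: str, new: str) -> bytes:
    """Return the right with mechanism `old` replaced in place by `new`."""
    right = plistlib.loads(right_plist)
    mechs = right.get("mechanisms")
    if right.get("class") != "evaluate-mechanisms" or not isinstance(mechs, list):
        raise ValueError("right is not an evaluate-mechanisms rule")
    if new in mechs and old not in mechs:
        return right_plist  # already swapped: return the input untouched
    if mechs.count(old) != 1 or new in mechs:
        raise ValueError(f"expected exactly one {old!r} and no {new!r}")
    # Mechanisms run in list order, so the replacement keeps the same slot.
    mechs[mechs.index(old)] = new
    return plistlib.dumps(right)


def foreign_mechanisms(right_plist: bytes, known_plugins: set) -> list:
    """List mechanisms whose plugin name (text before ':') is not in known_plugins."""
    mechs = plistlib.loads(right_plist).get("mechanisms", [])
    return [m for m in mechs if m.split(":", 1)[0] not in known_plugins]


if __name__ == "__main__":
    patched = swap_mechanism(SAMPLE_RIGHT, "loginwindow:login",
                             "NameAndPassword:invoke")
    print(plistlib.loads(patched)["mechanisms"])
    # Audit view: which entries are served by a plugin outside the known set.
    print(foreign_mechanisms(patched, {"builtin", "loginwindow"}))
```

On a Mac the input would come from `security authorizationdb read system.login.console` and the patched plist would go back through `security authorizationdb write system.login.console`. Keep the unmodified plist as a backup, since a mechanism list that fails can leave the machine unable to log in locally.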
0

I am working on the same problem, and I'm also an Obj-C beginner. I've done some analysis of the Knock to unlock app and it doesn't authorize the system.login.console right; it defines its own rule AND on locking the computer it calls the Screen Saver with the locking right to itself. It is not an authorization plugin like the NameAndPassword sample. It is not installed to the SecurityAuthorizationPlugins system folder; it is registered as a loginAgent to the user.

And I am also stuck on the problem with the NameAndPassword plugin. Did you succeed in logging in using (even with keyboard) the NameAndPassword plugin?

  • I didn't manage to fix the NameAndPassword **yet**, but I'm planning to use another Mac and [debug it remotely with Xcode](https://developer.apple.com/library/mac/technotes/tn2108/_index.html) somewhere this week. – Michał Siwek Feb 17 '14 at 17:50
  • Well, after some effort I put into debugging the NameAndPassword plugin I have to admit it didn't work out so far - it requires Xcode < 4 to debug remotely, and when I managed to install Xcode 3.2.6 on a VM with 10.9 I'm unable to build the plugin there. You can see some more discussion about it going on [here](http://stackoverflow.com/questions/21056322/customize-login-screen-mac-osx-sfauthorizationpluginview#comment33224960_21056322). Do you know anything more about this loginAgent? I can't google it. Looks like it would be a better approach - the auth plugins seem deprecated. – Michał Siwek Feb 23 '14 at 00:43
  • I fixed the problems. Take a look at the answer http://stackoverflow.com/a/22050896/2113110 – Michał Siwek Feb 26 '14 at 19:10
  • Great! For the remote debugging - the only solution that I found till now is to modify the logger to throw logs in /var/log/somelog.log and, using another machine, tail that log file. – Jugoslav M. Nov 28 '14 at 12:28