Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A script for secure login with thumbwheel drive System
So I've been trying to come up with a way to use my USB thumbdrive to secure my login to OS X. Basically, I want to make sure I can't login unless the drive is in the machine (as a security precaution).

Here's what I've managed to do. I wrote a script that detects the presence/absence of a specified volume, then kills everything back to login if that volume isn't present. I'm sure it could be modified to look for a file on the drive, or the contents of a file on the drive, as well.

Also the script needs to be set as a loginhook to make it execute on startup. I haven't actually done this yet, because what I really want is to prevent login of a specific user, not anyone -- this will let me login as root if something goes wrong. Anyway, here's the script (thanks to Will Ray for the advice on writing the kill command):
#!/bin/sh

mounted=$(df | grep "/Volumes/insertvolumenamehere");
if [ ! "$mounted" ];
then
kill -9 -1
echo KILLING
else
echo NOT KILLING
exit
fi
To get the above to run as loginhook (root), in Terminal do:
sudo defaults write com.apple.loginwindow LoginHook /path/to/script
[robg adds: I have not tested this script! If you do so, exercise caution as it will more than likely work and boot you back to the login screen.]
    •    
  • Currently 1.00 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (1 vote cast)
 
[7,444 views]  

A script for secure login with thumbwheel drive | 19 comments | Create New Account
Click here to return to the 'A script for secure login with thumbwheel drive' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Why would you ever want this?
Authored by: trentdavies on Sep 28, '04 01:50:07PM

I've also developed a method to secure my login to OS X. What I do is configure my computer to bring up the login screen at startup. I pick an obscure and randomized password. I then enter said username and password while no one is looking. And voila! Secure access to my user account.



[ Reply to This | # ]
Why would you ever want this?
Authored by: evildrbob on Sep 28, '04 02:39:01PM

I use it because I'm paranoid. :)

Truly, a good password is usually all you need. But if you don't change passwords often, or if you "recycle" passwords (e.g. use the same password in many different places), the probability of your password getting compromised increases. Also, if for some reason someone installs a keycapture utility on your machine when you aren't looking (you *do* leave your desk once in a while, don't you?), they might get the password, but unless they're really OS X saavy it'll take them just that much longer to get around the script.

I use this script for my personal machine which I leave at work - just as a redundant means of securing down my personal account.


---
It is by Caffeine alone that I set my mind in motion,
By the Beans of java, my thoughts aquire speed,
My hands acquire the shakes, the shakes are a warning,



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: webbix on Sep 28, '04 03:37:53PM

That was reply was a little harsh but also simplistic.

While only blocking a user from logging in without the USB storage device would provide marginal additional security to the unit configuring the unit to prevent booting without the USB drive inserted is something that would provide stronger security. There are portables (only aware of windows units) that encrypt the entire drive and will not boot without a dongle or USB device inserted. This provides ultimate security even in the event of theft or drive removal. I have no idea what it would take to emulate that but would have no interest personally in using it. Too much that could happen with all data encrypted.



[ Reply to This | # ]
Cool... and another idea
Authored by: azraq27 on Sep 29, '04 12:45:28AM
I'm totally with you on the paranoia thing. As much as I keep my passwords secure and try to use good passwords, holes always seems to happen eventually.

So, I like the idea, but personally I'd expand the verification beyond just a volume name. It would be cool to do a quick public key verification using a keychain on the USB drive.

Furthermore, beyond what I think we can throw together with scripts... I think it would be awesome to add the same verification as an optional add-on to any password prompt in OSX. I'm thinking of being able to set my system password, and then check an option that links my private key to it (on my USB drive). Then every time I need to enter my password, I would need to also plug in my USB drive. I have no idea how to implement that or how to keep it compatible with Unix... but just a thought

[ Reply to This | # ]

Cool... and another idea
Authored by: FACEMILK on Sep 29, '04 03:53:34AM

Maybe put your keychain file on the thumbdrive create a link at the expected location (~/Library/Keychains). Then if the drive isn't mounted the keychain isn't accessible so no passwords are available.

re one of the following posts... this might also work with the ssh keys files. I never got that whole ssh mechanism in my head so I'm not sure how it would work.



[ Reply to This | # ]
Cool... and another idea
Authored by: ibroughton on Sep 29, '04 04:31:49AM

I cant get this script to work, am I doing something wrong somewhere along the line?

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
Cool... and another idea
Authored by: ibroughton on Sep 29, '04 05:42:01AM

Well the script works fine, but I've added it to my start-up items as I can't get it to be recognsed as a loginhook

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: pecosbill on Sep 29, '04 01:18:17AM

Although this will protect you from a GUI login, would it also do so from SSH (if it's on)? I would think not.

---
Pecos Bill



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: tomcool420 on Sep 29, '04 07:41:11AM

would it be possible to have the login dialogue disappear when you insert your usb flashdrive?



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: Deeeep on Sep 29, '04 08:19:58AM

Cool thing would be if you could do this limitation only for say the admin/root account... Add another criteria to the if then, if uid=501....



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: ibroughton on Sep 29, '04 10:30:14AM

Wow if either of these above two things were possible I would be so amazed, even better if it could be setup to ony allow login via that manner, almost like the CAC module discussed elsewhere on this site, but that never really took off for USB authentication

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
Flaws
Authored by: VRic on Sep 29, '04 01:21:48PM

A physical key protects against someone with physical access to the machine, which is almost pointless. Only encryption does that. There are Firewire disks with on-the-fly hardware encryption for real paranoids.

I suppose there's a deterring effect on bozo spys, but who cares about bozo intelligence ? It's not like anyone relies on them for matters of war or something. Oh, wait.

With access to the mac I wouldn't try to get your login/pass: unless it has a firmware password I could boot it in firewire target disk mode and hook it to mine in less time than a login, browse its disk as root, then restart and leave it waiting for login, which if your script killed everything would be indistinguishable from the state you left it in.

So this is worse than nothing if you don't advise the use of a firmware password first: not only would a low-tech spying have occured in no time, but the owner couldn't even tell (unlike current sessions turning out to be changed or closed).

Of course a firmware pass only works if the bad guy doesn't have 5 min to remove the disk from the mac, hook it to his via a Wiebetech Super DriveDock (bare bus-powered hot-pluggable ATA-FireWire bridge), then put it back. Which is also essentially low-tech and requires no OS X knowledge at all.

Against that there's only (a) encryption or (b) using a clamshell iBook, which takes half a day, a coffe machine and 5 sq meters of desk space to get to the hard drive, at what point he will probably yell with joy and relief, which will get him noticed.



[ Reply to This | # ]
Flaws
Authored by: Gabs on Sep 29, '04 03:29:33PM

Changing the amount of installed RAM will reset a firmware pass - so not even the old Clamshell is safe... Back to encryption then. Ain't that a beach.



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: Landru on Sep 29, '04 07:58:23PM

There is also a commercial product for Mac OS X available here:

http://www.securikey.com

It also uses a USB token approach.

---
"You will all be of the body soon."



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: mproud on Sep 29, '04 09:49:20PM

I'm assuming one would want to expand on this and analyze contents... maybe even encrypted files as people have suggested. Otherwise, I could just be able to name my drive whateverthehell the script is looking for, and WOW! Instant access!

But a novel idea, nonetheless.



[ Reply to This | # ]
You know what else would suck?
Authored by: mproud on Sep 29, '04 09:50:44PM

But you know what else would suck? Losing the drive. OUCH.



[ Reply to This | # ]
You know what else would suck?
Authored by: strike3 on Sep 30, '04 01:48:14AM

Or accidentally changing its name!

(unless you have a 2nd computer nearby to change it back)



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: ibroughton on Sep 30, '04 03:00:02AM

Y'know, some people take security seriously, others would see this idea as a toy to play with.

The original script is merely a toy to play with as any system with a removable drive called 'X' will allow it to log in. Nice, and fun to have but it doesn't offer any real security.

I have 3 USB Key drives, what I would like to see is something that allows me to secure my system without having to buy another drive!

---
The server is up but the site is down and I don't know which direction you are trying to go



[ Reply to This | # ]
A script for secure login with thumbwheel drive
Authored by: GlowingApple on Oct 11, '04 02:41:40AM

Would just setting this script as a login item work for individual user names? Is there some way to skip loading those items on login that would be a work-around? My thought is to put this script on the profile for my root user so that I can still log in as myself without the jump drive, but to do real dammage to my system but logging in as root would require the drive. Does anyone see any failings of this?

---
Jayson

When Microsoft asks you, "Where do you want to go today?" tell them "Apple."



[ Reply to This | # ]