
10.7: Unlock screens using any admin password
Under Lion, the screen saver authentication dialog box does not allow you to enter a username. So even if you've made the changes detailed in this Snow Leopard hint there is no way to put in alternate credentials to unlock a user's screen.

First, edit /etc/pam.d/screensaver as per the original Snow Leopard hint:
  • Open /Applications/Utilities/Terminal.app
  • Type cd /etc/pam.d
  • sudo cp screensaver screensaver.bak
  • sudo nano screensaver
  • Find the line:
    account required pam_group.so no_warn group=admin,wheel fail_safe
    and change it to:
    account sufficient pam_group.so no_warn group=admin,wheel fail_safe
  • Press Control+X to save /etc/pam.d/screensaver and exit nano.
Then, still in Terminal, we make a wholly unintuitive change to /etc/authorization:
  • cd /etc
  • sudo cp authorization authorization.bak
  • sudo nano authorization
  • Press Control+W and search for unlock the screensaver
  • Change the line:
    <string>The owner or any administrator can unlock the screensaver.</string>
    to:
    <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
  • Press Control+X to save /etc/authorization and exit nano.
  • Reboot the Mac

[crarko adds: I haven't tested this one, but the original Snow Leopard hint was good. Be sure to make the file backups before doing any editing, and if it were me, I'd want to do this on a test machine (with a full system backup) before deploying it. If you try this and find any errors/omissions please post them in the comments, and I'll correct the hint.

Note: Changed references to /etc/authentication to the correct file /etc/authorization and other cleanup.]
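
A way to check whether a machine carries the PAM change from this hint (added example, not part of the original hint or its comments). In PAM, a "sufficient" module that succeeds ends the checks for that facility, so the script reports the control flag on each pam_group.so account rule and exits 1 when one is "sufficient". The two sample files are constructed and hold only the lines quoted in the hint.

```shell
#!/bin/sh
# Added example (not from the original hint): report the control flag on
# pam_group.so account rules in a PAM service file.
# Exit status: 0 = no "sufficient" rule, 1 = at least one, 2 = unreadable file.
audit_pam_group() (
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
    awk '
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and short lines
        $1 == "account" && $3 ~ /pam_group\.so$/ {
            groups = "-"
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) groups = substr($i, 7)
            printf "line %d: control=%s groups=%s\n", NR, $2, groups
            if ($2 == "sufficient") weak = 1
        }
        END { exit weak + 0 }
    ' "$file"
)

# Constructed sample files: the unmodified line and the line as changed by the hint.
make_samples() {
    dir=$(mktemp -d)
    echo 'account required pam_group.so no_warn group=admin,wheel fail_safe' > "$dir/screensaver.bak"
    echo 'account sufficient pam_group.so no_warn group=admin,wheel fail_safe' > "$dir/screensaver"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples/screensaver.bak" "$samples/screensaver"; do
    if audit_pam_group "$f"; then
        echo "$f: pam_group.so does not end the account checks early"
    else
        echo "$f: REVIEW, a sufficient pam_group.so rule ends the account checks early"
    fi
done
```

On a real system, point audit_pam_group at /etc/pam.d/screensaver and compare the result with the screensaver.bak copy made in the steps above.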
10.7: Unlock screens using any admin password
Authored by: sigmaris on Jan 24, '12 08:06:19AM
Having tried this, I'm pretty sure /etc/authentication is meant to be /etc/authorization - the file /etc/authentication doesn't exist while /etc/authorization contains the strings mentioned.

[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: Seemone on Jan 24, '12 08:51:28AM

I have no /etc/authentication, but I have /etc/authorization.
As I don't have a 10.7 to fiddle with, I'd appreciate some testing on this :)



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: dhoit on Jan 24, '12 10:56:15AM
Be careful modifying the pam.d screensaver module. Apple fixed the issue with admins not being able to unlock the screen around 10.6.6 or so, and changing the pam module can result in /anyone/ being able to unlock your screen saver. Also, when modifying /etc/authorization, you should use the security tool. The man page is long, but has pretty good documentation of how to use it. In this case, you would do something like this:
security authorizationdb read system.login.screensaver > /path/to/temp.plist 
Edit the temp.plist with whatever tool you like, but ensure the plist is still valid using plutil afterwards. Use the security tool again to write the changes back to authorization. You will need to use sudo to edit the file.
sudo security authorizationdb write system.login.screensaver < /path/to/temp.plist 
---
--DH


[ Reply to This | # ]
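
The read, validate, write sequence described in the comment above, as an added example that is not part of the original comment. It keeps a snapshot of the right before writing and refuses to write a plist that plutil rejects; the function names, exit codes and backup file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the commenter's code): gate an authorizationdb write on
# plutil validation and keep a snapshot of the old definition.
# Requires macOS; the write step uses sudo. Names and exit codes are illustrative.
write_right() (
    right=$1 edited=$2 backup_dir=${3:-.}
    backup="$backup_dir/$right.before.plist"

    # 1. Snapshot the current definition so it can be restored later.
    #    (security prints its status line on stderr, the plist on stdout.)
    security authorizationdb read "$right" > "$backup" 2>/dev/null ||
        { echo "cannot read right $right" >&2; exit 2; }

    # 2. Refuse to write a plist that plutil rejects.
    plutil -lint "$edited" >/dev/null ||
        { echo "$edited is not a valid plist, nothing written" >&2; exit 3; }

    # 3. Write the edited definition back.
    sudo security authorizationdb write "$right" < "$edited" 2>/dev/null ||
        { echo "write failed, old definition kept in $backup" >&2; exit 4; }

    # Print where the snapshot lives so the caller can record it.
    echo "$backup"
)

# Put a snapshot taken by write_right back in place.
restore_right() (
    sudo security authorizationdb write "$1" < "$2"
)

# Usage (after editing a copy of the right in /path/to/temp.plist):
#   write_right system.login.screensaver /path/to/temp.plist /path/to/backups
#   restore_right system.login.screensaver /path/to/backups/system.login.screensaver.before.plist
```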
10.7: Unlock screens using any admin password
Authored by: stevenzanko on Oct 31, '13 04:15:43PM
Has anyone gotten
security authorizationdb read system.login.screensaver
working with Mavericks? It seems to read the database and then write the modification back, but doesn't use the SecurityAgent even after reboot.

[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: mooreluc on Jan 24, '12 12:27:21PM

Worked fine for me. Only exception was that the file wasn't /etc/authentication it was /etc/authorization.



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: jcurrin on Jan 24, '12 12:59:03PM

I got the first stage. But there is no authentication folder or authentication.bak file. Is there something I am missing?



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: jcurrin on Jan 24, '12 01:03:19PM

authentication.bak doesn't exist. Is there something I am missing?



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: hellomrzebra415 on Jan 24, '12 01:32:30PM

I think sudo cp authentication authentication.bak should be authorization not authentication!



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: flognoth on Jan 24, '12 01:36:48PM

This should be /etc/authorization

Also the syntax for what needs to be changed in /etc/authorization is also unclear.



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: cashxx on Jan 24, '12 04:58:06PM

Yea it should be authorization.

And what is up with the [raw] and [/raw2] stuff too. That doesn't belong there.

Confusing to me with that stuff in there.



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: skinlayers on Jan 25, '12 01:08:42PM
I apologize. I should have double checked a few things before submitting this.
1) all references to "/etc/authentication" should be changed to "/etc/authorization".
2) The instructions for sending in a hint recommend using both the webform as well as emailing the hint. The "raw" tags were the only way I could find to keep the "string" tag in the XML from being omitted when I submitted the hint via the webform.

Here's a fixed version of the instructions:

First, edit /etc/pam.d/screensaver as per the original Snow Leopard hint:

Open /Applications/Utilities/Terminal.app
Type cd /etc/pam.d
sudo cp screensaver screensaver.bak
sudo nano screensaver
Find the line:
account required pam_group.so no_warn group=admin,wheel fail_safe
and change it to:
account sufficient pam_group.so no_warn group=admin,wheel fail_safe
Press Control+X to save /etc/pam.d/screensaver and exit nano.

Then, still in Terminal, we make a wholly unintuitive change to /etc/authorization:

cd /etc
sudo cp authorization authorization.bak
sudo nano authorization
Press Control+W and search for "unlock the screensaver"
Change the line:
<string>The owner or any administrator can unlock the screensaver.</string>
to:
<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
Press Control+X to save /etc/authorization and exit nano.
Reboot the Mac


Sorry for the confusion!!!

[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: crarko on Jan 26, '12 05:40:47AM

OK, I've corrected the hint to match this. Thanks very much.

Craig A.



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: joelbruner on Feb 13, '12 04:10:39PM
Thanks, awesome hint and totally bizarre that a comment string affects behavior?!
Also when I was testing this one liner version of your hint, I found I didn't need to apply the first modification from the previous hint?

/usr/libexec/PlistBuddy -c "Set :rights:system.login.screensaver:comment \"(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.\"" /etc/authorization

Cheers!

[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: kaltekar on Sep 06, '12 06:48:34AM

Just tested this hint on Mountain Lion (10.8.1) and it still works.



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: ghoward on Oct 31, '13 10:42:34AM

Recently attempted this hint under Mac OS X 10.9 (aka Mavericks) and it no longer seems to be valid. It actually made logging in more difficult as not even the account's password would unlock the screen saver. Fortunately I was able to restore the previous unmodified file. Anyone have any success with this?



[ Reply to This | # ]
10.7: Unlock screens using any admin password
Authored by: Chanfan on Nov 13, '13 04:33:58PM
I have yet to test, but I'm thinking that the following has the info for what changed in 10.9 (as I noted my script to set this fails on 10.9 systems as well).

http://www.dssw.co.uk/blog/2013/10/26/authorization-rights-and-mavericks/

In it, they note that the /etc/authorization file is deprecated, and that the settings now appear to reside in /var/db/auth.db.

I tried out the authbuddy util (on my 10.8.5 system, which has been modified), and it does report, if you do a "get 'system.login.screensaver'", that it's set to

{ class = rule;
comment = "(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.";
rule = "authenticate-session-owner-or-admin";
}

Hopefully, I'll get to test this out on new 10.9 system in short order.

[ Reply to This | # ]

10.7: Unlock screens using any admin password
Authored by: Chanfan on Dec 18, '13 05:25:55PM
OK, a bit of info.

Authbuddy is not needed; in fact, the authorizationdb should be modified with the security authorizationdb command. One can use "read" on system.login.screensaver to get the plist, and redirect it to a file for editing. Then redirect back using "write" to modify the plist. While I was able to edit the plist - requires both the listed "(Use SecurityAgent.) " change, and modifying another line - and it works as per the hint, this is apparently not the recommended way to allow admins to unlock the screensaver since 10.7.

The recommended way is detailed here:

http://support.apple.com/kb/HT5145t

I can confirm that just commenting out the recommended line (by adding a # at the beginning) works for me in 10.9. It enables the Option+Return to bring up the user/pass screen, and an admin user/pass combo will unlock another admin's screen.

Edited on Dec 18, '13 05:26:40PM by Chanfan


[ Reply to This | # ]