CTK/SmartAuth Question
Summary
I have only tested on a few machines in our fleet, but it does not seem to work if the account that logs in is using enforced SmartAuth login with CTK. The local admin account logs in and it works, but my account with CTK enforcement gives these errors:
"ERROR: fdesetup terminated with a non-zero exit status: 11"
"fdesetup Standard Error: Optional("Error: User could not be authenticated.\nError: Unable to unlock or authenticate to FileVault.\n"
"Caught error trying to generate a new key: The operation couldn't be completed. (Escrow.Buddy.Invoke.FileVaultError error 0.)"
Steps to Reproduce
Log out and log back in with a two-factor enabled account (so username/PIN instead of username/password) and it won't work. Log out and log back in with a local account that does not have two-factor enforced (can log in with username/password) and it works. Additionally, if I disable the enforcement of CTK and log in with the username/password on my personal account, it works, as well. I have attached the output from that machine (ran log show --predicate 'subsystem == "com.netflix.Escrow-Buddy"' --style syslog --debug --info --last 24h and ported to a ".log" file)
logCapture.log
Expected Behavior
I would expect that it would work, but it does not.
Environment
- Escrow Buddy version: 1.0.0
- macOS version: macOS 14.0 Sonoma
- MDM version: Jamf Pro 10.50.0
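The report above collects Escrow Buddy's unified-log output with `log show` and then reads the fdesetup lines by eye. The helper below is an added example, not code from Escrow Buddy or from anyone in this thread: it takes a saved `.log` file like the one attached and classifies the failure as the "User could not be authenticated" pattern quoted in the report, some other fdesetup failure, or no failure at all. The sample log lines embedded in the script are constructed to mirror the three messages quoted in the report; the timestamps, host name and process name in them are made up, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added triage helper (not part of Escrow Buddy). Classifies fdesetup failures
# found in Escrow Buddy's unified-log output saved to a file.
#
# The capture command from the report, for reference (not run by this script):
#   log show --predicate 'subsystem == "com.netflix.Escrow-Buddy"' \
#       --style syslog --debug --info --last 24h > logCapture.log

# Print the first non-zero fdesetup exit status recorded in the log, or nothing.
fdesetup_exit_status() {
  sed -n 's/.*fdesetup terminated with a non-zero exit status: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print one of:
#   none  - no fdesetup failure logged
#   auth  - fdesetup failed because the user could not be authenticated
#           (the smart-card / CTK symptom described in this issue)
#   other - fdesetup failed for some other reason
classify_failure() {
  status=$(fdesetup_exit_status "$1")
  if [ -z "$status" ]; then
    echo none
  elif grep -q 'User could not be authenticated' "$1"; then
    echo auth
  else
    echo other
  fi
}

# Write a constructed sample log to the given path. The timestamps, host and
# process fields are invented; the message text matches what the report quotes.
write_sample_log() {
  cat > "$1" <<'EOF'
2023-10-02 09:12:01.120 mac Escrow Buddy[4321]: ERROR: fdesetup terminated with a non-zero exit status: 11
2023-10-02 09:12:01.121 mac Escrow Buddy[4321]: fdesetup Standard Error: Optional("Error: User could not be authenticated.\nError: Unable to unlock or authenticate to FileVault.\n")
2023-10-02 09:12:01.123 mac Escrow Buddy[4321]: Caught error trying to generate a new key: The operation couldn't be completed. (Escrow.Buddy.Invoke.FileVaultError error 0.)
EOF
}

# Write a constructed sample with no fdesetup failure (a successful rotation).
write_clean_log() {
  cat > "$1" <<'EOF'
2023-10-02 09:15:44.001 mac Escrow Buddy[4322]: Generating a new FileVault recovery key
EOF
}

# Usage: sh triage.sh logCapture.log   (or with no argument to run the demo)
if [ -n "${1:-}" ]; then
  echo "fdesetup exit status: $(fdesetup_exit_status "$1")"
  echo "classification: $(classify_failure "$1")"
elif [ "${TRIAGE_DEMO:-1}" = 1 ] && [ -z "${TRIAGE_NO_MAIN:-}" ]; then
  tmp=$(mktemp)
  write_sample_log "$tmp"
  echo "sample classification: $(classify_failure "$tmp")"
  rm -f "$tmp"
fi
```

Run it against the attached capture with `sh triage.sh logCapture.log`; a result of `auth` alongside exit status 11 matches the smart-card symptom in this thread, while `other` means the fdesetup failure deserves its own look at the standard-error line.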
Thanks for reporting this. We don't use SmartAuth / CryptoTokenKit, so our ability to build support for this may be limited.
Two questions:
- If I understand correctly, the fdesetup error does not prevent a successful login from occurring. Is that right?
- After logging in with a SmartAuth user, what output does
sudo fdesetup changerecovery -personal -verbose
produce in the Terminal?
Understood, thank you. I'm happy to hear that you're not prevented from logging in — Escrow Buddy is designed to "fail open" for these types of situations.
I'll seek some advice from peers who use SmartAuth and see if there's a way to solve this.
Hi @elstalk - Unfortunately, we're not able to commit the development resources needed to support smart cards at this time. This could be one situation in which a user-facing password prompt might still be appropriate, for now.
Pull requests are welcome if anybody wants to add this feature, but doing so would also require ongoing testing commitment that we're not able to provide as we don't use smart cards for Mac authentication.