Cannot turn on FileVault with a custom authorization plug-in

When an authorization plug-in (like NameAndPassword or so on) is enabled for the system authorization right "authenticate", FileVault cannot be enabled from UI.

Clicking on the button "Turn on FileVault..." has no effect.
In the system logs I see the error that SecureToken was not found. Without an authorization plug-in, the button "Turn on FileVault..." works as expected, and I see no complaints in the logs regarding the SecureToken.

If to do the following:

  1. Disable a custom authorization plug-in.

  2. Unlock the "FileVault" tab in "Security&Privacy", by clicking on the "lock" icon, using the native authenticaion UI.

  3. Enable a custom authorization plug-in again.

  4. Hit the button "Turn on FileVault..."

In this case the button works as expected. Thisobservation makes me think that the native UI client passes the SecureToken and maybe something else as a part of the authorization process, but a custom authorization plug-in does nothing like that.

The question is how to pass the SecureToken or maybe something else what's needed from a custom authorization plug-in? Maybe there is a special undocumented authorization hint for that? Or the observed behavior is a bug?

Up vote post of Lex_A Down vote post of Lex_A
1.3k views
Posted by
Lex_A
Reply
Add a Comment

Replies

Some update...
I was wrong about the bug reason. By clicking "Turn on FileVault..." with a custom authrorization plug-in, I see the following error:
Code Block 
default	01:05:58.196222+0300	opendirectoryd	While verifying password: user <private> (<private>) is a SecureToken user
default	01:05:58.196247+0300	opendirectoryd	While verifying password: user <private> (<private>) is a ShadowHash user
default	01:05:58.196268+0300	opendirectoryd	While verifying password: using both SecureToken and ShadowHash
error	01:05:58.272387+0300	opendirectoryd	Failed SecureToken authentication for AC6D2888-891E-4720-82F0-503A5D598030 other domain: invalid credentials

What is interesting, by unlocking the Preferences I see the the command above successful 

Code Block 
default	01:13:13.362741+0300	opendirectoryd	While verifying password: user <private> (<private>) is a SecureToken user
default	01:13:13.362768+0300	opendirectoryd	While verifying password: user <private> (<private>) is a ShadowHash user
default	01:13:13.362792+0300	opendirectoryd	While verifying password: using both SecureToken and ShadowHash
default	01:13:13.439127+0300	opendirectoryd	Successful SecureToken authentication for AC6D2888-891E-4720-82F0-503A5D598030 other domain
default	01:13:13.545419+0300	opendirectoryd	Verified password for <private> (AC6D2888-891E-4720-82F0-503A5D598030): SecureToken (ODNoError), Shadowhash (ODNoError)
default	01:13:13.545470+0300	opendirectoryd	Verified password for <private> (AC6D2888-891E-4720-82F0-503A5D598030): SecureToken and Shadowhash results match
default	01:13:13.546567+0300	opendirectoryd	AuthenticationAllowed: Evaluation result for record "<private>", record type "<private>": Success
default	01:13:13.546711+0300	opendirectoryd	Authentication succeeded for <private>: ODNoError
default	01:13:13.546777+0300	opendirectoryd	<private> (815A3688-FFFF-1D01-8C07-000001000000) is eligible for login hashes: SecureTokenOnly feature flag is not enabled
default	01:13:13.624443+0300	opendirectoryd	Successful SecureToken authentication for AC6D2888-891E-4720-82F0-503A5D598030 other domain
default	01:13:13.624550+0300	opendirectoryd	While setting credential for <private>: SecureToken is also set on the credential





Posted by
Lex_A
Up vote reply of Lex_A Down vote reply of Lex_A
Add a Comment
I dug into the problem a bit deeper.
I created a custom authorization plug-in with an empty mechanism that does absolutely nothing.
and inject the mechanism directly after "builtin:authenticate" for the right "authenticate".
In the case after locking the tab FileVault, buttons "Turn off FileVault..." and "Enable Users" work normally.

But if to SetContextValue for the key kAuthorizationEnvironmentUsername, buttons "Turn off FileVault..." and "Enable Users" stop reacting at all. The buttons don't react even if to get the value of the key kAuthorizationEnvironmentUsername from context and put it again with no changes. In the system logs, I see the following:
Code Block 
 com.apple.preference.security.remoteservice  Unlock user (<admin user>) is not found.


What is interesting ... changing kAuthorizationEnvironmentPassword only doesn't break the FileVault buttons.

Is that a known bug? Any workarounds?


Posted by
Lex_A
Up vote reply of Lex_A Down vote reply of Lex_A
Add a Comment