Custom login/lock screen in OS X Mavericks

Michał Siwek · Feb 5, 2014 · Viewed 6.9k times

I'm trying to override the default login/lock screen in OS X to allow the user to log in in some way other than providing a password (think fingerprint scanner or how "Knock to unlock" works), and I've been looking for a way to do it for hours now. All I found that looks useful is the Authorization Plugin ADC reference and this example: https://developer.apple.com/library/mac/samplecode/NameAndPassword/Introduction/Intro.html#//apple_ref/doc/uid/DTS10004022

This NameAndPassword Xcode project is a little outdated, but I managed to build it simply by specifying the Base SDK (there was a hardcoded wrong path), then I put the resulting .bundle file into the /Library/Security/SecurityAgentPlugins directory. Nothing changed after I locked my screen, but I know I need to add the authorization role to the /etc/authorization file, which I know no longer exists in Mavericks (there is this auth.db file and the whole auth API), so I'm stuck here: I don't know how to put NameAndPassword inside this database.

Please let me know how to do it right, or if you know some other way to achieve my goal.

Answer

Michał Siwek · Feb 7, 2014

I found a way to edit the database. At first I tried direct /var/private/db/auth.db sqlite modifications, but it didn't work, so after some time I managed to do this more easily than I thought I would:

  1. security authorizationdb read system.login.console > outfile.plist

  2. After this, you need to modify the resulting outfile.plist as described in the NullAuthPlugin readme:

    <key>mechanisms</key>
    <array>
        <string>NameAndPassword:invoke</string>

    (the last line is the one you need to add to the file).

  3. Then, to save it to the database:

    security authorizationdb write system.login.console < outfile.plist

Then the changes should be visible on any login/lock screen of your system, but be careful!

You will not be able to authenticate with the current version of the NameAndPassword example!

Be sure to establish a working SSH connection to your Mac before you modify the database, so you will be able to revert the changes using another device (just repeat the db modification process, but this time remove the line you added before).
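Step 2 of the answer and its revert, as an added example that is not part of the original answer or of Apple's sample code: it edits the exported rule with Python's `plistlib` instead of by hand, refuses input that is not a mechanism list, and can undo the change. The function names and the shortened sample rule are constructed for illustration, and placing the mechanism first in the array is an assumption taken from the answer's snippet.

```python
import plistlib

MECH = "NameAndPassword:invoke"  # mechanism string from the answer

# Constructed sample in the shape of `security authorizationdb read` output;
# the real system.login.console rule lists more mechanisms than this.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
</plist>
"""

def _load(plist_bytes):
    """Parse the rule and refuse anything that is not a mechanism list."""
    rule = plistlib.loads(plist_bytes)
    if (not isinstance(rule, dict) or rule.get("class") != "evaluate-mechanisms"
            or not isinstance(rule.get("mechanisms"), list)):
        raise ValueError("not an evaluate-mechanisms rule; refusing to edit")
    return rule

def mechanisms(plist_bytes):
    """List the rule's mechanisms in evaluation order."""
    return list(_load(plist_bytes)["mechanisms"])

def add_mechanism(plist_bytes, mech=MECH):
    """Return the rule with `mech` first in the array (idempotent)."""
    rule = _load(plist_bytes)
    if mech not in rule["mechanisms"]:
        rule["mechanisms"].insert(0, mech)
    return plistlib.dumps(rule)

def remove_mechanism(plist_bytes, mech=MECH):
    """Return the rule without `mech`: the revert step from the answer."""
    rule = _load(plist_bytes)
    rule["mechanisms"] = [m for m in rule["mechanisms"] if m != mech]
    return plistlib.dumps(rule)

if __name__ == "__main__":
    edited = add_mechanism(SAMPLE)
    print("edited:  ", mechanisms(edited))
    print("reverted:", mechanisms(remove_mechanism(edited)))
```

On the Mac, pass the bytes of the outfile.plist from step 1 through `add_mechanism`, keep the untouched export as a backup, and write the result back with the command in step 3.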