Question

I'm trying to extend the login screen in Mac OS X 10.9.1 (Mavericks). As I found out, this is possible by implementing a new authentication plugin and installing it into the authorization database.

I've downloaded the NameAndPassword example which shows how to implement the interface and overwrite / extend the SFAuthorizationPluginView. But the problem is that I can't build it under Mavericks. So I decided to download the second example which is called NullAuthPlugin. This one compiles but I didn't find out how to install it.

So my first question is whether there is a good and updated tutorial for this (the TechNotes are from 2008-09-16).

And question number two is whether this could be developed with C# (Xamarin.Mac / MonoMac), because I'm not very good at developing in Objective-C / C / C++.

Thank you!

Solution

Well, the bugs have been reported to Apple multiple times but they didn't do anything about it so far. The simplest answer is: you need a patched version of the NameAndPassword plugin - the official one is broken. I put my fixed plugin on GitHub: https://github.com/skycocker/NameAndPassword

It is important that you replace the

<string>loginwindow:login</string>

line in the authorization policy database with

<string>NameAndPassword:invoke</string>

Otherwise it won't log you in. I wouldn't have figured this out without Merlin69's help.

OTHER TIPS

First of all: Never, EVER, EVER begin debugging a login plugin by placing it within the console login right. You need to create a special test "dummy" right in the auth db, completely independent of any other right that the OS might need to invoke during its operation. Call it anything like "MyTestRight-RemoveMeAfterTest".

Create a plist file that looks something like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Used to validate a terminal user.</string>
    <key>mechanisms</key>
    <array>
        <string>NameAndPassword:invoke</string>
    </array>
</dict>
</plist>

Install it with the "security" command from the terminal:

"security authorizationdb write MyTestRight-RemoveMeAfterTest < MyTestRight-RemoveMeAfterTest_plist_file"

DO NOT EVER edit the auth db by hand, even if you can still do it, which is the case on OS X prior to 10.9. If you make a mistake, and the OS can't parse the file, you will be in a world of hurt. I have been there. I've been doing these plugins for years. If the OS can't read the file, you will be in the same situation as if your plugin hangs on login - up the creek without a paddle. If you have not had the foresight to enable SSH, you'll have to boot into another partition or boot up from a Time Machine backup. In the latter case, you had better have saved your very recent edits on some external drive.

After you have installed the right in the db, you should test it from an external program.

You need to call into the security infrastructure, as is demonstrated in the readme file included with the NameAndPassword example, and request your right, just like the OS would do.

Be cautious when using any of Apple's samples. Use them only as a guide. NameAndPassword has errors and never could have run. It was last updated in 2006 and uses many features that are now obsolete. It actually does not do anything, but is just a shell.
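A minimal external test program of the kind the answer above describes, added here as an example (it is not code from the answer, from Apple's sample, or from the linked repository). It requests the dummy right through the Authorization Services API so the mechanisms listed in the plist get evaluated outside the login path; the file name `testright.m` and the refusal to touch `system.*` rights are assumptions of this example.

```objective-c
// testright.m - request the dummy right so its mechanisms are evaluated.
// Build: clang -fobjc-arc -framework Foundation -framework Security testright.m -o testright
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Right name taken from the answer above; pass another name as argv[1].
static NSString *const kDefaultRight = @"MyTestRight-RemoveMeAfterTest";

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSString *right = (argc > 1) ? @(argv[1]) : kDefaultRight;

        // Guard added by this example: never exercise an untested plugin
        // through a right the OS itself depends on (e.g. the console login right).
        if ([right hasPrefix:@"system."]) {
            NSLog(@"Refusing to test against OS right %@", right);
            return 2;
        }

        AuthorizationRef auth = NULL;
        OSStatus status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                              kAuthorizationFlagDefaults, &auth);
        if (status != errAuthorizationSuccess) {
            NSLog(@"AuthorizationCreate failed: %d", (int)status);
            return 1;
        }

        // One right, no value; interaction is allowed so the plugin UI can appear.
        AuthorizationItem item = { right.UTF8String, 0, NULL, 0 };
        AuthorizationRights rights = { 1, &item };
        AuthorizationFlags flags = kAuthorizationFlagDefaults
                                 | kAuthorizationFlagInteractionAllowed
                                 | kAuthorizationFlagExtendRights;

        status = AuthorizationCopyRights(auth, &rights, kAuthorizationEmptyEnvironment,
                                         flags, NULL);
        switch (status) {
            case errAuthorizationSuccess:  NSLog(@"%@ granted", right); break;
            case errAuthorizationDenied:   NSLog(@"%@ denied", right); break;
            case errAuthorizationCanceled: NSLog(@"%@ canceled by user", right); break;
            default: NSLog(@"%@ failed, OSStatus %d", right, (int)status); break;
        }

        // Destroy the acquired right so the next run evaluates the mechanisms again.
        AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
        return status == errAuthorizationSuccess ? 0 : 1;
    }
}
```

When testing is finished, the dummy right can be deleted with `security authorizationdb remove MyTestRight-RemoveMeAfterTest`.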

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow