When Apple updated to Mac OS X 10.7.x, they changed the way the authentication dialog box works when the console is locked by a user.
In the past, in OS versions 10.6 and older, if the screensaver was set to Ask For Password, when a user wanted to get back to the desktop, they would get a Name and Password field, usually with their name pre-filled in. In many cases, if an administrator had to get into the user’s session, the credentials of a local administrator (I have never tried it with a domain administrator with administration rights on the computer) could be entered instead, thus gaining access to the desktop.
Uses vary: needing to fix something, logging the user off so others can use the computer, and so on. This was also useful if the user forgot their password or was for some reason locked out of the domain services and needed to gain access to save their work.
Enter Mac OS 10.7+ (Lion). Since then, the authentication dialog box shows the user’s name in a non-editable field, with only the password field allowing entry. Thus, only the logged-in user can gain desktop access. If other users need that user to be logged off, draconian methods need to be applied to forcibly boot the user off; one such method is to forcibly reboot the system.
Just to clarify, in our environment we don’t use Fast User Switching.
I’m not a big fan of forcibly rebooting the computer. Unsaved work can get lost, and file corruption can happen, along with a host of other things.
While I was searching for something completely unrelated, I came across this Apple KB article HT5145 (http://support.apple.com/kb/HT5145).
Once /private/etc/pam.d/screensaver is altered as the article describes, a local administrator can gain desktop access when the user has locked the console with the screensaver. To do so, the administrator presses Option-Return and is rewarded with a full authentication dialog box.
After reading the article, I came up with a script to implement the listed change. Here is a link to my script: https://github.com/awjohnso/UnlockScreenSaver.
If the script is stored on the computer and, say, an Apple update reverses the changes, an administrator can fire off the script remotely with software such as ARD (Apple Remote Desktop).
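Since an update can silently revert the file, it helps to detect that before re-running anything. The following is an added example, not part of the UnlockScreenSaver script: a shell function that compares the live PAM file with an admin-reviewed copy and also flags loose permissions. The approved-copy path, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: drift check for the screen saver PAM policy.
LIVE=/private/etc/pam.d/screensaver                 # path named in the post
APPROVED=/usr/local/etc/screensaver.pam.approved    # hypothetical reviewed copy

# Print only the effective rules: no comments, no blank lines, single spaces.
pam_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# 0 = live matches approved, 1 = rules differ, 2 = a file is missing,
# 3 = live file is writable by group or other.
check_screensaver_pam() {
    live=$1 approved=$2
    if [ ! -f "$live" ] || [ ! -f "$approved" ]; then
        echo "missing: $live or $approved"; return 2
    fi
    # Anyone who can write this file decides who may unlock the screen.
    if [ -n "$(find "$live" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "unsafe permissions: $live"; return 3
    fi
    if [ "$(pam_rules "$live")" = "$(pam_rules "$approved")" ]; then
        echo "ok: $live matches approved rules"; return 0
    fi
    echo "drift: effective rules now in $live:"
    pam_rules "$live"
    return 1
}

# Constructed sample (not Apple's shipped file, not the HT5145 edit):
# an approved copy and a "post-update" copy whose last rule differs.
demo() {
    d=${TMPDIR:-/tmp}/pamcheck.$$
    mkdir -p "$d" && chmod 700 "$d" || return 2
    printf '%s\n' '# approved' 'account required pam_opendirectory.so' \
        'account sufficient pam_group.so no_warn group=admin,wheel fail_safe' > "$d/approved"
    printf '%s\n' 'account   required   pam_opendirectory.so' \
        'account required pam_group.so no_warn group=admin,wheel fail_safe' > "$d/live"
    chmod 644 "$d/approved" "$d/live"
    rc=0; check_screensaver_pam "$d/live" "$d/approved" || rc=$?
    rm -rf "$d"
    return $rc
}

# Usage on a Mac (as root): check_screensaver_pam "$LIVE" "$APPROVED"
```

A non-zero return from the check is the signal to review the file before pushing the change again over ARD.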