5

I want to be able to unlock screen, or login to physical user while I'm connected with ssh connection. I know this might be unsafe etc. However that's ok for me at the moment. What options do I have to do this?

Shortman
  • 73
  • What exactly do you want to achieve? The machine is in the login screen and you want to login (create GUI session) as a user using SSH connection? – Mateusz Szlosek Mar 07 '18 at 09:13
  • I'm not sure to understand what you want. Is teamviewer or remote desktop like you want to do ? – Chris Mar 07 '18 at 09:14
  • Machine is either of this two states: 1)Login screen. 2)Lock screen. I want to unlock it but either by any program or terminal. In other words I'm not physically there and need to write some kind of credential provider, I might have user credentials already saved. This program will provide user and password to system which will unlock physical screen – Shortman Mar 07 '18 at 09:14
  • For example, in case of Linux I could use loginctl unlock-session c1 from ssh connection, if user "Tim" is running under c1 session and he has locked his screen this command would unlock session c1 – Shortman Mar 07 '18 at 09:20
  • I don't know any program that does this, but I know you can create your own SecurityAgentPlugin from: https://developer.apple.com/library/content/technotes/tn2228/_index.html#//apple_ref/doc/uid/DTS40007991 The info is rather old, because etc/authorization is moved to the security authorizationdb -> https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/ – Mateusz Szlosek Mar 07 '18 at 09:21
  • connecting with remode desktop program as teamviewer and providing credentials isn't an option. I'll be connected with ssh, or I'll have to define date when screen will be unlocked programatically – Shortman Mar 07 '18 at 09:22
  • @MateuszSzlosek thanks :) I'll take a look if I could use it – Shortman Mar 07 '18 at 09:27

2 Answers2

2

The duplicate link I added has some really good Apple Script options.

$ osascript -e 'tell application "System Events"
> keystroke "verysecurepassword"
> key code 36
> end tell'

I might also suggest using LockScreen. It's a hidden application that comes preinstalled and is protected by System Integrity protection. It will put a lock icon on the screen, lock the keyboard and mouse, and freeze the Touch Bar (Sounds malicious, right?).

  1. System Preferences > Security & Privacy > Uncheck "Require Password...."

  2. To lock the Mac use 

$ /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen
  1. To unlock the Mac use (non tested but should work)
    $ killall LockScreen
user7886229
  • 10,009
0

Apple distinguishes an ssh session from an actual graphical log in and even restricts some things like MDM enrollment to prevent any remote session from doing an action that is designed for a person in front of the machine to approve.

It depends on your macOS version and your settings if this is trivial or blocked.

Locking is easy, unlocking depends on the security choices and T2 chip presence in the hardware.

For code and API - check out our partner site Stack Overflow - the API to lock a screen is documented there and you might find official Apple developer API and SDK at https://developer.apple.com

bmike
  • 235,889
  • This actually should be quite secure. On Linux systems with Systemd, you can say: loginctl unlock-session, which will unlock for the current user. So you need a way to authenticate as the user anyway. I'm missing this on my Mac. – Tamás Barta Sep 29 '20 at 13:24
  • Apple is placing the decryption keys in a Secure Enclave @TamásBarta so as long as whatever script or framework calls the unlock asks the T2 chip to unlock in an approved way, you’re correct. Apple stores one time keys to NVRAM as part of fdesetup authrestart which automates not only unlock, but unlock over a power cycle event. – bmike Sep 29 '20 at 14:50
  • 1
    Wow, thanks for the additional info @bmike, I'm not familiar with the Apple stuff, so I appreciate these details. – Tamás Barta Sep 30 '20 at 22:38