Tuesday, March 30, 2010

10.6 Snow Leopard Screen Saver

In 10.5 and before, a local admin could unlock a screen saver using their credentials. This changed in 10.6. I understand why, two admins, one computer, you really don't want your buddy to unlock your screen saver. What if you had sensitive data there?! Apple changed this so that only the user that's logged in could unlock the screen saver. All well and good, for a home computer. Here at the university, we need to be able to unlock screen savers with our local admin accounts.

Thanks to a discussion on Apple's discussion boards: http://discussions.apple.com/thread.jspa?threadID=2235793&tstart=0
I was able to find a way to change the authorization to allow local admins to unlock the screen saver. Of course I could edit the file manually, but pishaw to that! Here's the command to change the file:

Don't forget your backup!
cp /etc/pam.d/screensaver /etc/pam.d/screensaver.backup

This should all be on one line. It will make a backup of the file and change the line.:
perl -i~backup -pe s/"account required pam_group.so no_warn group=admin,wheel fail_safe"/"account sufficient pam_group.so no_warn group=admin,wheel fail_safe"/g /etc/pam.d/screensaver

You can see that all we are changing is the "required" to "sufficient". Someone much smarter than I can comment and tell us what this is actually doing, but for my purpose this gets the done stamp.

I ssh'd into a laptop I was locked out of, ran this command, and was immediately able to unlock the screen saver. This should work through ARD, SSH, Payload Free Package (provided below), etc..

Here is a payload free package that will do this. Feel free to check out what the postflight script is doing.

Enjoy Mac Ninjas

Updated blog post! Using perl script instead of shell. 20100330


MrPapiSir said...

Did you forget to post the link to download the package/script on your
blog site?

Rusty said...

@MrPapiSir -
I guess I did! Thanks for the heads up!

Download pre-made package to fix screen saver: