Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:39 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 8 posts ] 
Author Message
PostPosted: Fri Jan 02, 2015 12:06 am 
Offline

Joined: Thu Jan 01, 2015 11:24 pm
Posts: 6
Hi,

I've successful setup pam-u2f. When my Yubico is plugged in, I need to press the button to get verified. But when I've unplugged my Yubico, pam-u2f seem to skip the auth process:

####
[util.c:do_authentication(213)] Unable to discover device(s), cannot find U2F device
[pam-u2f.c:pam_sm_authenticate(175)] do_authentication returned -2
[pam-u2f.c:pam_sm_authenticate(192)] done. [The return value should be ignored by PAM dispatch]
####

This is very bad because I just need to unplug any U2F Device to get verified and can login .... Is there any way to change this behavior? I expect an auth failure when no U2F Key is found.

BR
Manuel


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Jan 02, 2015 12:37 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Hi,

what you describe is not the intended behaviour. I suspect something is not right in the configuration files because the last line of three you have pasted will normally trigger a 'permission denied' error.

Could you please paste the relevant lines of the configuration file in /etc/pam.d for the service you are using?

Also a full dump of the debug information printed by the module would be helpful. Feel free to leave out the public key and the key handle, even tho they're not critical.

Thanks
A.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 02, 2015 1:00 pm 
Offline

Joined: Thu Jan 01, 2015 11:24 pm
Posts: 6
Hi Alessio,


My pam config:

auth required pam_u2f.so authfile=/etc/u2f_mappings appid=myappid debug
auth required pam_unix.so try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so


Debug Log from success U2F auth:

manuel@mamel:~$ sudo su
[pam-u2f.c:parse_cfg(39)] called.
[pam-u2f.c:parse_cfg(40)] flags 32768 argc 3
[pam-u2f.c:parse_cfg(42)] argv[0]=authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(42)] argv[1]=appid=myappid
[pam-u2f.c:parse_cfg(42)] argv[2]=debug
[pam-u2f.c:parse_cfg(43)] max_devices=0
[pam-u2f.c:parse_cfg(44)] debug=1
[pam-u2f.c:parse_cfg(45)] alwaysok=0
[pam-u2f.c:parse_cfg(46)] authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(47)] origin=(null)
[pam-u2f.c:parse_cfg(48)] appid=myappid
[pam-u2f.c:pam_sm_authenticate(87)] Origin not specified, using "pam://mamel"
[pam-u2f.c:pam_sm_authenticate(108)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(124)] Requesting authentication for user manuel
[pam-u2f.c:pam_sm_authenticate(135)] Found user manuel
[pam-u2f.c:pam_sm_authenticate(136)] Home directory for manuel is /home/manuel
[pam-u2f.c:pam_sm_authenticate(162)] Using authentication file /etc/u2f_mappings
[util.c:get_devices_from_authfile(73)] Authorization line: manuel:****,****
[util.c:get_devices_from_authfile(78)] Matched user: manuel
[util.c:get_devices_from_authfile(104)] KeyHandle for device number 1: ****
[util.c:get_devices_from_authfile(127)] publicKey for device number 1: *****
[util.c:get_devices_from_authfile(140)] Length of key number 1 is 65
[util.c:get_devices_from_authfile(166)] Found 1 device(s) for user manuel
[util.c:do_authentication(219)] Device max index is 0
[util.c:do_authentication(242)] Attempting authentication with device number 1
[util.c:do_authentication(261)] Challenge: { "keyHandle": "*****", "version": "U2F_V2", "challenge": "*****", "appId": "myappid" }
[util.c:do_authentication(267)] Response: { "signatureData": "***", "clientData": "***", "keyHandle": "****" }
[pam-u2f.c:pam_sm_authenticate(192)] done. [Success]
[sudo] password for manuel:
root@mamel:/home/manuel#


Debug Log when no Yubikey is insert:

manuel@mamel:~$ sudo su
[pam-u2f.c:parse_cfg(39)] called.
[pam-u2f.c:parse_cfg(40)] flags 32768 argc 3
[pam-u2f.c:parse_cfg(42)] argv[0]=authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(42)] argv[1]=appid=myappid
[pam-u2f.c:parse_cfg(42)] argv[2]=debug
[pam-u2f.c:parse_cfg(43)] max_devices=0
[pam-u2f.c:parse_cfg(44)] debug=1
[pam-u2f.c:parse_cfg(45)] alwaysok=0
[pam-u2f.c:parse_cfg(46)] authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(47)] origin=(null)
[pam-u2f.c:parse_cfg(48)] appid=myappid
[pam-u2f.c:pam_sm_authenticate(87)] Origin not specified, using "pam://mamel"
[pam-u2f.c:pam_sm_authenticate(108)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(124)] Requesting authentication for user manuel
[pam-u2f.c:pam_sm_authenticate(135)] Found user manuel
[pam-u2f.c:pam_sm_authenticate(136)] Home directory for manuel is /home/manuel
[pam-u2f.c:pam_sm_authenticate(162)] Using authentication file /etc/u2f_mappings
[util.c:get_devices_from_authfile(73)] Authorization line: manuel:***,****
[util.c:get_devices_from_authfile(78)] Matched user: manuel
[util.c:get_devices_from_authfile(104)] KeyHandle for device number 1: ****
[util.c:get_devices_from_authfile(127)] publicKey for device number 1: ****
[util.c:get_devices_from_authfile(140)] Length of key number 1 is 65
[util.c:get_devices_from_authfile(166)] Found 1 device(s) for user manuel
[util.c:do_authentication(213)] Unable to discover device(s), cannot find U2F device
[pam-u2f.c:pam_sm_authenticate(175)] do_authentication returned -2
[pam-u2f.c:pam_sm_authenticate(192)] done. [The return value should be ignored by PAM dispatch]
[sudo] password for manuel:
root@mamel:/home/manuel#


The module say to me "The return value should be ignored by PAM dispatch" and this is that what PAM do, just ignore the return code -2 and going on the the next line.


I have a similar behavior when I try to authenticate a user without a config line in "/etc/u2f_mappings":

.... same as above ....
[util.c:get_devices_from_authfile(166)] Found 0 device(s) for user testuser
[pam-u2f.c:pam_sm_authenticate(175)] do_authentication returned -2
[pam-u2f.c:pam_sm_authenticate(192)] done. [The return value should be ignored by PAM dispatch]


This is good for me because I can have user which need a U2F device and user without the need of a U2F device. But it would be nicer if I can setup what happen when I user try to login and have no configuration file. The default action should be "failed"


BR
Manuel


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 02, 2015 4:02 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Hi Manuel,

I have pushed a new version on github. Please check it out.

You should now get a hard fail if anything within the authentication process gives an error.

Furthermore, I have added a new configuration parameter called 'nouserok'. It defaults to unset, but if you set it, it will allow authentication requests to succeed even if the user is not present within the authentication file.

I hope this helps.

Let me know
A.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 02, 2015 4:39 pm 
Offline

Joined: Thu Jan 01, 2015 11:24 pm
Posts: 6
Hi Alessio,

you made my day. Many thanks, it work fine.

--Manuel


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 02, 2015 5:11 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Glad to help, and thank you for suggesting the improvement.

A.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 03, 2015 11:23 am 
Offline

Joined: Thu Jan 01, 2015 11:24 pm
Posts: 6
Hi Alessio,

I've another problem with my system. When I enable pam-u2f after booting everything is working fine. I can lock my screen, change to console and so on. Login is working fine with pam-u2f
But when I reboot, I'm not able to login. Respectively I can login but get logged out immediately. The only way to use my system again is booting with a rescue Stick, disable pam-u2f. Then I can login, enable the module and use it fine.

The logout is too fast to see any debug messages. And I can't find anything interesting in auth.log or syslog.

Any ideas? Is there a way to write debug to file instead of stdout?


BR
Manuel


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 05, 2015 12:17 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Hi Manuel,

I have never encountered this behaviour during my tests. Are you using a real system or a virtual machine? Which distro?

You can try some quick debugging by changing the authentication method of pam-u2f to optional. This should allow you to log in anyway.

If that doesn't work you can enable system level debugging.

To do that you have to edit the file /etc/syslog.conf (or rsyslog.conf if you are using rsyslog) and add the line
Code:
*.debug  /var/log/debug.log

After that you have to create the file /var/log/debug.log
And then create the file /etc/pam_debug
Restart (r)syslog and you should have debug messages inside debug.log

I hope this helps
A.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group