Yubico Forum
https://forum.yubico.com/

pam-u2f and no key plugged in
https://forum.yubico.com/viewtopic.php?f=23&t=1693
Page 1 of 1

Author:  aicahthohvip [ Fri Jan 02, 2015 12:06 am ]
Post subject:  pam-u2f and no key plugged in

Hi,

I've successfully set up pam-u2f. When my Yubico is plugged in, I need to press the button to get verified. But when I've unplugged my Yubico, pam-u2f seems to skip the auth process:

####
[util.c:do_authentication(213)] Unable to discover device(s), cannot find U2F device
[pam-u2f.c:pam_sm_authenticate(175)] do_authentication returned -2
[pam-u2f.c:pam_sm_authenticate(192)] done. [The return value should be ignored by PAM dispatch]
####

This is very bad because I just need to unplug any U2F device to get verified and can log in.... Is there any way to change this behavior? I expect an auth failure when no U2F key is found.

BR
Manuel

Author:  Alessio [ Fri Jan 02, 2015 12:37 pm ]
Post subject:  Re: pam-u2f and no key plugged in

Hi,

what you describe is not the intended behaviour. I suspect something is not right in the configuration files, because the last of the three lines you have pasted will normally trigger a 'permission denied' error.

Could you please paste the relevant lines of the configuration file in /etc/pam.d for the service you are using?

Also, a full dump of the debug information printed by the module would be helpful. Feel free to leave out the public key and the key handle, even though they're not critical.

Thanks
A.

Author:  aicahthohvip [ Fri Jan 02, 2015 1:00 pm ]
Post subject:  Re: pam-u2f and no key plugged in

Hi Alessio,


My pam config:

auth required pam_u2f.so authfile=/etc/u2f_mappings appid=myappid debug
auth required pam_unix.so try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so


Debug log from a successful U2F auth:

manuel@mamel:~$ sudo su
[pam-u2f.c:parse_cfg(39)] called.
[pam-u2f.c:parse_cfg(40)] flags 32768 argc 3
[pam-u2f.c:parse_cfg(42)] argv[0]=authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(42)] argv[1]=appid=myappid
[pam-u2f.c:parse_cfg(42)] argv[2]=debug
[pam-u2f.c:parse_cfg(43)] max_devices=0
[pam-u2f.c:parse_cfg(44)] debug=1
[pam-u2f.c:parse_cfg(45)] alwaysok=0
[pam-u2f.c:parse_cfg(46)] authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(47)] origin=(null)
[pam-u2f.c:parse_cfg(48)] appid=myappid
[pam-u2f.c:pam_sm_authenticate(87)] Origin not specified, using "pam://mamel"
[pam-u2f.c:pam_sm_authenticate(108)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(124)] Requesting authentication for user manuel
[pam-u2f.c:pam_sm_authenticate(135)] Found user manuel
[pam-u2f.c:pam_sm_authenticate(136)] Home directory for manuel is /home/manuel
[pam-u2f.c:pam_sm_authenticate(162)] Using authentication file /etc/u2f_mappings
[util.c:get_devices_from_authfile(73)] Authorization line: manuel:****,****
[util.c:get_devices_from_authfile(78)] Matched user: manuel
[util.c:get_devices_from_authfile(104)] KeyHandle for device number 1: ****
[util.c:get_devices_from_authfile(127)] publicKey for device number 1: *****
[util.c:get_devices_from_authfile(140)] Length of key number 1 is 65
[util.c:get_devices_from_authfile(166)] Found 1 device(s) for user manuel
[util.c:do_authentication(219)] Device max index is 0
[util.c:do_authentication(242)] Attempting authentication with device number 1
[util.c:do_authentication(261)] Challenge: { "keyHandle": "*****", "version": "U2F_V2", "challenge": "*****", "appId": "myappid" }
[util.c:do_authentication(267)] Response: { "signatureData": "***", "clientData": "***", "keyHandle": "****" }
[pam-u2f.c:pam_sm_authenticate(192)] done. [Success]
[sudo] password for manuel:
root@mamel:/home/manuel#


Debug log when no YubiKey is inserted:

manuel@mamel:~$ sudo su
[pam-u2f.c:parse_cfg(39)] called.
[pam-u2f.c:parse_cfg(40)] flags 32768 argc 3
[pam-u2f.c:parse_cfg(42)] argv[0]=authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(42)] argv[1]=appid=myappid
[pam-u2f.c:parse_cfg(42)] argv[2]=debug
[pam-u2f.c:parse_cfg(43)] max_devices=0
[pam-u2f.c:parse_cfg(44)] debug=1
[pam-u2f.c:parse_cfg(45)] alwaysok=0
[pam-u2f.c:parse_cfg(46)] authfile=/etc/u2f_mappings
[pam-u2f.c:parse_cfg(47)] origin=(null)
[pam-u2f.c:parse_cfg(48)] appid=myappid
[pam-u2f.c:pam_sm_authenticate(87)] Origin not specified, using "pam://mamel"
[pam-u2f.c:pam_sm_authenticate(108)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(124)] Requesting authentication for user manuel
[pam-u2f.c:pam_sm_authenticate(135)] Found user manuel
[pam-u2f.c:pam_sm_authenticate(136)] Home directory for manuel is /home/manuel
[pam-u2f.c:pam_sm_authenticate(162)] Using authentication file /etc/u2f_mappings
[util.c:get_devices_from_authfile(73)] Authorization line: manuel:***,****
[util.c:get_devices_from_authfile(78)] Matched user: manuel
[util.c:get_devices_from_authfile(104)] KeyHandle for device number 1: ****
[util.c:get_devices_from_authfile(127)] publicKey for device number 1: ****
[util.c:get_devices_from_authfile(140)] Length of key number 1 is 65
[util.c:get_devices_from_authfile(166)] Found 1 device(s) for user manuel
[util.c:do_authentication(213)] Unable to discover device(s), cannot find U2F device
[pam-u2f.c:pam_sm_authenticate(175)] do_authentication returned -2
[pam-u2f.c:pam_sm_authenticate(192)] done. [The return value should be ignored by PAM dispatch]
[sudo] password for manuel:
root@mamel:/home/manuel#


The module tells me "The return value should be ignored by PAM dispatch", and that is exactly what PAM does: it just ignores the return code -2 and goes on to the next line.


I have a similar behavior when I try to authenticate a user without a config line in "/etc/u2f_mappings":

.... same as above ....
[util.c:get_devices_from_authfile(166)] Found 0 device(s) for user testuser
[pam-u2f.c:pam_sm_authenticate(175)] do_authentication returned -2
[pam-u2f.c:pam_sm_authenticate(192)] done. [The return value should be ignored by PAM dispatch]


This is good for me because I can have users who need a U2F device and users who don't. But it would be nicer if I could set up what happens when a user tries to log in and has no configuration file. The default action should be "failed".


BR
Manuel

Author:  Alessio [ Fri Jan 02, 2015 4:02 pm ]
Post subject:  Re: pam-u2f and no key plugged in

Hi Manuel,

I have pushed a new version on github. Please check it out.

You should now get a hard fail if anything within the authentication process gives an error.

Furthermore, I have added a new configuration parameter called 'nouserok'. It defaults to unset, but if you set it, it will allow authentication requests to succeed even if the user is not present within the authentication file.

I hope this helps.

Let me know
A.
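The two posts above describe a PAM stack that looks strict (`auth required pam_u2f.so`) yet lets a user in with a password alone when the module returns PAM_IGNORE, and a module fix that turns that case into a hard failure. The following is an added example, not code from pam-u2f, Linux-PAM or this thread's authors: a Python model of libpam's auth-stack dispatcher, following the control-flag semantics documented in pam.d(5), run over the exact stack Manuel posted. The log line "The return value should be ignored by PAM dispatch" is pam_strerror(PAM_IGNORE), so the module Manuel ran is modelled as returning PAM_IGNORE. Everything else about module outcomes is an assumption for the model: the fixed module is taken to return PAM_AUTH_ERR, pam_deny to return PAM_AUTH_ERR, and the two optional modules to succeed. The names `parse_stack`, `dispatch`, `pam_u2f_verdict` and `login` are this example's own.

```python
"""Linux-PAM auth-stack dispatch, modelled in Python.

Added example for this thread; not code from pam-u2f or Linux-PAM.  The
dispatch rules follow the control-flag semantics in pam.d(5) (required,
requisite, sufficient, optional and the [value=action] form) and are run
over the stack Manuel posted, under the two pam_u2f behaviours the thread
describes.  Assumptions: the fixed module returns PAM_AUTH_ERR, pam_deny
returns PAM_AUTH_ERR, the optional modules succeed.
"""
import re

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_IGNORE = 0, 6, 7, 25
NAME = {0: "success", 6: "perm_denied", 7: "auth_err", 25: "ignore"}

# Keyword expansions as documented in pam.d(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

# The auth stack from Manuel's post, verbatim.
MANUEL_STACK = """
auth required pam_u2f.so authfile=/etc/u2f_mappings appid=myappid debug
auth required pam_unix.so try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""


def parse_stack(text):
    """Turn 'type control module args' lines into (module, actions) pairs."""
    stack = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((module, actions))
    return stack


def dispatch(stack, results):
    """Combine one return code per stack line the way libpam's dispatcher does."""
    impression = None          # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED   # libpam starts from PAM_MUST_FAIL_CODE
    i = 0
    while i < len(stack):
        _, actions = stack[i]
        retval = results[i]
        action = actions.get(NAME[retval], actions["default"])
        i += 1
        if action == "ignore":
            continue                                  # contributes nothing
        if action == "reset":
            impression, status = None, PAM_PERM_DENIED
            continue
        if action in ("bad", "die"):
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = False, retval    # the first failure is kept
            if action == "die":
                break
            continue
        # "ok", "done" or a numeric jump: the module's code counts as positive
        if impression is None or (impression and status == PAM_SUCCESS):
            impression, status = True, retval
        if action == "done" and impression:
            break
        if action.isdigit():
            i += int(action)                          # skip the next N lines
    if status == PAM_SUCCESS and not impression:
        status = PAM_PERM_DENIED                      # libpam's final sanity check
    return status


def pam_u2f_verdict(user_in_authfile, device_present, fixed, nouserok=False):
    """pam_u2f's own return code, modelled on what the thread reports: the
    version Manuel ran gave PAM_IGNORE for a missing device or a missing
    authfile entry; the pushed version fails hard (assumed PAM_AUTH_ERR),
    except that nouserok lets a user without an authfile entry through."""
    if not user_in_authfile:
        if fixed and nouserok:
            return PAM_SUCCESS
        return PAM_AUTH_ERR if fixed else PAM_IGNORE
    if not device_present:
        return PAM_AUTH_ERR if fixed else PAM_IGNORE
    return PAM_SUCCESS          # touch confirmed and signature verified


STACK = parse_stack(MANUEL_STACK)


def login(u2f_rc, unix_rc=PAM_SUCCESS):
    """Outcome of Manuel's stack for a given pam_u2f and pam_unix result."""
    per_line = [u2f_rc, unix_rc, unix_rc, PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS]
    return dispatch(STACK, per_line)


if __name__ == "__main__":
    cases = [
        ("old module, key present",            pam_u2f_verdict(True, True, False)),
        ("old module, key unplugged",          pam_u2f_verdict(True, False, False)),
        ("fixed module, key unplugged",        pam_u2f_verdict(True, False, True)),
        ("fixed module, user not in authfile", pam_u2f_verdict(False, False, True)),
        ("fixed module + nouserok, no entry",  pam_u2f_verdict(False, False, True, True)),
    ]
    for label, rc in cases:
        print(f"{label:38s} pam_u2f={NAME[rc]:11s} stack -> {NAME[login(rc)]}")
```

The "old module, key unplugged" row reaches an overall success, which is the bypass Manuel saw: `required` does not turn PAM_IGNORE into a failure, it maps it to `ignore` by definition, so the stack silently degrades to pam_unix's password check. With the module alone on the stack the same PAM_IGNORE yields permission denied (nothing contributed, so libpam keeps its initial failure code), which is the "permission denied" Alessio expected. The correction therefore has to come from the module's return code, which is what the pushed version does. A quick check after upgrading: keep `debug` on, unplug the key, and confirm the final line of the module output no longer reads "[The return value should be ignored by PAM dispatch]".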

Author:  aicahthohvip [ Fri Jan 02, 2015 4:39 pm ]
Post subject:  Re: pam-u2f and no key plugged in

Hi Alessio,

you made my day. Many thanks, it works fine.

--Manuel

Author:  Alessio [ Fri Jan 02, 2015 5:11 pm ]
Post subject:  Re: pam-u2f and no key plugged in

Glad to help, and thank you for suggesting the improvement.

A.

Author:  aicahthohvip [ Sat Jan 03, 2015 11:23 am ]
Post subject:  Re: pam-u2f and no key plugged in

Hi Alessio,

I have another problem with my system. When I enable pam-u2f after booting, everything is working fine. I can lock my screen, change to the console and so on. Login is working fine with pam-u2f.
But when I reboot, I'm not able to log in. Or rather, I can log in but get logged out immediately. The only way to use my system again is booting with a rescue stick and disabling pam-u2f. Then I can log in, enable the module and use it fine.

The logout is too fast to see any debug messages. And I can't find anything interesting in auth.log or syslog.

Any ideas? Is there a way to write debug to file instead of stdout?


BR
Manuel

Author:  Alessio [ Mon Jan 05, 2015 12:17 pm ]
Post subject:  Re: pam-u2f and no key plugged in

Hi Manuel,

I have never encountered this behaviour during my tests. Are you using a real system or a virtual machine? Which distro?

You can try some quick debugging by changing the authentication method of pam-u2f to optional. This should allow you to log in anyway.

If that doesn't work you can enable system level debugging.

To do that you have to edit the file /etc/syslog.conf (or rsyslog.conf if you are using rsyslog) and add the line
Code:
*.debug  /var/log/debug.log

After that you have to create the file /var/log/debug.log
and then create the file /etc/pam_debug.
Restart (r)syslog and you should have debug messages inside debug.log.

I hope this helps
A.

Page 1 of 1 All times are UTC + 1 hour