pam-u2f: Individual authorization file cannot be read when login on console

I use pam_u2f version 1.0.8 on a Fedora LXDE 32 system. I have added the following line (by using authselect, https://github.com/authselect/authselect) to files in /etc/pam.d/ to require 2-factor authorization:

/etc/pam.d/password-auth: auth required pam_u2f.so cue nouserok

In most cases (e.g. login by lxdm) this works. But when I log in on the console the Yubikey is not necessary and I can log in by using only the password. That can be a security problem when someone uses a weak password because of the second factor (a weak password would be ok if the 2-factor authorization would really work).

When I add “debug” to the line above I get the attached output. The important lines seem to be:

debug(pam_u2f): pam-u2f.c:265 (pam_sm_authenticate): Using authentication file /home/anonym/.config/Yubico/u2f_keys
debug(pam_u2f): pam-u2f.c:278 (pam_sm_authenticate): Dropping privileges
debug(pam_u2f): pam-u2f.c:284 (pam_sm_authenticate): Switched to uid 1001
debug(pam_u2f): util.c:42 (get_devices_from_authfile): Cannot open file: /home/anonym/.config/Yubico/u2f_keys (Permission denied)
debug(pam_u2f): pam-u2f.c:295 (pam_sm_authenticate): Restored privileges
debug(pam_u2f): pam-u2f.c:306 (pam_sm_authenticate): Found no devices but nouserok specified. Skipping authentication

The problem seems to be that pam_u2f cannot read the file “$HOME/.config/Yubico/u2f_keys”.

Steps to reproduce that (tested with Fedora LXDE 32):

  1. Add the above line to the files in /etc/pam.d/ (e.g. execute “authselect select sssd with-pam-u2f-2fa without-nullok” as root)
  2. Activate a Yubikey for a user (e.g. execute “mkdir ~/.config/Yubico; pamu2fcfg > ~/.config/Yubico/u2f_keys” as the user and press the Yubikey button)
  3. Reboot the system
  4. Wait until the login manager appears
  5. Press the key combination Ctrl-Alt-F2 to switch to a console
  6. Log in as the user only with the password, without the Yubikey

pam_u2f-debug-output.txt
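The debug output above shows the fail-open side of "nouserok": pam_u2f drops to the user's uid, cannot open the per-user authorization file, and then skips the second factor instead of refusing the login. The following shell helpers are an added example (not code from the reporter or the pam-u2f project) that audits for exactly that combination: a pam.d file carrying "nouserok" on the pam_u2f line together with an authorization file that the current user cannot read. The directory and file paths passed to the functions are the caller's choice; the verdict names ("OK", "FAIL-OPEN", "FAIL-CLOSED") are invented for this example.

```shell
#!/bin/sh
# Added example, not from the pam-u2f project: audit the fail-open condition
# described in the report. With "nouserok", an authorization file that cannot
# be opened (missing, wrong mode or owner, or an SELinux denial) makes
# pam_u2f skip the second factor; without it the login would be refused.

# List PAM config files under directory $1 whose pam_u2f line has "nouserok".
# grep -l prints matching file names; -s hides errors for unreadable files.
pam_u2f_nouserok_files() {
  grep -ls 'pam_u2f\.so.*nouserok' "$1"/* 2>/dev/null || true
}

# Classify authorization file $1 from the current user's point of view.
# pam_u2f reads the file after switching to the user's uid, so run this
# as the user whose login is being checked.
authfile_state() {
  if [ ! -e "$1" ]; then
    echo missing
  elif [ ! -r "$1" ]; then
    echo unreadable
  else
    echo readable
  fi
}

# Verdict for PAM directory $1 and authorization file $2 (labels invented here):
#   OK          file readable, the second factor will be demanded
#   FAIL-OPEN   file not readable and nouserok set: login downgrades to password only
#   FAIL-CLOSED file not readable and nouserok absent: login is refused
audit_u2f() {
  state=$(authfile_state "$2")
  if [ -n "$(pam_u2f_nouserok_files "$1")" ]; then
    nouserok=yes
  else
    nouserok=no
  fi
  if [ "$state" = readable ]; then
    echo OK
  elif [ "$nouserok" = yes ]; then
    echo FAIL-OPEN
  else
    echo FAIL-CLOSED
  fi
}

# Stand-alone use: audit_u2f /etc/pam.d "$HOME/.config/Yubico/u2f_keys"
if [ "$#" -eq 2 ]; then
  audit_u2f "$1" "$2"
fi
```

The readability test runs in the calling shell's own context, so on an SELinux system in enforcing mode a "readable" result from an interactive shell does not rule out a denial in the context the login process runs under; the module's own "debug" output, as quoted in the report, remains the authoritative check. What the script does catch without any privilege is the policy question: whether "nouserok" is present at all, and therefore whether an unreadable file degrades the login to a single factor rather than blocking it.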

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

Thanks for the links about SELinux. There is a reference to the SELinux mailing list (https://lists.fedoraproject.org/admin/lists/selinux.lists.fedoraproject.org/). So I sent a mail to the mailing list about this problem.