pam-u2f: Individual authorization file cannot be read when login on console
I use pam_u2f version 1.0.8 on a Fedora LXDE 32 system. I have added the following line (by using authselect, https://github.com/authselect/authselect) to files in /etc/pam.d/ to require 2-factor authorization:
/etc/pam.d/password-auth:auth required pam_u2f.so cue nouserok
In most cases (e.g. login by lxdm) this works. But when I login on the console the Yubikey is not necessary and I can login by using only the password. That can be a security problem when someone uses a weak password because of the second factor (a weak password would be ok if the 2-factor authorization really worked).
When I add “debug” to the line above I get the attached output. The important lines seem to be:
debug(pam_u2f): pam-u2f.c:265 (pam_sm_authenticate): Using authentication file /home/anonym/.config/Yubico/u2f_keys
debug(pam_u2f): pam-u2f.c:278 (pam_sm_authenticate): Dropping privileges
debug(pam_u2f): pam-u2f.c:284 (pam_sm_authenticate): Switched to uid 1001
debug(pam_u2f): util.c:42 (get_devices_from_authfile): Cannot open file: /home/anonym/.config/Yubico/u2f_keys (Permission denied)
debug(pam_u2f): pam-u2f.c:295 (pam_sm_authenticate): Restored privileges
debug(pam_u2f): pam-u2f.c:306 (pam_sm_authenticate): Found no devices but nouserok specified. Skipping authentication
The problem seems to be that pam_u2f cannot read the file “$HOME/.config/Yubico/u2f_keys”.
Steps to reproduce that (tested with Fedora LXDE 32):
- Add the above line to the files in /etc/pam.d/ (e.g. execute “authselect select sssd with-pam-u2f-2fa without-nullok” as root)
- Activate a Yubikey for a user (e.g. execute “mkdir ~/.config/Yubico; pamu2fcfg > ~/.config/Yubico/u2f_keys” as the user and press the Yubikey button)
- Reboot the system
- Wait until the login manager appears
- Press the key combination Ctrl-Alt-F2 to switch to a console
- Login as the user only with the password without the Yubikey
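A small check, added here and not part of the original issue or of pam-u2f itself, that detects the failure mode described above in pam_u2f debug output: the authfile open failing with "Permission denied" followed by the "nouserok" skip, plus a helper that flags pam.d lines carrying the nouserok option. The sample log is constructed from the lines quoted in the issue; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original issue): detect the silent second-factor
# skip that pam_u2f produces when the authfile is unreadable and "nouserok" is set.

# Return 0 when a pam.d line loads pam_u2f.so with the "nouserok" option, the
# setting that turns an unreadable authfile into "Skipping authentication".
pam_u2f_nouserok_set() {
  printf '%s\n' "$1" | grep 'pam_u2f\.so' | grep -qw 'nouserok'
}

# Return 0 when a pam_u2f debug log shows the bypass pattern from the issue:
# the authfile could not be opened AND authentication was then skipped.
u2f_silent_bypass() {
  logfile="$1"
  grep -q 'Cannot open file:.*(Permission denied)' "$logfile" || return 1
  grep -q 'Found no devices but nouserok specified. Skipping authentication' "$logfile" || return 1
  return 0
}

# Extract the authfile path pam_u2f tried to use, for the report.
u2f_authfile() {
  sed -n 's/.*Using authentication file \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample log, reproducing the debug lines quoted in the issue.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
debug(pam_u2f): pam-u2f.c:265 (pam_sm_authenticate): Using authentication file /home/anonym/.config/Yubico/u2f_keys
debug(pam_u2f): pam-u2f.c:278 (pam_sm_authenticate): Dropping privileges
debug(pam_u2f): pam-u2f.c:284 (pam_sm_authenticate): Switched to uid 1001
debug(pam_u2f): util.c:42 (get_devices_from_authfile): Cannot open file: /home/anonym/.config/Yubico/u2f_keys (Permission denied)
debug(pam_u2f): pam-u2f.c:295 (pam_sm_authenticate): Restored privileges
debug(pam_u2f): pam-u2f.c:306 (pam_sm_authenticate): Found no devices but nouserok specified. Skipping authentication
EOF

# Constructed pam.d line, as in the issue.
PAM_LINE='auth required pam_u2f.so cue nouserok'

if pam_u2f_nouserok_set "$PAM_LINE" && u2f_silent_bypass "$SAMPLE_LOG"; then
  echo "WARNING: second factor skipped; pam_u2f could not read $(u2f_authfile "$SAMPLE_LOG")"
fi
```

Run with the real debug output in place of the sample log to confirm whether a console login is falling back to password-only.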
About this issue
- State: closed
- Created 4 years ago
- Comments: 15 (8 by maintainers)
Commits related to this issue
- Add a note regarding SELinux on man and README Relates to #152. — committed to Yubico/pam-u2f by a-dma 4 years ago
- Clarify text around SELinux Relates to #152. — committed to Yubico/pam-u2f by a-dma 4 years ago
Thanks for the links about SELinux. There is a reference to the SELinux mailing list (https://lists.fedoraproject.org/admin/lists/selinux.lists.fedoraproject.org/). So I sent a mail to the mailing list about this problem.