pam-u2f: MacOS Mojave : Unable to discover device(s), cannot find U2F device

Hi, I have an issue using U2F with a Titan Google key. I am on macOS 10.14.5 (18F132) Mojave. Here is my installation:

# Install PAM U2F Module
brew install pam-u2f

# Generate a new authorization mapping file
mkdir -p ~/.config/u2f  
# >>> Insert U2F Token
pamu2fcfg > ~/.config/u2f/keys  
# >>> Press button on U2F token
# >>> Remove token
# >>> Insert second U2F token
pamu2fcfg -n >> ~/.config/u2f/keys  
# >>> Press button on second U2F token
# >>> Remove token

# Edit PAM configuration files
sudo nano /etc/pam.d/screensaver  
### Add a line with:
auth       sufficient  /usr/local/opt/pam-u2f/lib/pam/pam_u2f.so debug debug_file=/Users/mfrancois/.config/u2f/debug.log  authfile=/Users/mfrancois/.config/u2f/keys

sudo nano /etc/pam.d/authorization  
### Add a line with:
auth       sufficient  /usr/local/opt/pam-u2f/lib/pam/pam_u2f.so debug debug_file=/Users/mfrancois/.config/u2f/debug.log  authfile=/Users/mfrancois/.config/u2f/keys

I made some tests with

u2f-server -aregister -ohttp://demo.yubico.com   -i http://demo.yubico.com -k keyhandle.dat -p userkey.dat

I pasted the JSON result into

u2f-host -aregister -o http://demo.yubico.com

I pasted the JSON result into the previous one and I got "Registration successful". I tested the key on the demo website and that works well too.

But when I would like to use it for Mac authentication, the debug log lets me know: Unable to discover device(s), cannot find U2F device

debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user mfrancois
debug(pam_u2f): pam-u2f.c:340 (pam_sm_authenticate): Using file '/var/run/user/0/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
debug(pam_u2f): pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): pam-u2f.c:100 (parse_cfg): flags 0 argc 3
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): argv[0]=debug
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): argv[1]=debug_file=/Users/mfrancois/.config/u2f/debug.log
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): argv[2]=authfile=/Users/mfrancois/.config/u2f/keys
debug(pam_u2f): pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): pam-u2f.c:113 (parse_cfg): authfile=/Users/mfrancois/.config/u2f/keys
debug(pam_u2f): pam-u2f.c:114 (parse_cfg): authpending_file=(null)
debug(pam_u2f): pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://mbp-de-maxime-2.lan"
debug(pam_u2f): pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://mbp-de-maxime-2.lan)
debug(pam_u2f): pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user mfrancois
debug(pam_u2f): pam-u2f.c:221 (pam_sm_authenticate): Found user mfrancois
debug(pam_u2f): pam-u2f.c:222 (pam_sm_authenticate): Home directory for mfrancois is /Users/mfrancois
debug(pam_u2f): pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /Users/mfrancois/.config/u2f/keys
debug(pam_u2f): util.c:105 (get_devices_from_authfile): Authorization line: mfrancois:H43INPz6_XLBOHKqD0vyIGNxIeUX--mjWNCgMCJtZpatpW9pCbEtJ7hjtYoe_yRacYRriqd_y0s-YsQDuSOmxw,0442ddb92f941cf73ca3851d535ed70126d051edc51aa899345179671c0a09d70e98bab62b8f4da5be78abe4ea3af766194f0df4e5c0479ac6138c8d8cd80402b2:aBGhbYSZv6eqeIAYs4gjhYAEj2R_dMbdH2yN5eHuVpzFFSEjOivpqhLPNbXKgYobI-ZNIPtJl9X31RlMEgFOAg,04acd50d7231c61ed4ae560e92e9362a6fa8fa0ae3a837508949b2f60fda2a940336b6e3267b1230f3f5077ff1fdba8ba6765ae30ec6dcd0cbd589d03b630892d2
debug(pam_u2f): util.c:110 (get_devices_from_authfile): Matched user: mfrancois
debug(pam_u2f): util.c:137 (get_devices_from_authfile): KeyHandle for device number 1: H43INPz6_XLBOHKqD0vyIGNxIeUX--mjWNCgMCJtZpatpW9pCbEtJ7hjtYoe_yRacYRriqd_y0s-YsQDuSOmxw
debug(pam_u2f): util.c:156 (get_devices_from_authfile): publicKey for device number 1: 0442ddb92f941cf73ca3851d535ed70126d051edc51aa899345179671c0a09d70e98bab62b8f4da5be78abe4ea3af766194f0df4e5c0479ac6138c8d8cd80402b2
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): util.c:137 (get_devices_from_authfile): KeyHandle for device number 2: aBGhbYSZv6eqeIAYs4gjhYAEj2R_dMbdH2yN5eHuVpzFFSEjOivpqhLPNbXKgYobI-ZNIPtJl9X31RlMEgFOAg
debug(pam_u2f): util.c:156 (get_devices_from_authfile): publicKey for device number 2: 04acd50d7231c61ed4ae560e92e9362a6fa8fa0ae3a837508949b2f60fda2a940336b6e3267b1230f3f5077ff1fdba8ba6765ae30ec6dcd0cbd589d03b630892d2
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user mfrancois
debug(pam_u2f): pam-u2f.c:340 (pam_sm_authenticate): Using file '/var/run/user/0/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
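
A triage sketch for a debug log like the one above, added here as an example and not part of the original post or of pam-u2f: it splits a `debug_file` into authentication attempts and flags those where the authfile was parsed but device discovery failed. The sample log is constructed, and `triage`, `_new` and the `device-discovery` label are names chosen for this example.

```python
import re

# Constructed sample in the pam_u2f debug format shown in the post ("alice" is a
# placeholder). Like the posted log, it starts in the middle of an attempt.
SAMPLE_LOG = """\
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user alice
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
debug(pam_u2f): pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user alice
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user alice
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
"""

LINE = re.compile(r"^debug\(pam_u2f\): \S+:\d+ \((\w+)\): (.*)$")

def _new(complete):
    return {"complete": complete, "user": None, "devices": None,
            "discovery_failed": False, "result": None, "stage": "unclassified"}

def triage(log_text):
    """Split a pam_u2f debug log into attempts and flag where each one stopped."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        func, msg = m.groups()
        starts = func == "parse_cfg" and msg == "called."
        if starts or cur is None:
            # parse_cfg opens each invocation; anything else here is a log tail
            cur = _new(starts)
            attempts.append(cur)
        if (d := re.match(r"Found (\d+) device\(s\) for user (\S+)", msg)):
            cur["devices"], cur["user"] = int(d.group(1)), d.group(2)
        elif msg.startswith("Unable to discover device(s)"):
            cur["discovery_failed"] = True
        elif (r := re.match(r"done\. \[(.*)\]$", msg)):
            cur["result"] = r.group(1)
            if cur["discovery_failed"] and cur["devices"]:
                # Mapping file was read; the module could not reach any token
                cur["stage"] = "device-discovery"
            cur = None
    return attempts

if __name__ == "__main__":
    for n, attempt in enumerate(triage(SAMPLE_LOG), 1):
        print(n, attempt)
```

An attempt marked `device-discovery` had its key mapping read correctly, so the thing to examine is the module's access to the token rather than the keys file.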

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

TLDR; HEAD works on Mojave!

OK I ran into the same issue on Mojave (See also #128) with the latest release of pam-u2f: my keys (Yubikey U2F) working fine with pamu2fcfg, but then failing to work with the actual pam module (I’m testing with sudo).

I just built pam-u2f HEAD the following way:

Make sure the old version is no longer lying around:

brew uninstall pam-u2f

Install libcbor (dependency) from a submitted Homebrew formula which got rejected (?):

brew install https://raw.githubusercontent.com/Homebrew/homebrew-core/02ca54688cf404d5e268370629ab183f6eb8fb47/Formula/libcbor.rb

Install libfido2 (dependency) from a submitted Homebrew formula which got rejected as well (?):

brew install https://raw.githubusercontent.com/gvarisco/homebrew-core/patch-2/Formula/libfido2.rb

Build the pam module (you may need some build dependencies):

git clone https://github.com/Yubico/pam-u2f.git
cd pam-u2f
autoreconf --install
export PKG_CONFIG_PATH=/usr/local/opt/openssl@1.1/lib/pkgconfig
./configure --with-pam-dir=/usr/local/lib/pam/
make
make install

Then rebuild the keys file using the new version of pamu2fcfg as usual, and set up the pam config to point to the new module in /usr/local/lib/pam/ and that should just work.