pam-u2f: MacOS Mojave : Unable to discover device(s), cannot find U2F device
Hi, I have an issue using U2F with a Google Titan key. I am on MacOS 10.14.5 (18F132) Mojave. Here is my installation:
# Install PAM U2F Module
brew install pam-u2f
# Generate a new authorization mapping file
mkdir -p ~/.config/u2f
# >>> Insert U2F Token
pamu2fcfg > ~/.config/u2f/keys
# >>> Press button on U2F token
# >>> Remove token
# >>> Insert second U2F token
pamu2fcfg -n >> ~/.config/u2f/keys
# >>> Press button on second U2F token
# >>> Remove token
# Edit PAM configuration files
sudo nano /etc/pam.d/screensaver
### Add a line with:
auth sufficient /usr/local/opt/pam-u2f/lib/pam/pam_u2f.so debug debug_file=/Users/mfrancois/.config/u2f/debug.log authfile=/Users/mfrancois/.config/u2f/keys
sudo nano /etc/pam.d/authorization
### Add a line with:
auth sufficient /usr/local/opt/pam-u2f/lib/pam/pam_u2f.so debug debug_file=/Users/mfrancois/.config/u2f/debug.log authfile=/Users/mfrancois/.config/u2f/keys
I ran some tests with
u2f-server -aregister -ohttp://demo.yubico.com -i http://demo.yubico.com -k keyhandle.dat -p userkey.dat
I pasted the JSON result into
u2f-host -aregister -o http://demo.yubico.com
I pasted the JSON result into the previous one and I got "Registration successful". I tested the key on the demo website and that works well too.
But when I try to use it for Mac authentication, the debug log tells me: Unable to discover device(s), cannot find U2F device
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user mfrancois
debug(pam_u2f): pam-u2f.c:340 (pam_sm_authenticate): Using file '/var/run/user/0/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
debug(pam_u2f): pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): pam-u2f.c:100 (parse_cfg): flags 0 argc 3
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): argv[0]=debug
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): argv[1]=debug_file=/Users/mfrancois/.config/u2f/debug.log
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): argv[2]=authfile=/Users/mfrancois/.config/u2f/keys
debug(pam_u2f): pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): pam-u2f.c:113 (parse_cfg): authfile=/Users/mfrancois/.config/u2f/keys
debug(pam_u2f): pam-u2f.c:114 (parse_cfg): authpending_file=(null)
debug(pam_u2f): pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://mbp-de-maxime-2.lan"
debug(pam_u2f): pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://mbp-de-maxime-2.lan)
debug(pam_u2f): pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user mfrancois
debug(pam_u2f): pam-u2f.c:221 (pam_sm_authenticate): Found user mfrancois
debug(pam_u2f): pam-u2f.c:222 (pam_sm_authenticate): Home directory for mfrancois is /Users/mfrancois
debug(pam_u2f): pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /Users/mfrancois/.config/u2f/keys
debug(pam_u2f): util.c:105 (get_devices_from_authfile): Authorization line: mfrancois:H43INPz6_XLBOHKqD0vyIGNxIeUX--mjWNCgMCJtZpatpW9pCbEtJ7hjtYoe_yRacYRriqd_y0s-YsQDuSOmxw,0442ddb92f941cf73ca3851d535ed70126d051edc51aa899345179671c0a09d70e98bab62b8f4da5be78abe4ea3af766194f0df4e5c0479ac6138c8d8cd80402b2:aBGhbYSZv6eqeIAYs4gjhYAEj2R_dMbdH2yN5eHuVpzFFSEjOivpqhLPNbXKgYobI-ZNIPtJl9X31RlMEgFOAg,04acd50d7231c61ed4ae560e92e9362a6fa8fa0ae3a837508949b2f60fda2a940336b6e3267b1230f3f5077ff1fdba8ba6765ae30ec6dcd0cbd589d03b630892d2
debug(pam_u2f): util.c:110 (get_devices_from_authfile): Matched user: mfrancois
debug(pam_u2f): util.c:137 (get_devices_from_authfile): KeyHandle for device number 1: H43INPz6_XLBOHKqD0vyIGNxIeUX--mjWNCgMCJtZpatpW9pCbEtJ7hjtYoe_yRacYRriqd_y0s-YsQDuSOmxw
debug(pam_u2f): util.c:156 (get_devices_from_authfile): publicKey for device number 1: 0442ddb92f941cf73ca3851d535ed70126d051edc51aa899345179671c0a09d70e98bab62b8f4da5be78abe4ea3af766194f0df4e5c0479ac6138c8d8cd80402b2
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): util.c:137 (get_devices_from_authfile): KeyHandle for device number 2: aBGhbYSZv6eqeIAYs4gjhYAEj2R_dMbdH2yN5eHuVpzFFSEjOivpqhLPNbXKgYobI-ZNIPtJl9X31RlMEgFOAg
debug(pam_u2f): util.c:156 (get_devices_from_authfile): publicKey for device number 2: 04acd50d7231c61ed4ae560e92e9362a6fa8fa0ae3a837508949b2f60fda2a940336b6e3267b1230f3f5077ff1fdba8ba6765ae30ec6dcd0cbd589d03b630892d2
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user mfrancois
debug(pam_u2f): pam-u2f.c:340 (pam_sm_authenticate): Using file '/var/run/user/0/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
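Added example, not part of the original issue or of the pam-u2f project: a Python triage of the debug log format shown above. It splits the log into authentication attempts and flags the case seen here, where the authfile yields registered devices but no token is discovered. The sample is a constructed, shortened copy of the log with key material omitted, and `triage` is a hypothetical helper name.

```python
import re

# Line shape from the log above: debug(pam_u2f): <file>:<line> (<function>): <message>
LINE = re.compile(r"^debug\(pam_u2f\): \S+:\d+ \((\w+)\): (.*)$")

# Constructed sample: shortened copy of the log above, key material omitted.
SAMPLE = """\
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user mfrancois
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
debug(pam_u2f): pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): util.c:194 (get_devices_from_authfile): Found 2 device(s) for user mfrancois
debug(pam_u2f): util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:410 (pam_sm_authenticate): done. [authentication error]
"""

def triage(log_text):
    """Return one summary dict per authentication attempt found in the log."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_u2f debug line
        func, msg = m.groups()
        starts = func == "parse_cfg" and msg == "called."
        if cur is None or starts:
            # A log can begin mid-attempt (as above); mark that one partial.
            cur = {"partial": not starts, "devices": 0, "key_lengths": [],
                   "no_device": False, "rc": None, "result": None}
            attempts.append(cur)
        if found := re.match(r"Found (\d+) device\(s\) for user", msg):
            cur["devices"] = int(found.group(1))
        elif klen := re.match(r"Length of key number \d+ is (\d+)", msg):
            cur["key_lengths"].append(int(klen.group(1)))
        elif msg.startswith("Unable to discover device(s)"):
            cur["no_device"] = True
        elif rc := re.match(r"do_authentication returned (-?\d+)", msg):
            cur["rc"] = int(rc.group(1))
        elif done := re.match(r"done\. \[(.*)\]", msg):
            cur["result"] = done.group(1)
    for a in attempts:
        # Registered keys were read, yet no token was reachable at auth time.
        a["authfile_ok_device_missing"] = a["devices"] > 0 and a["no_device"]
    return attempts
```

When `authfile_ok_device_missing` is true for an attempt, the keys file was parsed correctly and the failure lies in device discovery by the PAM module, which matches the symptom reported in this issue.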
About this issue
- State: closed
- Created 5 years ago
- Comments: 15 (7 by maintainers)
TLDR; HEAD works on Mojave!
OK I ran into the same issue on Mojave (See also #128) with the latest release of pam-u2f: my keys (Yubikey U2F) working fine with pamu2fcfg, but then failing to work with the actual pam module (I’m testing with sudo).
I just built pam-u2f HEAD the following way:
Make sure the old version is no longer lying around:
Install libcbor (dependency) from a submitted Homebrew formula which got rejected (?):
Install libfido2 (dependency) from a submitted Homebrew formula which got rejected as well (?):
Build the pam module (you may need some build dependencies):
Then rebuild the keys file using the new version of pamu2fcfg as usual, and set up the pam config to point to the new module in /usr/local/lib/pam/ and that should just work.