pam-u2f: `sudo` auth does not work when requiring PIN
`/etc/pam.d/sudo` contains:

```
auth sufficient pam_u2f.so cue
```

Run the command below:

```
$ pamu2fcfg -umaximbaz > ~/.config/Yubico/u2f_keys
```

Then `sudo -s` works as expected: it prints "Please touch the device.", I touch it and I get sudo access.

Now do the same, but require PIN:

```
$ pamu2fcfg -umaximbaz -N > ~/.config/Yubico/u2f_keys
```

Running `sudo -s`:

- First it asks "Please enter the PIN:", I enter it.
- Then the message "Please touch the device." appears.
- Instantly the YubiKey stops flashing and I get the next message: `[sudo] password for maximbaz:`

In `journalctl` I see this:

```
sudo[1235117]: pam_unix(sudo:auth): conversation failed
kernel: audit: type=1100 audit(1583694800.396:4001): pid=1235117 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=? acct="maximbaz" exe="/usr/bin/sudo" hostname=? addr=? >
audit[1235117]: USER_AUTH pid=1235117 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=? acct="maximbaz" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/7 res=fai>
sudo[1235117]: pam_unix(sudo:auth): auth could not identify password for [maximbaz]
```
I'm on Arch Linux, latest master (https://github.com/Yubico/pam-u2f/commit/89412d932a24617ba6bb776988805dfbe663f795), YubiKey 5 Nano.
Let me know if I can help with something, happy to help investigating.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 19 (10 by maintainers)
Thanks for the report, acknowledged. I’ll look into it as soon as I have some time.
Ah, I see. Yes, you can still use pam-u2f, but only FIDO2 supports PIN. That should maybe be handled more gracefully.

`cue` is just something that makes the message "Please touch the device." appear when you run any `sudo` command. I've just tested, the issue is reproducible even without that parameter.

I'm using AUR/pam_u2f-git, waiting on #140 to update the community package 🙂
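A practical check that follows from the thread, added here as an example rather than code from the issue or from the pam-u2f project: the maintainer's point is that a PIN can only be honoured for FIDO2 credentials, and the log in the report shows what a pam_u2f failure looks like behind `auth sufficient` (the stack falls through to `pam_unix`, which is why the password prompt appears). Before blaming the device, it is worth confirming what actually got written to `u2f_keys`. The script below reads a `u2f_keys` file and reports, per registered credential, whether it is a FIDO2 entry with the `+pin` option, a FIDO2 entry without it, or a legacy U2F-only entry that has no options field at all. The line format is taken from pam-u2f's documented `username:keyhandle,publickey,cosetype,options[:...]` layout for the 1.1.x series and is treated as an assumption for other versions; the sample file and the function names are constructed for this example, and the key handles and public keys in it are placeholders.

```shell
#!/bin/sh
# Added example, not pam-u2f project code: inspect a pam-u2f u2f_keys file and
# report, per registered credential, whether it carries the "+pin" option.
#
# Assumed line format (pam-u2f's documented format for the 1.1.x series; treat
# it as an assumption for other versions):
#   username:keyhandle,publickey,cosetype,options[:keyhandle,publickey,...]
# Legacy U2F-only registrations have only "keyhandle,publickey" per entry and
# therefore no options field, so a PIN can never be requested for them.

# Constructed sample file. The key handles and public keys are placeholders,
# not real registrations.
make_sample_keys() {
  cat <<'EOF'
# comment lines and blank lines are skipped

maximbaz:KH1placeholder,PK1placeholder,es256,+presence:KH2placeholder,PK2placeholder,es256,+presence+pin
olduser:KH3placeholder,PK3placeholder
EOF
}

# Reads u2f_keys lines on stdin and prints one line per credential:
#   <user> <index> <status>
# where status is "pin" (FIDO2 entry with +pin), "no-pin" (FIDO2 entry
# without +pin) or "u2f-only" (legacy entry with no options field).
credential_pin_status() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    user=${line%%:*}
    rest=${line#*:}
    # key entries are ':'-separated; fields inside an entry are ','-separated
    printf '%s\n' "$rest" | tr ':' '\n' | {
      n=0
      while IFS= read -r entry; do
        n=$((n + 1))
        case "$entry" in
          *,*,*,*)
            # four fields: keyhandle,publickey,cosetype,options (FIDO2 entry)
            opts=${entry##*,}
            case "$opts" in
              *+pin*) status=pin ;;
              *)      status=no-pin ;;
            esac ;;
          *) status=u2f-only ;;
        esac
        printf '%s %d %s\n' "$user" "$n" "$status"
      done
    }
  done
}

# Convenience wrapper: number of credentials on stdin that require a PIN.
count_pin_credentials() {
  credential_pin_status | grep -c ' pin$' || true
}

# Demo on the constructed sample; for a real file use:
#   credential_pin_status < ~/.config/Yubico/u2f_keys
make_sample_keys | credential_pin_status
```

If every entry for your user comes back as `u2f-only`, the file was generated without FIDO2 options and `-N` had nothing to attach a PIN to; if an entry shows `pin` and `sudo` still falls through to the password prompt, the failure is in the PIN/touch exchange itself, and the `auth sufficient` line is what turns that failure into the `pam_unix` prompt seen in the report.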