yubico / pam-u2f

Pluggable Authentication Module (PAM) for U2F and FIDO2

Home Page: https://developers.yubico.com/pam-u2f/

License: BSD 2-Clause "Simplified" License

Shell 3.44% C 68.91% Makefile 2.26% M4 23.02% Dockerfile 0.22% Python 2.15%
fido2 pam-module u2f yubikey

pam-u2f's People

Contributors

a-dma, alexgeana, andrewkozlik, astraluma, bramvd, catskul, corbolais, dlo, eumpf0, fgervais, herrjemand, jouyouyun, ldvg, loshz, marissanishimoto, martelletto, martinbrugnara, maximbaz, michaelbeaumont, minisu, nbraud, perceival, phoeagon, reiner030, rudis, sgn, soapgentoo, thorduri, zoulasc

pam-u2f's Issues

PAM config profile

pam-u2f should have a file inside /usr/share/pam-configs/ so it will be possible to use the command "sudo pam-auth-update". Most PAM modules have a file there.

appid to default to origin?

This one confused me a lot.

  • Using pamu2fcfg -o https://example.com -u brian >kkk, things didn't work
  • Using pamu2fcfg -o https://example.com -i https://example.com -u brian >kkk then everything worked

I think what's happening is the -i (appid) flag is still defaulting to pam://<hostname> even if you specify a different origin.

This is inconsistent with the behaviour of the pam-u2f module itself, where if you specify only the origin, the appid defaults to the origin.

So I think it would be better if pamu2fcfg worked the same way: specifying -o without -i should set both origin and appid to the given value.

Login for account without key set up

Setting nouserok as an option in PAM configuration doesn't work if the file for the user is missing or empty. It only works if there are entries for other users in it.

If you enable pam_u2f in one of the common-* PAM configs and it's included by something that runs under its own account (e.g. gdm), this can cause problems.
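To make the expected semantics of nouserok concrete, here is a reference model of the authfile lookup and the resulting decision. It is an added example, not pam-u2f's own code: the line format user:keyhandle,publickey[:keyhandle,publickey...] and the 65-byte public key follow the "Authorization line" and "Length of key number 1 is 65" debug lines further down this page, the first line of that output is reused as sample input, the other lines are constructed, and the outcome names ("authenticate", "skip", "deny") are hypothetical labels rather than PAM return codes.

```python
"""Reference model of a pam-u2f style authfile lookup and the nouserok
decision (added illustration, not pam-u2f's code). Format assumed:
user:keyhandle,publickey[:keyhandle,publickey...] with base64url key
handles and hex-encoded 65-byte uncompressed P-256 public keys."""

import base64
import binascii
from typing import Dict, List, Optional, Tuple

Device = Tuple[str, bytes]   # (key handle as stored, decoded public key)

def _check_keyhandle(kh: str) -> str:
    """Key handles are base64url without padding; anything else is rejected."""
    if not kh:
        raise ValueError("empty key handle")
    try:
        base64.b64decode(kh + "=" * (-len(kh) % 4), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key handle is not base64url: {kh!r}") from exc
    return kh

def _decode_pubkey(hexstr: str) -> bytes:
    """Registration public keys are uncompressed EC points: 0x04 || X || Y."""
    try:
        key = bytes.fromhex(hexstr)
    except ValueError as exc:
        raise ValueError("public key is not hex") from exc
    if len(key) != 65 or key[0] != 0x04:
        raise ValueError("public key must be a 65-byte uncompressed EC point")
    return key

def parse_authfile(text: str) -> Dict[str, List[Device]]:
    """Map users to registered devices. Blank and '#' lines are skipped; the
    first line naming a user wins (assumption); malformed entries raise."""
    users: Dict[str, List[Device]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *entries = line.split(":")
        if not user:
            raise ValueError(f"line {lineno}: empty user name")
        devices: List[Device] = []
        for entry in entries:
            if not entry:          # tolerate a trailing ':'
                continue
            parts = entry.split(",")
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: expected keyhandle,publickey")
            devices.append((_check_keyhandle(parts[0]), _decode_pubkey(parts[1])))
        users.setdefault(user, devices)
    return users

def decide(authfile_text: Optional[str], user: str, nouserok: bool) -> str:
    """'authenticate' if the user has at least one device. Otherwise 'skip'
    when nouserok is set: a missing file (None), an empty or malformed file
    and a file listing only other users are all that same case. Without
    nouserok the answer is 'deny'."""
    devices: List[Device] = []
    if authfile_text is not None:
        try:
            devices = parse_authfile(authfile_text).get(user, [])
        except ValueError:
            devices = []
    if devices:
        return "authenticate"
    return "skip" if nouserok else "deny"

SAMPLE_AUTHFILE = (
    # first line copied from the 'Authorization line' debug output on this page
    "smiller:AKyp1zw9XB7pCU03aKbSyNekjzX0Eeh1C7KY3v9eEXtR4poT7mHoioq8hp21ckzqxi4zF1Di7vXGSFw9zDlKVA,"
    "046f2691aaabc25e65e35130dbcaa42d532fa2ae1f9b6310a259143680d1376686dfb91506da83802325f82c15ec5f5799641c94f3cb63b621bcd68a33063eecb1\n"
    # constructed lines: a comment and a user with two format-valid dummy keys
    "# comment\n"
    "alice:QUJD,04" + "11" * 64 + ":REVG,04" + "22" * 64 + "\n"
)

def decision_table(user: str) -> Dict[str, Tuple[str, str]]:
    """Outcome for the file states the report above compares,
    as (without nouserok, with nouserok)."""
    states = {"file missing": None, "file empty": "",
              "other users only": "alice:QUJD,04" + "11" * 64 + "\n",
              "user present": SAMPLE_AUTHFILE}
    return {name: (decide(text, user, False), decide(text, user, True))
            for name, text in states.items()}

if __name__ == "__main__":
    for state, (strict, relaxed) in decision_table("smiller").items():
        print(f"{state:18} nouserok off: {strict:13} nouserok on: {relaxed}")
```

A missing file, an empty file and a file that lists only other users all reach the same branch, which is what the report above expects. The flip side for a defender: with nouserok, any account whose keys are absent from the file skips the second factor, so the authfile should live where the user cannot edit it (the authfile option pointing at a root-owned path), and nouserok is best reserved for stacks that service accounts must be able to pass.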

[Question] Detecting that Yubikey is waiting for a touch via an external script

I have YubiKey 4 Nano and the blinking light is not always visible, so I often find myself missing a time window to touch Yubikey when there is a prompt "Please touch the device". This happens for example when I begin some long-running task that will finish with a sudo command (e.g. build and install an app).

I'd like to write an external script that could somehow check every second if there is a pending sudo command that is waiting with "Please touch the device" message. Could you please give me any hints on how to achieve this? Maybe there is a temporary file created that I could watch, or maybe I could patch the pam-u2f somehow for this purpose?

I already managed to write such script that captures if YubiKey is waiting for a touch for a gpg command, now I only need to detect pending touch for a sudo command and that will make me completely happy 🙂

Add tool to write ~/.yubico/u2f_keys data

It would link to both u2f-server and u2f-host and run through the registration phase for a particular key, outputting the publickey+keyhandle to put in the file. It should use the pam://$HOST appid/facetid.

randomly stopped working on OSX

I got PAM working on my Mac a few days ago, but today at work I noticed it's randomly stopped working. Debug output below:

sh-3.2# su smiller
debug: pam-u2f.c:64 (parse_cfg): called.
debug: pam-u2f.c:65 (parse_cfg): flags 0 argc 1
debug: pam-u2f.c:67 (parse_cfg): argv[0]=debug
debug: pam-u2f.c:68 (parse_cfg): max_devices=0
debug: pam-u2f.c:69 (parse_cfg): debug=1
debug: pam-u2f.c:70 (parse_cfg): interactive=0
debug: pam-u2f.c:71 (parse_cfg): cue=0
debug: pam-u2f.c:72 (parse_cfg): manual=0
debug: pam-u2f.c:73 (parse_cfg): nouserok=0
debug: pam-u2f.c:74 (parse_cfg): alwaysok=0
debug: pam-u2f.c:75 (parse_cfg): authfile=(null)
debug: pam-u2f.c:76 (parse_cfg): origin=(null)
debug: pam-u2f.c:77 (parse_cfg): appid=(null)
debug: pam-u2f.c:119 (pam_sm_authenticate): Origin not specified, using "pam://Scotts-MBP-2"
debug: pam-u2f.c:130 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://Scotts-MBP-2)
debug: pam-u2f.c:140 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug: pam-u2f.c:158 (pam_sm_authenticate): Requesting authentication for user smiller
debug: pam-u2f.c:169 (pam_sm_authenticate): Found user smiller
debug: pam-u2f.c:170 (pam_sm_authenticate): Home directory for smiller is /Users/smiller
debug: pam-u2f.c:177 (pam_sm_authenticate): Variable XDG_CONFIG_HOME is not set. Using default value ($HOME/.config/)
debug: pam-u2f.c:209 (pam_sm_authenticate): Using default authentication file /Users/smiller/.config/Yubico/u2f_keys
debug: util.c:107 (get_devices_from_authfile): Authorization line: smiller:AKyp1zw9XB7pCU03aKbSyNekjzX0Eeh1C7KY3v9eEXtR4poT7mHoioq8hp21ckzqxi4zF1Di7vXGSFw9zDlKVA,046f2691aaabc25e65e35130dbcaa42d532fa2ae1f9b6310a259143680d1376686dfb91506da83802325f82c15ec5f5799641c94f3cb63b621bcd68a33063eecb1
debug: util.c:112 (get_devices_from_authfile): Matched user: smiller
debug: util.c:130 (get_devices_from_authfile): KeyHandle for device number 1: AKyp1zw9XB7pCU03aKbSyNekjzX0Eeh1C7KY3v9eEXtR4poT7mHoioq8hp21ckzqxi4zF1Di7vXGSFw9zDlKVA
debug: util.c:157 (get_devices_from_authfile): publicKey for device number 1: 046f2691aaabc25e65e35130dbcaa42d532fa2ae1f9b6310a259143680d1376686dfb91506da83802325f82c15ec5f5799641c94f3cb63b621bcd68a33063eecb1
debug: util.c:172 (get_devices_from_authfile): Length of key number 1 is 65
debug: util.c:200 (get_devices_from_authfile): Found 1 device(s) for user smiller
debug: util.c:262 (do_authentication): Device max index is 0
debug: util.c:288 (do_authentication): Attempting authentication with device number 1
debug: util.c:310 (do_authentication): Challenge: { "keyHandle": "AKyp1zw9XB7pCU03aKbSyNekjzX0Eeh1C7KY3v9eEXtR4poT7mHoioq8hp21ckzqxi4zF1Di7vXGSFw9zDlKVA", "version": "U2F_V2", "challenge": "IEMNMAlXKY3DTyk_iru5InxI2s4Pi77rDGZg8SKVro0", "appId": "pam:\/\/Scotts-MBP-2" }
debug: util.c:328 (do_authentication): Unable to communicate to the device, authenticator error
debug: pam-u2f.c:256 (pam_sm_authenticate): do_authentication returned -2
debug: pam-u2f.c:275 (pam_sm_authenticate): done. [authentication error]

pamu2fcfg doesn't support test devices

Hey -- I'm running Ubuntu 15.10 & trying to experiment with pam-u2f. I'm using a test key (provided by Google during the FIDO/U2F Chrome extension development).

This key isn't detected by pamu2fcfg -- but a blue u2f key is detected OK.

I've installed pamu2fcfg:

$ apt-cache policy pamu2fcfg
pamu2fcfg:
  Installed: 1.0.1-1
  Candidate: 1.0.1-1

It doesn't detect this U2F device:

$ pamu2fcfg
(Shows the usual "No U2F device available, please insert one now, you have 15 seconds...")
No device found. Aborting.

There's nothing printed to debug, and the device isn't detected regardless of what I do to it (plugged in before/during pamu2fcfg, tapping the device, etc.)

The device shows up in dmesg:

[17647.111215] usb 2-1.7: new full-speed USB device number 13 using ehci-pci
[17647.205905] usb 2-1.7: New USB device found, idVendor=1050, idProduct=0211
[17647.205915] usb 2-1.7: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[17647.205920] usb 2-1.7: Product: Yubico WinUSB Gnubby (gnubby1)
[17647.205924] usb 2-1.7: Manufacturer: Yubico

And it's set up in a udev rule:

ACTION!="add|change", GOTO="fido_end"

ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0211|0401|0403|0405|0407|0410", ENV{ID_SECURITY_TOKEN}="1"

LABEL="fido_end"

And it's working great in Chrome both as a Google 2-Step "Security Key" -- and with the demo server (https://demo.yubico.com/u2f).

64bit rpms for fedora 22

Hi pam_u2f team,
I've built rpms for pam_u2f, libu2f-host, and libu2f-server. Is there somewhere I could post these so they can be made available to everyone?

Also,
Is there any way to get u2f working over ssh? As in add pam_u2f to the sshd pam config and respond to the challenge from my local laptop? I saw that a patch went into open ssl to support this. I've tried but with no luck.

Current master fails to build on MacOS Sierra

Plus compiler warning that should be addressed...

configure: Summary of build options:

  Version:             1.0.5
  Host type:           x86_64-apple-darwin16.3.0
  Install prefix:      /usr/local
  Compiler:            clang
  Library types:       Shared=yes, Static=no
  LIBU2FHOST CFLAGS:   -I/usr/local/include/u2f-host
  LIBU2FHOST LIBS:     -L/usr/local/lib -lu2f-host
  LIBU2FSERVER CFLAGS: -I/usr/local/include/u2f-server
  LIBU2FSERVER LIBS:   -L/usr/local/lib -lu2f-server
  PAMDIR:              /lib/x86_64-linux-gnu/security

$ !ma
make clean && make -j 4 all && make check
Making clean in .
test -z "pam_u2f.la" || rm -f pam_u2f.la
rm -f ./so_locations
rm -rf .libs _libs
rm -f *.o
rm -f *.lo
Making clean in pamu2fcfg
 rm -f pamu2fcfg
rm -rf .libs _libs
rm -f *.o
rm -f *.lo
Making clean in tests
 rm -f basic
rm -rf .libs _libs
rm -f *.o
test -z "basic.log" || rm -f basic.log
test -z "basic.trs" || rm -f basic.trs
test -z "test-suite.log" || rm -f test-suite.log
rm -f *.lo
Making all in .
  CC       pam-u2f.lo
/bin/sh /Users/uri/src/pam-u2f/build-aux/missing a2x --format=manpage -L -a revdate="Version 1.0.5" man/pam_u2f.8.txt
  CC       util.lo
util.c:45:5: warning: implicit declaration of function 'close' is invalid in C99
      [-Wimplicit-function-declaration]
    close(fd);
    ^
util.c:172:54: warning: format specifies type 'int' but the argument has type 'size_t' (aka 'unsigned long')
      [-Wformat]
          D(("Length of key number %d is %d", i + 1, devices[i].key_len));
                                         ~~          ^~~~~~~~~~~~~~~~~~
                                         %zu
./util.h:28:12: note: expanded from macro 'D'
    printf x;                                                         \
           ^
util.c:483:12: warning: initializing 'char *' with an expression of type 'const char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
    .msg = prompt
           ^~~~~~
3 warnings generated.
  CCLD     pam_u2f.la
clang: warning: argument unused during compilation: '-pthread'
Making all in pamu2fcfg
gengetopt --no-handle-help --input cmdline.ggo Makefile.am
gengetopt --no-handle-help --input cmdline.ggo Makefile.am
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
/bin/sh /Users/uri/src/pam-u2f/build-aux/missing a2x --format=manpage -L -a revdate="Version 1.0.5" ../man/pamu2fcfg.1.txt
  CC       pamu2fcfg.o
  CC       cmdline.o
pamu2fcfg.c:120:47: warning: implicit conversion from enumeration type 'u2fs_initflags' to different
      enumeration type 'u2fh_initflags' [-Wenum-conversion]
  if (u2fh_global_init(args_info.debug_flag ? U2FS_DEBUG : 0) != U2FH_OK
      ~~~~~~~~~~~~~~~~                        ^~~~~~~~~~
1 warning generated.
  CCLD     pamu2fcfg
clang: warning: argument unused during compilation: '-pthread'
Making all in tests
make[1]: Nothing to be done for `all'.
Making check in .
make[1]: Nothing to be done for `check-am'.
Making check in pamu2fcfg
/Applications/Xcode.app/Contents/Developer/usr/bin/make  check-am
make[2]: Nothing to be done for `check-am'.
Making check in tests
/Applications/Xcode.app/Contents/Developer/usr/bin/make  basic
  CC       basic.o
  CCLD     basic
libtool: warning: '-no-install' is ignored for x86_64-apple-darwin16.3.0
libtool: warning: assuming '-no-fast-install' instead

*** Warning: Linking the executable basic against the loadable module
*** pam_u2f.so is not portable!
*** Warning: lib pam_u2f.so is a module, not a shared library

*** And there doesn't seem to be a static archive available
*** The link will probably fail, sorry
clang: warning: argument unused during compilation: '-pthread'
ld: can't link with bundle (MH_BUNDLE) only dylibs (MH_DYLIB) file '../.libs/pam_u2f.so' for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [basic] Error 1
make[1]: *** [check-am] Error 2
make: *** [check-recursive] Error 1
$ 

A plea-

Not so much an "issue" but a plea from those of us who are NOT gifted systems engineers but have a NEED for a tool such as this.

Could some gifted person not knock up an executable or even a basic GUI interface? Or even a "Step 1 - Step 2" instructions-for-dummies note. I appreciate you value your free time - so do I - but I suspect use would be more widespread if it were easier to use.

I would LOVE to implement pam-u2f to use the yubikeys I have to block access to Linux PCs. I'm new to Linux and whilst I have some fairly good IT skills they are MAINFRAME skills.

I am going to write to the MINT admin guys to see if they can somehow assist too.

My thanks for your attention. Chris

No u2f-host found?!

Hi,
I'm following this instruction to install pam-u2f:
https://developers.yubico.com/pam-u2f/

I also manually installed pkg-config, as mentioned in one of the closed issues.

u2f-host is also installed through apt-get, since I've added the ppa source.

But the ./configure always complains "No package 'u2f-host' found". I'm sure it's installed correctly (/usr/bin/u2f-host). Could you please help? Thanks

Documentation is unclear on applicability

The documentation is very unclear as to what use cases this module supports.

I am guessing the pam U2F module only works for token authentication on the local host - that is, it talks directly to the U2F token using the local USB controller. Is that true?

But could you use this to authenticate an SSH session to a remote host? If so, how does it work?

Presumably at the server side the PAM module could send challenge/response messages to the client, but how would the ssh client talk to the U2F device at the client side? Is the user required to paste challenge/response messages into some companion tool?

The page at https://www.yubico.com/applications/computer-login/linux/ makes this even less clear. There it talks about using one time passwords (that's fine - I am happy with how the original Yubikey OTP works), and yet this page has a link to the PAM U2F module!

Unable to discover device under Mac OS El Capitan

On Mac OS El Capitan (10.11.6), we'll get the following debug message:

debug: pam-u2f.c:209 (pam_sm_authenticate): Using default authentication file /Users/john/.config/Yubico/u2f_keys
debug: util.c:107 (get_devices_from_authfile): Authorization line: john:
debug: util.c:112 (get_devices_from_authfile): Matched user: john
debug: util.c:130 (get_devices_from_authfile): KeyHandle for device number 1:
debug: util.c:157 (get_devices_from_authfile): publicKey for device number 1:
debug: util.c:172 (get_devices_from_authfile): Length of key number 1 is 65
debug: util.c:200 (get_devices_from_authfile): Found 1 device(s) for user john
debug: util.c:252 (do_authentication): Unable to discover device(s), cannot find U2F device
debug: pam-u2f.c:256 (pam_sm_authenticate): do_authentication returned -2

Obviously, the user was found, but after that the device could not be found. Moving the authfile to /etc did not solve the problem.

The /etc/pam.d/su:

auth required /usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so debug
auth sufficient pam_rootok.so
auth required pam_opendirectory.so
account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so

When using pam-u2f in /etc/pam.d/screensaver we also often see the problem that we have to authenticate several times before it works, and after that the system seems to be in a state like after a reboot (all previously opened programs restart).

./configure fails

Trying to build from the git release tarball, and the configure script fails with the following:

...
checking for security/pam_modules.h... yes
checking for security/_pam_macros.h... yes
checking for security/pam_modutil.h... yes
checking for pam_start in -lpam... yes
./configure: line 12047: syntax error near unexpected token `LIBU2FHOST,'
./configure: line 12047: `PKG_CHECK_MODULES(LIBU2FHOST, u2f-host, , )'

Not sure if I'm missing a library or not.

EDIT: I'm on Debian Jessie, 64-bit.

Always getting "error: (-2) Error in JSON handling"

I have this key:
http://www.amazon.es/dp/B00OGPO3ZS/ref=sr_ph?ie=UTF8&qid=1421490850&sr=1&keywords=u2f

I get the same whatever I do. This is the output for "pamu2fcfg -n -d"

USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
USB read rc read 64
USB recv: 51e9e73083027a05040102007cba6404597848cd59d42045e38b74c263d2dccf40d34e152864066773a845a30c997d85fedcf46eaef6f958469d370d795cf8d7
No U2F device available, please insert one now, you have 15 secondsUSB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
USB read rc read 64
USB recv: 51e9e73000788f8ce179b7589acb40298fa9a6cccf7daaf190be6f850b4071d7cab201c676353f4ced2b938ffecf9c9e275be167fcaba8325c5eaf5f6f3ee715
No U2F device available, please insert one now, you have 14 secondsUSB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
USB read rc read 64
USB recv: ffffffff860011080706050403020126a4583b020106070000000000000000000000000000000000000000000000000000000000000000000000000000000000
device /dev/hidraw2 discovered as 'Plug-up'
  version (Interface, Major, Minor, Build): 2, 1, 6, 0  capFlags: 0

Device found!
JSON: { "challenge": "G3-SIaOxt2KuE_T7Jv0xiP0XP-J-dIKLBPtUuPxCrGg", "version": "U2F_V2", "appId": "pam:\/\/turbi" }
JSON challenge URL-B64: G3-SIaOxt2KuE_T7Jv0xiP0XP-J-dIKLBPtUuPxCrGg
client data: { "challenge": "G3-SIaOxt2KuE_T7Jv0xiP0XP-J-dIKLBPtUuPxCrGg", "origin": "pam:\/\/turbi", "typ": "navigator.id.finishEnrollment" }
JSON: { "challenge": "G3-SIaOxt2KuE_T7Jv0xiP0XP-J-dIKLBPtUuPxCrGg", "version": "U2F_V2", "appId": "pam:\/\/turbi" }
JSON app_id pam://turbi
USB send: 0026a4583b830047000103000000403ac910592dee9d0bf269752b99279213130e7c42ffd6fea8397939f1a17df9fe036fe62a55eff8a72006dcc696d46289b3
USB write returned 65
USB send: 0026a4583b006e37d295e4d257c3cbfce3dc85ce0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
USB read rc read 64
USB recv: ffffffff8600110807060504030201b37d2bc0020106070000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB rc -2
error: (-2) Error in JSON handling

In chrome the key works properly.

How can I fix the problem?

Thank you

Mixed keys with/without button on same system

It does not seem possible to use U2F keys with a button (push the button) and other keys without (insert and press ENTER) on the same machine. It's possible to put 'interactive' and 'cue' in the pam file, but then nothing works.
It would increase usability to be able to use both kind of keys on the same system.

authconfig overwrites pam.d files

hi,
I'm on fedora 24.

I have tested that adding u2f configuration in /etc/pam.d/system-auth is good enough for the authentication to work.
HOWEVER... all files have the following lines


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

I tested by running authconfig and these files are overwritten. Can you advise on where the pam u2f configuration should be set?

When building on fedora JSON and Check packages are not found.

pam-u2f,
When building pam_u2f on Fedora 22 I get No package 'json' found or No package 'check' found. I tried setting LIBJSON_LIBS, LIBJSON_CFLAGS, CHECK_LIBS and CHECK_CFLAGS to /usr/lib/<appropriate.so>. I got through the build but then make failed saying it couldn't find json.h.

json-c , json-glib, json-devel are all installed
check and check-devel are installed as well.

Any help would be much appreciated!!

u2f with SSH

I'm trying to work out how to use U2F Authentication with SSH, the only thing I am able to find is an old issue that uses an old OpenSSH version.

Does anyone know if there is a way to implement U2F Authentication with the current version of OpenSSH?

Wait for device too

I have auth required pam_u2f.so cue in /etc/pam.d/sudo

When the Yubikey is not plugged in, the "Please touch the device." message doesn't appear, and access is denied. Can it instead wait for the device to be plugged? Either by using udev to notify it for a new device, or just busy-loop polling?

dhbhtutine

sorry, accidentally touched my yubikey.

1.0.2 from PPA dumps core on Ubuntu 15.10 64-bit

A fresh install of Ubuntu 15.10 64-bit, added the PPA and installed pamu2fcfg 1.0.2. Using Yubikey NEO w/firmware 3.4.3. Executing pamu2fcfg causes the LED on the Yubikey to blink, then causes a segfault.

I don't have write permission, so can't attach dump.

Here is the debug output:

chill@chill-laptop:~$ pamu2fcfg -d
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffffff86001108070605040302010100b3a8020101000100000000000000000000000000000000000000000000000000000000000000000000000000000000
device /dev/hidraw5 discovered as 'Yubikey NEO OTP+U2F+CCID'
version (Interface, Major, Minor, Build): 2, 1, 1, 0 capFlags: 1
JSON: { "challenge": "dctvVk9NalieD7JRSgS8A4eoA1yx79reAgYK9y0vtYA", "version": "U2F_V2", "appId": "pam://chill-laptop" }
JSON challenge URL-B64: dctvVk9NalieD7JRSgS8A4eoA1yx79reAgYK9y0vtYA
client data: { "challenge": "dctvVk9NalieD7JRSgS8A4eoA1yx79reAgYK9y0vtYA", "origin": "pam://chill-laptop", "typ": "navigator.id.finishEnrollment" }
JSON: { "challenge": "dctvVk9NalieD7JRSgS8A4eoA1yx79reAgYK9y0vtYA", "version": "U2F_V2", "appId": "pam://chill-laptop" }
JSON app_id pam://chill-laptop
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100b3a883004700010300000040d4a79dc250ed813df4c3bb063418416b575b02ca8524dc8950adf47198d56e6af116c09420dee0d966d62b2075542db20c
USB write returned 65
USB send: 000100b3a8001b12286e563a537c54c4be7017fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100b3a8830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
Segmentation fault (core dumped)

Cue appearing in lightdm with unity greeter after touching key

I am using a generic Ubuntu 16.04 VM under VirtualBox. I installed pamu2fcfg and use my Yubico key to successfully authenticate using su and to lightdm with the Unity greeter. But when I log in with the greeter, the cue shows up properly only after I touch the device, not after entering the password as I would expect. This occurs regardless of where I place the
auth sufficient pam_u2f.so cue
line in /etc/pam.d/lightdm. Am I doing something wrong or is pam_u2f.so not interacting with unity correctly? (Or is unity/lightdm misbehaving?)
Thanks.

Don't require ENTER when using Interactive mode

The interactive mode is very useful to prompt people to remember to insert their key. However, it also has the issue of requiring the ENTER button be pressed.

Would it be possible to have the authentication system poll for the insertion of a key if interactive is enabled instead of having the user take an action? Similarly, this could solve the problem of a user hitting enter "too early" (immediately after inserting their key, before initialization).

Recommendation wrt mappings location

When I initially set up my U2F I used the default of ~/.yubico/u2f_keys. This was perfectly fine until I rebooted my machine.

On Ubuntu the default encryption setup will encrypt the user directory such that it cannot be decrypted until the user has logged in. This means that if the user stores authentication info in their home directory they can never log in. With this in mind I would recommend considering either changing the default, allowing loading from both the central and the per-user location, or possibly documenting this possibility.

Obviously this is not really anyone's fault, but it was a big hassle to get around and I suspect a less able user would just reinstall Linux entirely if this happened to them.

Bypass device for (sudo pam sufficient) when connected remotely

When I shell into my laptop and execute commands as sudo, I'm prompted to "Please touch the device".

Unfortunately the device is actually rather, very far away.

If I wait long enough, it gives up and sudo prompts me for my password.

Ask is to give me a control sequence to stop waiting for the yubikey and fall through to the next pam option.

timeout

It would be great if this module could take 2 timeouts options:

  • timeout for the user to plug a key (with a message "Please insert your U2F dongle")
  • timeout for the user to press the button

MacOS: cannot authenticate installers as admin user

I have a MacOS machine requiring pam-u2f for /etc/pam.d/authorization and /etc/pam.d/authorization.

I have two users on that system -- user1 and user2.

user1 is a local administrator account, while user2 is a local non-admin account.

I set up u2f using pamu2fcfg while logged into user2. The resulting authorization mapping file was stored in /Users/user2/.config/u2f/keys.

Later, I manually edited the keys file to duplicate the first line but add user1 as another authorized user of that key:
keys:

user2:<key handle>,<public key>
user1:<same key handle>,<same public key>

Now, if I run an installer application requiring admin privileges while logged into user2 in MacOS, here's the behavior I expect:

  1. I enter my admin username (user1) and password, and hit OK.
  2. The U2F key already inserted prompts me for proof-of-presence. Once pressed, the installer should be authorized with admin privs.

Instead, this happens:

  1. I enter my admin username (user1)/password and hit OK.
  2. I am immediately rejected with the MacOS shaking animation inside the authorization prompt. It doesn't appear that the u2f key is interacted with at all.
  3. The following lines are appended to log files

/var/log/system.log:
Apr 3 16:23:38 computername authorizationhost[1858]: Failed to authenticate user <user1> (error: 12).

/var/log/accountpolicy.log:
Apr 3 16:23:38 (74.75.1) AuthenticationAllowed completed: record "user1", result: Success (0).

I don't think it's a file permissions issue with the authorization mapping file; I gave user1 read and write access to /Users/user2/, /Users/user2/.config/, /Users/user2/.config/u2f/, and /Users/user2/.config/u2f/keys.

I haven't had this issue with pam_yubico.so configured as required for both pam files in mode=challenge-response.

Unable to communicate to the device, authenticator error

Hello,
I get an error when I try to use pam-u2f with my Yubikey FIDO U2F.
When I try to connect (with debug activated), I get these errors:

debug: pam-u2f.c:85 (parse_cfg): called.
debug: pam-u2f.c:86 (parse_cfg): flags 0 argc 2
debug: pam-u2f.c:88 (parse_cfg): argv[0]=debug
debug: pam-u2f.c:88 (parse_cfg): argv[1]=authfile=/etc/u2f_mappings
debug: pam-u2f.c:90 (parse_cfg): max_devices=0
debug: pam-u2f.c:91 (parse_cfg): debug=1
debug: pam-u2f.c:92 (parse_cfg): interactive=0
debug: pam-u2f.c:93 (parse_cfg): cue=0
debug: pam-u2f.c:94 (parse_cfg): manual=0
debug: pam-u2f.c:95 (parse_cfg): nouserok=0
debug: pam-u2f.c:96 (parse_cfg): openasuser=0
debug: pam-u2f.c:97 (parse_cfg): alwaysok=0
debug: pam-u2f.c:98 (parse_cfg): authfile=/etc/u2f_mappings
debug: pam-u2f.c:99 (parse_cfg): origin=(null)
debug: pam-u2f.c:100 (parse_cfg): appid=(null)
debug: pam-u2f.c:101 (parse_cfg): prompt=(null)
debug: pam-u2f.c:142 (pam_sm_authenticate): Origin not specified, using "pam://JeanPwet"
debug: pam-u2f.c:152 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://DestrucThor)
debug: pam-u2f.c:161 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug: pam-u2f.c:179 (pam_sm_authenticate): Requesting authentication for user root
debug: pam-u2f.c:190 (pam_sm_authenticate): Found user root
debug: pam-u2f.c:191 (pam_sm_authenticate): Home directory for root is /root
debug: pam-u2f.c:231 (pam_sm_authenticate): Using authentication file /etc/u2f_mappings
debug: util.c:100 (get_devices_from_authfile): Authorization line: donokami:4bSMXw2rLIv7h1DP50bQ3URLEgl3TFflaGLQL6sxSLeV09-yo5Po6blhCxX4GcIyL4hI6I4O_8kpIm1jQ1LpmQ,04ae58870a3c9c0e173934759e13dd9e9a0d546ad356c22e2dda6e1793418b1825372f4f9c9f364f44be796ce7e6ba644e8fea075f94be2f8b7a05e456b40e483c
debug: util.c:100 (get_devices_from_authfile): Authorization line: root:Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw,04d438440b35aa55282a21cdb109c651a2bac5c7deaf51b51746a1fa3713250995df99cb7a81b11fbe8d3385b1518d6692246fb354699f1588b1c891a5f3de89d5
debug: util.c:105 (get_devices_from_authfile): Matched user: root
debug: util.c:132 (get_devices_from_authfile): KeyHandle for device number 1: Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw
debug: util.c:151 (get_devices_from_authfile): publicKey for device number 1: 04d438440b35aa55282a21cdb109c651a2bac5c7deaf51b51746a1fa3713250995df99cb7a81b11fbe8d3385b1518d6692246fb354699f1588b1c891a5f3de89d5
debug: util.c:162 (get_devices_from_authfile): Length of key number 1 is 65
debug: util.c:189 (get_devices_from_authfile): Found 1 device(s) for user root
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffffff86001108070605040302010002000c020403030100000000000000000000000000000000000000000000000000000000000000000000000000000000
device /dev/hidraw0 discovered as 'Security Key by Yubico'
  version (Interface, Major, Minor, Build): 2, 4, 3, 0  capFlags: 1
debug: util.c:270 (do_authentication): Device max index is 0
debug: util.c:301 (do_authentication): Attempting authentication with device number 1
debug: util.c:323 (do_authentication): Challenge: { "keyHandle": "Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw", "version": "U2F_V2", "challenge": "siVwHR5SkxE_nDikfNLdZqQtlFXPubqpjxD5shh_bco", "appId": "pam:\/\/JeanPwet" }
JSON: { "keyHandle": "Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw", "version": "U2F_V2", "challenge": "siVwHR5SkxE_nDikfNLdZqQtlFXPubqpjxD5shh_bco", "appId": "pam:\/\/JeanPwet" }
JSON challenge URL-B64: siVwHR5SkxE_nDikfNLdZqQtlFXPubqpjxD5shh_bco
client data: { "challenge": "siVwHR5SkxE_nDikfNLdZqQtlFXPubqpjxD5shh_bco", "origin": "pam:\/\/DestrucThor", "typ": "navigator.id.getAssertion" }
JSON: { "keyHandle": "Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw", "version": "U2F_V2", "challenge": "siVwHR5SkxE_nDikfNLdZqQtlFXPubqpjxD5shh_bco", "appId": "pam:\/\/JeanPwet" }
JSON app_id pam://JeanPwet
JSON: { "keyHandle": "Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw", "version": "U2F_V2", "challenge": "siVwHR5SkxE_nDikfNLdZqQtlFXPubqpjxD5shh_bco", "appId": "pam:\/\/JeanPwet" }
JSON keyHandle URL-B64: Tykq35PskneGkzpxRkP7OxayXWBkhcyIK1eF68ssKUo2BlwF81DNLPkuPxZ2CPA0kzGxIlIS5pKi0XVWDw-BGw
USB send: 000002000c83008a0002030000008133aeb1d11d42663ccc36a78c2c940eb190403320bb2ebbec2b1ef39732d75dda7d3daf84ea0b882c57dc4938e58b89b47f
USB write returned 65
USB send: 000002000c0071851938e277bbe501b4fa059bc2404f292adf93ec927786933a714643fb3b16b25d606485cc882b5785ebcb2c294a36065c05f350cd2cf92e3f
USB write returned 65
USB send: 000002000c017608f0349331b1225212e692a2d175560f0f811b0000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
USB read rc read 64
USB recv: 0002000c8300026a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6a80
debug: util.c:338 (do_authentication): Unable to communicate to the device, authenticator error
USB send: 000002000c8100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: 0002000c810001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
debug: pam-u2f.c:289 (pam_sm_authenticate): do_authentication returned -2
debug: pam-u2f.c:308 (pam_sm_authenticate): done. [Échec d'authentification]

What can I do?
Thanks.
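The "USB send" / "USB recv" lines in the two traces above are raw U2FHID reports, and the two-byte "USB data" that follows each receive is the ISO 7816 status word of the U2F response. The C below is an added example written for this page, not code from pam-u2f or libu2f-host: it decodes the report header (channel id, command, byte count) and the status word, so that the repeated 6985 in the first trace (the authenticator asking for a touch, which the host polls with growing timeouts) can be told apart from the 6a80 in the second (the device rejecting the key handle). The sample reports are constructed from the recv lines quoted above; the command and status values are those defined by the FIDO U2F HID and raw-message specifications.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HID_REPORT_LEN 64      /* one U2FHID report, as in "USB read rc read 64"; the
                                  "USB send" lines carry one extra leading 0x00 report-id
                                  byte for hidraw, hence "USB write returned 65" */
#define TYPE_INIT      0x80    /* bit 7 set in byte 4 => initialisation packet */
#define U2FHID_PING    (TYPE_INIT | 0x01)
#define U2FHID_MSG     (TYPE_INIT | 0x03)
#define U2FHID_INIT    (TYPE_INIT | 0x06)
#define U2FHID_ERROR   (TYPE_INIT | 0x3f)

/* Status words from the FIDO U2F raw message format. */
#define SW_NO_ERROR                 0x9000
#define SW_CONDITIONS_NOT_SATISFIED 0x6985
#define SW_WRONG_DATA               0x6a80

struct u2fhid_frame {
    uint32_t cid;            /* channel id, big-endian on the wire */
    int      is_init;        /* 1 = init packet, 0 = continuation packet */
    uint8_t  cmd;            /* init: command byte; continuation: sequence number */
    uint16_t bcnt;           /* init only: total payload length of the message */
    const uint8_t *payload;  /* first payload byte inside this report */
    size_t   payload_len;    /* payload bytes carried by this report */
};

/* Decode one 64-byte report as read from hidraw (no report-id byte). */
int parse_u2fhid_frame(const uint8_t *buf, size_t len, struct u2fhid_frame *f)
{
    if (buf == NULL || f == NULL || len != HID_REPORT_LEN)
        return -1;
    memset(f, 0, sizeof *f);
    f->cid = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
             ((uint32_t)buf[2] << 8) | buf[3];
    if (buf[4] & TYPE_INIT) {
        f->is_init = 1;
        f->cmd = buf[4];
        f->bcnt = (uint16_t)((buf[5] << 8) | buf[6]);
        f->payload = buf + 7;
        f->payload_len = f->bcnt < HID_REPORT_LEN - 7 ? f->bcnt : HID_REPORT_LEN - 7;
    } else {
        f->cmd = buf[4];                     /* sequence number */
        f->payload = buf + 5;
        f->payload_len = HID_REPORT_LEN - 5; /* caller tracks how many bytes remain */
    }
    return 0;
}

/* For a U2FHID_MSG init frame whose whole response fits in one report, return
 * the status word (last two payload bytes); -1 if it is not such a response. */
int u2f_response_status(const struct u2fhid_frame *f)
{
    if (!f->is_init || f->cmd != U2FHID_MSG || f->bcnt < 2 || f->payload_len != f->bcnt)
        return -1;
    return (f->payload[f->bcnt - 2] << 8) | f->payload[f->bcnt - 1];
}

const char *u2f_status_name(int sw)
{
    switch (sw) {
    case SW_NO_ERROR:                 return "SW_NO_ERROR: assertion returned";
    case SW_CONDITIONS_NOT_SATISFIED: return "SW_CONDITIONS_NOT_SATISFIED: waiting for user presence, poll again";
    case SW_WRONG_DATA:               return "SW_WRONG_DATA: key handle not valid for this authenticator/appId";
    default:                          return "unknown status word";
    }
}

/* Constructed from the "USB recv" lines quoted in the issues above (rest zero-filled). */
static const uint8_t RECV_WAITING_TOUCH[HID_REPORT_LEN] = { 0x01, 0x00, 0xb3, 0xa8, 0x83, 0x00, 0x02, 0x69, 0x85 };
static const uint8_t RECV_WRONG_DATA[HID_REPORT_LEN]    = { 0x00, 0x02, 0x00, 0x0c, 0x83, 0x00, 0x02, 0x6a, 0x80 };
static const uint8_t RECV_PING[HID_REPORT_LEN]          = { 0x00, 0x02, 0x00, 0x0c, 0x81, 0x00, 0x01, 0x00 };

int main(void)
{
    const uint8_t *reports[] = { RECV_WAITING_TOUCH, RECV_WRONG_DATA, RECV_PING };
    for (size_t i = 0; i < 3; i++) {
        struct u2fhid_frame f;
        if (parse_u2fhid_frame(reports[i], HID_REPORT_LEN, &f) != 0)
            continue;
        int sw = u2f_response_status(&f);
        printf("cid=%08x cmd=0x%02x bcnt=%u -> %s\n", f.cid, f.cmd, f.bcnt,
               sw < 0 ? "not a MSG response" : u2f_status_name(sw));
    }
    return 0;
}
```

6985 is the normal answer while the key waits for a touch, so a host that treats it as an error instead of re-sending the request will never authenticate. 6a80 is terminal for that key handle: the authenticator does not recognise it, which happens when the handle was registered by another device or under a different application parameter. The second trace above derives origin and appId from two different hostnames, which is where a registration/authentication appId mismatch would come from.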

secure_getenv(3) detection is broken

pam-u2f 1.0.4 uses secure_getenv(3), a GNU extension, and falls back to an implementation it ships if HAVE_SECURE_GETENV is not defined.

Unfortunately, the configure script wrongly sets HAVE_SECURE_GETENV on some platforms.
For instance, during a Debian/kFreeBSD build:
https://buildd.debian.org/status/fetch.php?pkg=pam-u2f&arch=kfreebsd-amd64&ver=1.0.4-0.2&stamp=1468537730

dpkg-buildpackage
─────────────────

dpkg-buildpackage: info: source package pam-u2f
dpkg-buildpackage: info: source version 1.0.4-0.2
dpkg-buildpackage: info: source distribution unstable
 dpkg-source --before-build pam-u2f-1.0.4
dpkg-buildpackage: info: host architecture kfreebsd-amd64
[...]
dh_auto_configure -- \
    --disable-silent-rules \
    --with-pam-dir=/lib/x86_64-kfreebsd-gnu/security
    ../configure --build=x86_64-kfreebsd-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-kfreebsd-gnu --libexecdir=\${prefix}/lib/x86_64-kfreebsd-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --with-pam-dir=/lib/x86_64-kfreebsd-gnu/security
configure: WARNING: unrecognized options: --disable-maintainer-mode
[...]
checking build system type... x86_64-pc-kfreebsd-gnu
checking host system type... x86_64-pc-kfreebsd-gnu
[...]
checking for stdlib.h... yes
[...]
checking for secure_getenv... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating pamu2fcfg/Makefile
config.status: creating tests/Makefile
config.status: executing depfiles commands
config.status: executing libtool commands
configure: WARNING: unrecognized options: --disable-maintainer-mode
configure: Summary of build options:

  Version:             1.0.4
  Host type:           x86_64-pc-kfreebsd-gnu
  Install prefix:      /usr
  Compiler:            gcc
  Library types:       Shared=yes, Static=no
  LIBU2FHOST CFLAGS:   -I/usr/include/u2f-host
  LIBU2FHOST LIBS:     -lu2f-host
  LIBU2FSERVER CFLAGS: -I/usr/include/u2f-server
  LIBU2FSERVER LIBS:   -lu2f-server
  PAMDIR:              /lib/x86_64-kfreebsd-gnu/security

make[1]: Leaving directory '/«PKGBUILDDIR»'
   dh_auto_build -a -O--parallel -O--builddirectory=build
    make -j2
make[1]: Entering directory '/«PKGBUILDDIR»/build'
Making all in .
make[2]: Entering directory '/«PKGBUILDDIR»/build'
[...]
../pam-u2f.c: In function 'pam_sm_authenticate':
../pam-u2f.c:174:20: warning: implicit declaration of function 'secure_getenv' [-Wimplicit-function-declaration]
     authfile_dir = secure_getenv(DEFAULT_AUTHFILE_DIR_VAR);
                    ^
../pam-u2f.c:174:18: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     authfile_dir = secure_getenv(DEFAULT_AUTHFILE_DIR_VAR);
                  ^

The result is an implicitly-defined function, which (per the C standard) expects to receive an int, hence the 64-bit pointer might get truncated.

Multiple U2F keys

I'm only able to register one key.

When I specify two keys in u2f_keys as so:

<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>

Only one of the keys works. If I switch the order of the keys in the file, then the other key works, but the first stops working.

I'm using the version from the PPA on Ubuntu 15.10.

Pam u2f for GDM

So,
What's missing for me to use this is a way of adding pam_u2f to GDM without making the whole system lock up.

Adding it as sufficient to pam, will let you get it up and running, and you can log in via gdm/login/sudo.

Adding it as requisite for some reason causes repeated failures, and it won't move further.

What's the recommended config to require token + password to log in on a desktop environment?

Missing include for u2f-host and u2f-server

Hello,
I got the following error while trying to compile the pam-u2f library:

make[1]: Entering directory '.../pam_u2f/pam_u2f/src/pam_u2f-1.0.1'
  CC       util.lo
In file included from util.c:8:0:
/usr/include/u2f-host/u2f-host.h:24:30: fatal error: u2f-host-version.h: No such file or directory

I am not sure if my fix is correct because I have never worked with the build system that is used by your project. Inside the Makefile.am file I have changed the line
AM_CFLAGS = $(WARN_CFLAGS)
to
AM_CFLAGS = $(WARN_CFLAGS) $(LIBU2FHOST_CFLAGS) $(LIBU2FSERVER_CFLAGS)

Update version on aptitude

The version that's currently installed via apt-get install pam-u2f has a few differences from the current one up on GitHub, notably:

  1. The default key directory is .yubico/u2f_keys versus .config/Yubico/u2f_keys in the newer version
  2. It doesn't appear to respect the "manual" or "interactive" attributes in the pam module.

pamu2fcfg depends on libjson-c.so.2 that is no longer shipped with ubuntu

When updating from Ubuntu 16.04 to 16.10, U2F with my Yubikey stopped working.

After a bit of looking around I discovered that pamu2fcfg doesn't work either and fails with:

paumu2fcfg: error while loading shared libraries: libjson-c.so.2: cannot open shared object file: No such file or directory

Looking around, I find that Ubuntu from version 16.10 no longer ships libjson-c.so.2; instead they ship libjson-c.so.3.

So I suspect that libpam-u2f also depends on libjson and that is why it fails, but I have no evidence of that.

debug to auth.log or other files possible if not locally called?

Is it possible to get the debug output also for ssh sessions to e.g. auth.log ?

In my first tests the individual mapping files were ignored/not found - no idea what happened there.
I had to use a local "login" test with debug activated to see that my key copy was somehow not correct so I got this error from key:

util.c: D(("Length of key number %d not even", i + 1));

Visually I saw no error/difference but a new copy&paste entry fixed it.
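The mapping-file format from the "Multiple U2F keys" report (user:keyhandle,pubkey:keyhandle,pubkey) and the odd-length check quoted in the post just above (util.c's "Length of key number %d not even") can both be exercised with a small parser. The C below is an added example written for this page, not pam-u2f's own util.c: it reads one line per user, returns every device registered for the requested user so a second key is not lost, and reports an odd-length hex public key with its own error code so a corrupted copy-paste is diagnosable. The file contents, key handles and 130-digit public keys are constructed; the 65-byte uncompressed-point length and the default limit of 24 devices come from the debug output quoted earlier on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_DEVICES 24   /* "Maximum devices number not set. Using default (24)" */
#define PUBKEY_LEN  65   /* uncompressed P-256 point 0x04||X||Y; "Length of key number 1 is 65" */
#define MAX_KH_LEN  256  /* key handle is kept as its URL-safe base64 text */

enum authfile_rc {
    AUTHFILE_MATCH        =  1,  /* line belongs to the user; devs[] filled */
    AUTHFILE_NO_MATCH     =  0,  /* line belongs to another user */
    AUTHFILE_ERR_FORMAT   = -1,  /* missing ':' or ',' or an empty field */
    AUTHFILE_ERR_ODD_HEX  = -2,  /* "Length of key number N not even" */
    AUTHFILE_ERR_BAD_HEX  = -3,  /* non-hex character in the public key */
    AUTHFILE_ERR_KEYLEN   = -4,  /* public key is not a 65-byte 0x04 point */
    AUTHFILE_ERR_TOO_MANY = -5   /* more devices than the caller allows */
};

struct u2f_device {
    char          keyhandle[MAX_KH_LEN];
    unsigned char pubkey[PUBKEY_LEN];
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hexlen hex digits into out; returns the byte count or a negative rc. */
static int hex_decode(const char *hex, size_t hexlen, unsigned char *out, size_t outlen)
{
    if (hexlen % 2 != 0)     return AUTHFILE_ERR_ODD_HEX;
    if (hexlen / 2 > outlen) return AUTHFILE_ERR_KEYLEN;
    for (size_t i = 0; i < hexlen; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return AUTHFILE_ERR_BAD_HEX;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(hexlen / 2);
}

/* Parse one "user:keyhandle,pubkeyhex[:keyhandle,pubkeyhex...]" line of exactly
 * linelen bytes. Fills devs[] and *ndevs when the line belongs to user. */
int parse_authfile_line(const char *line, size_t linelen, const char *user,
                        struct u2f_device *devs, size_t max_devs, size_t *ndevs)
{
    const char *end = line + linelen;
    const char *colon = memchr(line, ':', linelen);
    const char *p;

    *ndevs = 0;
    if (colon == NULL || colon == line)
        return AUTHFILE_ERR_FORMAT;
    if (strlen(user) != (size_t)(colon - line) || memcmp(user, line, (size_t)(colon - line)) != 0)
        return AUTHFILE_NO_MATCH;                 /* someone else's line: skip it */

    for (p = colon + 1; p < end; p = colon ? colon + 1 : end) {
        colon = memchr(p, ':', (size_t)(end - p)); /* start of the next device, if any */
        const char *fend  = colon ? colon : end;
        const char *comma = memchr(p, ',', (size_t)(fend - p));
        struct u2f_device *d;
        int rc;

        if (*ndevs >= max_devs)
            return AUTHFILE_ERR_TOO_MANY;
        if (comma == NULL || comma == p || (size_t)(comma - p) >= MAX_KH_LEN)
            return AUTHFILE_ERR_FORMAT;
        d = &devs[*ndevs];
        memcpy(d->keyhandle, p, (size_t)(comma - p));
        d->keyhandle[comma - p] = '\0';
        rc = hex_decode(comma + 1, (size_t)(fend - comma - 1), d->pubkey, PUBKEY_LEN);
        if (rc < 0)
            return rc;                            /* odd length / bad digit / too long */
        if (rc != PUBKEY_LEN || d->pubkey[0] != 0x04)
            return AUTHFILE_ERR_KEYLEN;           /* must be an uncompressed point */
        (*ndevs)++;
    }
    return *ndevs > 0 ? AUTHFILE_MATCH : AUTHFILE_ERR_FORMAT;
}

/* Walk a whole file (newline-separated lines); blank lines are skipped and the
 * first line naming the user decides the result. */
int find_user_devices(const char *contents, const char *user,
                      struct u2f_device *devs, size_t max_devs, size_t *ndevs)
{
    const char *line = contents;
    *ndevs = 0;
    while (*line) {
        size_t len = strcspn(line, "\n");
        if (len > 0) {
            int rc = parse_authfile_line(line, len, user, devs, max_devs, ndevs);
            if (rc != AUTHFILE_NO_MATCH)
                return rc;
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return AUTHFILE_NO_MATCH;
}

#define HEX32  "00112233445566778899aabbccddeeff"
#define PK_OK  "04" HEX32 HEX32 HEX32 HEX32        /* 130 hex digits = 65 bytes (constructed) */
#define PK_ODD "04" HEX32 HEX32 HEX32 HEX32 "a"    /* 131 digits: the odd-length copy-paste error */

/* Constructed sample file: two devices for alice, a corrupt line for bob. */
static const char SAMPLE_AUTHFILE[] =
    "alice:KH-alice-one_abc," PK_OK ":KH-alice-two_def," PK_OK "\n"
    "bob:KH-bob_ghi," PK_ODD "\n"
    "carol:KH-carol_jkl," PK_OK "\n";

int main(void)
{
    struct u2f_device devs[MAX_DEVICES];
    size_t n = 0;
    int rc = find_user_devices(SAMPLE_AUTHFILE, "alice", devs, MAX_DEVICES, &n);
    printf("alice: rc=%d devices=%zu\n", rc, n);
    rc = find_user_devices(SAMPLE_AUTHFILE, "bob", devs, MAX_DEVICES, &n);
    printf("bob: rc=%d (%d means odd hex length)\n", rc, AUTHFILE_ERR_ODD_HEX);
    return 0;
}
```

Because the key handle is URL-safe base64 and the public key is hex, neither can contain ':' or ',', so the two separators are unambiguous and a line can carry as many devices as the configured maximum. Returning a distinct code for the odd-length case is what makes the "Length of key number N not even" situation visible without a local debug login.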

[enhancement] Add interactive mode

Add an interactive mode such that the device check only starts after the user presses ENTER on a message like "Press ENTER to check against your U2F Authenticator". This is useful because some keys are set to deactivate themselves after several seconds of connection to the USB port.

Read blog post

This blogpost might be useful for:

  • Linking to in the docs.
  • Fixing issues the author experienced.
  • Inspiration for writing a similar tutorial.

environment variables used by the pam module

https://bugzilla.redhat.com/show_bug.cgi?id=1283296#c7

So, this module uses a number of environment variables ($DEFAULT_AUTHFILE_DIR_VAR, $XDG_CONFIG_HOME at least). To try it out, I added auth require pam_u2f.so debug origin=pam://$HOSTNAME appid=pam://$HOSTNAME as the first line in /etc/pam.d/su-l, and then I run:

$ su -
[pam-u2f.c:parse_cfg(48)] called.
[pam-u2f.c:parse_cfg(49)] flags 0 argc 3
[pam-u2f.c:parse_cfg(51)] argv[0]=debug
[pam-u2f.c:parse_cfg(51)] argv[1]=origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(51)] argv[2]=appid=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(52)] max_devices=0
[pam-u2f.c:parse_cfg(53)] debug=1
[pam-u2f.c:parse_cfg(54)] interactive=0
[pam-u2f.c:parse_cfg(55)] cue=0
[pam-u2f.c:parse_cfg(56)] manual=0
[pam-u2f.c:parse_cfg(57)] nouserok=0
[pam-u2f.c:parse_cfg(58)] alwaysok=0
[pam-u2f.c:parse_cfg(59)] authfile=(null)
[pam-u2f.c:parse_cfg(60)] origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(61)] appid=pam://$HOSTNAME
[pam-u2f.c:pam_sm_authenticate(124)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(142)] Requesting authentication for user root
[pam-u2f.c:pam_sm_authenticate(153)] Found user root
[pam-u2f.c:pam_sm_authenticate(154)] Home directory for root is /root
[pam-u2f.c:pam_sm_authenticate(161)] Variable XDG_CONFIG_HOME is not set. Using default value ($HOME/.config/)
[pam-u2f.c:pam_sm_authenticate(193)] Using default authentication file /root/.config/Yubico/u2f_keys
[util.c:get_devices_from_authfile(34)] Cannot open file: /root/.config/Yubico/u2f_keys (No such file or directory)
[pam-u2f.c:pam_sm_authenticate(211)] Unable to get devices from file /root/.config/Yubico/u2f_keys
[pam-u2f.c:pam_sm_authenticate(259)] done. [Authentication service cannot retrieve authentication info]
Password: 

Question: I'd expect the auth process to fail, since "require" is used.

In the logs I see:

Dec 06 19:38:28 rawhide su[9137]: PAM pam_parse: expecting return value; [...require]

Looks like an error in the module.

Then I run:

$ XDG_CONFIG_HOME=/home/test su -
[pam-u2f.c:parse_cfg(48)] called.
[pam-u2f.c:parse_cfg(49)] flags 0 argc 3
[pam-u2f.c:parse_cfg(51)] argv[0]=debug
[pam-u2f.c:parse_cfg(51)] argv[1]=origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(51)] argv[2]=appid=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(52)] max_devices=0
[pam-u2f.c:parse_cfg(53)] debug=1
[pam-u2f.c:parse_cfg(54)] interactive=0
[pam-u2f.c:parse_cfg(55)] cue=0
[pam-u2f.c:parse_cfg(56)] manual=0
[pam-u2f.c:parse_cfg(57)] nouserok=0
[pam-u2f.c:parse_cfg(58)] alwaysok=0
[pam-u2f.c:parse_cfg(59)] authfile=(null)
[pam-u2f.c:parse_cfg(60)] origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(61)] appid=pam://$HOSTNAME
[pam-u2f.c:pam_sm_authenticate(124)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(142)] Requesting authentication for user root
[pam-u2f.c:pam_sm_authenticate(153)] Found user root
[pam-u2f.c:pam_sm_authenticate(154)] Home directory for root is /root
[pam-u2f.c:pam_sm_authenticate(178)] Variable XDG_CONFIG_HOME set to /home/test
[pam-u2f.c:pam_sm_authenticate(193)] Using default authentication file /home/test/Yubico/u2f_keys
[util.c:get_devices_from_authfile(34)] Cannot open file: /home/test/Yubico/u2f_keys (No such file or directory)
[pam-u2f.c:pam_sm_authenticate(211)] Unable to get devices from file /home/test/Yubico/u2f_keys
[pam-u2f.c:pam_sm_authenticate(259)] done. [Authentication service cannot retrieve authentication info]
Password: 

As you can see, "Requesting authentication for user root", but it's happy to read configuration from a user specified file. This doesn't seem right.
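The secure_getenv(3) report earlier on the page and the environment-variable report just above concern the same code path: the module reads a directory from the environment ($XDG_CONFIG_HOME, per the trace) to decide which mapping file is consulted, and that read goes through secure_getenv or a shipped fallback. The C below is an added example, not pam-u2f's code. It shows a fallback secure_getenv with an always-visible prototype (so a mis-detected HAVE_SECURE_GETENV cannot degrade into the implicit int declaration the kFreeBSD build warned about) and a path-resolution routine reconstructed from the "Using default authentication file" lines in the traces. The Yubico/u2f_keys subpath, the $HOME/.config default and the use of XDG_CONFIG_HOME come from those traces; the function names and the trusted-environment check are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

#define CONFIG_DIR_VAR   "XDG_CONFIG_HOME"   /* "Variable XDG_CONFIG_HOME set to /home/test" */
#define AUTHFILE_SUBPATH "Yubico/u2f_keys"   /* ".../Yubico/u2f_keys" in the traces */

/* 1 when the process must not trust its environment: the kernel set AT_SECURE
 * because the binary was set-id or carried file capabilities (assumed check). */
static int running_securely(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Replacement for glibc's secure_getenv(3) whose prototype is always visible in
 * this translation unit. A wrong HAVE_SECURE_GETENV therefore cannot leave the
 * call implicitly declared as "int secure_getenv()" and truncate the pointer
 * (the two warnings in the kFreeBSD build above). NULL when the environment is
 * untrusted, otherwise the variable's value. */
const char *portable_secure_getenv(const char *name)
{
    if (running_securely())
        return NULL;
    return getenv(name);
}

/* Selection order reconstructed from the debug traces (illustration only):
 *   1. an explicit authfile= option wins;
 *   2. else <config_dir>/Yubico/u2f_keys when the directory variable is set;
 *   3. else <home>/.config/Yubico/u2f_keys.
 * Inputs are parameters rather than getenv() calls so the logic is testable.
 * Returns the path length, or -1 when nothing applies or the buffer is short. */
int resolve_authfile(const char *authfile_opt, const char *config_dir,
                     const char *home, char *out, size_t outlen)
{
    int n;
    if (authfile_opt != NULL && authfile_opt[0] != '\0')
        n = snprintf(out, outlen, "%s", authfile_opt);
    else if (config_dir != NULL && config_dir[0] != '\0')
        n = snprintf(out, outlen, "%s/" AUTHFILE_SUBPATH, config_dir);
    else if (home != NULL && home[0] != '\0')
        n = snprintf(out, outlen, "%s/.config/" AUTHFILE_SUBPATH, home);
    else
        return -1;
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Same decision, but with the directory taken from the process environment via
 * portable_secure_getenv(): a caller-supplied XDG_CONFIG_HOME is ignored
 * whenever the process is running securely. */
int resolve_authfile_from_env(const char *authfile_opt, const char *home,
                              char *out, size_t outlen)
{
    return resolve_authfile(authfile_opt, portable_secure_getenv(CONFIG_DIR_VAR),
                            home, out, outlen);
}

int main(void)
{
    char path[512];
    if (resolve_authfile_from_env(NULL, getenv("HOME"), path, sizeof path) > 0)
        printf("mapping file: %s (environment %s)\n", path,
               running_securely() ? "ignored: AT_SECURE" : "trusted");
    return 0;
}
```

Two caveats for anyone relying on this. AT_SECURE is only set when execve changed the process's credentials, so secure_getenv protects set-id invocations such as su; a daemon that starts as root (a display manager, sshd) is not "secure" in this sense and the call returns whatever that daemon's environment holds. That is why, when root authenticates other users as in the trace above, an explicit central authfile= option (the configuration the Ubuntu home-encryption report also asks for) is the setting that does not depend on the caller's environment at all.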

MacOS: attempting to login when u2f is required w/o key inserted causes logout

I'm testing pam-u2f (thanks!) installed via homebrew on MacOS.

I have /etc/pam.d/authorization and /etc/pam.d/screensaver configured to require pam-u2f:
auth required /usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so authfile=/Users/username/.config/u2f/keys

It generally works very well, but I've noticed that if I try to unlock the machine from the password-protected screensaver with my password only and no U2F key inserted, this happens next:

  1. The login fails
  2. If I insert the U2F key and re-try, the login momentarily appears to progress, but then I'm logged out and return to the screen that selects a user to login with.

Frustratingly and inexplicably, this always results in my Google Chrome preference file becoming corrupted, even if I don't have Google Chrome open.

The fact that the user is logged out if they forget to insert the key is a serious impediment to encouraging users under my purview to use pam-u2f.

Oddly, I never noticed this behavior with pam_yubico.so configured as required for both pam files in mode=challenge-response.

Machine: MBP
OS: 10.11.6 (El Capitan)
U2F device: Yubico FIDO U2F Security Key

util.c : Add option to silently failover to another auth method

Hi there!

Thank you very much for this project, I am very glad to be able to use it in my work and projects.

I do have one feature request:

If attempting to auth without the key inserted, a message appears:
[util.c:do_authentication(233)] Unable to discover device(s), cannot find U2F device

It seems to be related to the fact that util.c is (seemingly) lacking a check for missing devices.

Would it be possible to expand this so that the module silently passes to the next authentication module?
I'd be happy to submit a pull request if you would provide some insight into a preferred fix.

Here's my relevant configuration:

OS: ArchLinux, 4.2.1 Kernel

/etc/pam.d/sudo

#%PAM-1.0
auth        sufficient  pam_u2f.so cue
auth        include     system-auth
account     include     system-auth
session     include     system-auth

Auth while missing the key:

$ sudo su
[util.c:do_authentication(233)] Unable to discover device(s), cannot find U2F device
[sudo] password for tom:

Again, thanks so much for the work!
