Comments (4)
I assume this is on Linux, over SSH?
I don't think there is a straightforward solution to the problem (happy to be wrong) as this was not its intended use.
The best solution I can think of is to disable the YubiKey on the remote laptop. To do that you want to find out the USB bus to which it is connected, for example by running dmesg after plugging the device in; you should see something like
[170210.788223] usb 1-1: New USB device found, idVendor=1050, idProduct=0407
[170210.788228] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[170210.788230] usb 1-1: Product: Yubikey 4 OTP+U2F+CCID
[170210.788232] usb 1-1: Manufacturer: Yubico
At that point you can run
echo -n "1-1" | sudo tee /sys/bus/usb/drivers/usb/unbind
This will cause the USB discovery to fail in libu2f-host and will make PAM fall through.
The command
echo -n "1-1" | sudo tee /sys/bus/usb/drivers/usb/bind
will reconnect the device.
from pam-u2f.
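An added example, not part of the thread or of pam-u2f: a shell helper that automates the workaround in the comment above by locating the token through sysfs instead of reading dmesg. The function names and the SYSFS_USB override are assumptions made for the example; 1050 is the idVendor shown in the dmesg output, so any Yubico device on the host matches.

```shell
#!/bin/sh
# Added example (not pam-u2f code). Source this file, then run as root:
#   toggle_yubikey unbind    # before an SSH session that should skip U2F
#   toggle_yubikey bind      # to make the token visible again

# Assumption: SYSFS_USB may be overridden to point at a constructed tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb}"
YUBICO_VENDOR="1050"   # idVendor from the dmesg output in the thread

# Print the bus ID (e.g. "1-1") of every USB device with a Yubico idVendor.
find_yubikey_ports() {
    for dev in "$SYSFS_USB"/devices/*; do
        # Interface nodes such as 1-1:1.0 carry no idVendor attribute.
        [ -r "$dev/idVendor" ] || continue
        if [ "$(cat "$dev/idVendor")" = "$YUBICO_VENDOR" ]; then
            basename "$dev"
        fi
    done
}

# Bind or unbind every Yubico device, skipping ones already in that state.
toggle_yubikey() {
    action="$1"
    case "$action" in
        bind|unbind) ;;
        *) echo "usage: toggle_yubikey bind|unbind" >&2; return 2 ;;
    esac
    for port in $(find_yubikey_ports); do
        # A bound device has a "driver" link in its sysfs directory.
        if [ "$action" = unbind ] && [ ! -e "$SYSFS_USB/devices/$port/driver" ]; then
            continue
        fi
        if [ "$action" = bind ] && [ -e "$SYSFS_USB/devices/$port/driver" ]; then
            continue
        fi
        printf '%s' "$port" > "$SYSFS_USB/drivers/usb/$action"
    done
}
```

Matching on idVendor keeps working when the token is moved to another port, where a hard-coded "1-1" would not.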
@a-dma Thanks for this workaround! When you say, "not its intended use", do you mean because I'm using it as "sufficient"? It seems that U2F isn't super useful for second factor auth for sudo, since U2F doesn't go through SSH yet, meaning I'd be without sudo access any time I was remotely logged in.
Hence why I used sufficient. Maybe I was too excited for my Yubikey and need to re-evaluate if I should be using it with pam_sudo at all... Any thoughts?
from pam-u2f.
What I meant is that a U2F token is typically used, among other things, to provide a proof of human presence. Having it plugged into a remote machine makes that pretty much impossible.
As you said, when SSH support is available this might change, but even then the typical usage would be to keep the token with you and not leave it connected to the remote host.
I think using sufficient for sudo makes sense (assuming you trust your environment). What I would do is unplug the YubiKey before leaving the host unattended, or even better (if you ask me) only plug it in when you actually need it.
from pam-u2f.
Oh, I see what you're saying. And you're right. It turns out the only time this is a "problem" is when I'm remoting into the laptop on my desk (that I leave the Yubikey 4 Nano in since it stays on/near my person). Which means that I can just tap it anyway. I can't imagine a scenario where I will be affected by this --- in the scenario with my desktop, as you pointed out, I will have removed the Yubikey when I am away from it since I use the normal keychain fob with my desktop devices.
Thanks for the workaround and clarification. Closing this now.
from pam-u2f.