Comments (4)

a-dma commented on May 29, 2024

I assume this is on Linux, over SSH?
I don't think there is a straightforward solution to the problem (happy to be wrong) as this was not its intended use.

The best solution I can think of is to disable the YubiKey on the remote laptop. To do that you want to find out the USB bus to which it is connected. For example, running dmesg after plugging the device in, you should see something like

[170210.788223] usb 1-1: New USB device found, idVendor=1050, idProduct=0407
[170210.788228] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[170210.788230] usb 1-1: Product: Yubikey 4 OTP+U2F+CCID
[170210.788232] usb 1-1: Manufacturer: Yubico

At that point you can run echo -n "1-1" | sudo tee /sys/bus/usb/drivers/usb/unbind. This will cause the usb discovery to fail in libu2f-host and will make pam fall through.
The command echo -n "1-1" | sudo tee /sys/bus/usb/drivers/usb/bind will reconnect the device.

from pam-u2f.
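
The unbind/rebind workaround from the comment above, as an added example that is not part of the original thread or of pam-u2f. It goes one step further than reading dmesg by hand: it finds devices with the Yubico vendor id 1050 under sysfs and skips any that are already in the requested state. The `SYSFS_USB` override, the function names and the script file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not pam-u2f code): unbind/rebind Yubico USB devices via sysfs.
# SYSFS_USB is a hypothetical override so the logic can run against a scratch tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb}"
YUBICO_VID="1050"   # idVendor from the dmesg output quoted in the thread

# Print the bus-port id (e.g. "1-1") of each USB device with the Yubico vendor id.
find_yubikeys() {
    for yk_dev in "$SYSFS_USB"/devices/*; do
        # Interface entries such as 1-1:1.0 carry no idVendor file; skip them.
        [ -r "$yk_dev/idVendor" ] || continue
        if [ "$(cat "$yk_dev/idVendor")" = "$YUBICO_VID" ]; then
            basename "$yk_dev"
        fi
    done
}

# yubikey_toggle unbind|bind
# Writes each matching id to the usb driver's unbind or bind file (needs root on
# a real system). A device already in the requested state is skipped, because
# writing its id again returns an error.
yubikey_toggle() {
    yk_action="$1"
    case "$yk_action" in
        bind|unbind) ;;
        *) echo "usage: yubikey_toggle bind|unbind" >&2; return 2 ;;
    esac
    for yk_id in $(find_yubikeys); do
        # A bound device exposes a "driver" symlink in its sysfs directory.
        if [ -e "$SYSFS_USB/devices/$yk_id/driver" ]; then yk_state=bind; else yk_state=unbind; fi
        if [ "$yk_state" = "$yk_action" ]; then
            echo "skip $yk_id (no change needed)"
            continue
        fi
        printf '%s' "$yk_id" > "$SYSFS_USB/drivers/usb/$yk_action" || return 1
        echo "$yk_action $yk_id"
    done
}

# Run directly as: sudo sh yubikey-toggle.sh unbind   (file name is an assumption)
case "${1:-}" in
    bind|unbind) yubikey_toggle "$1" ;;
esac
```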

colemickens commented on May 29, 2024

@a-dma Thanks for this workaround! When you say, "not its intended use", do you mean because I'm using it as "sufficient"? It seems that u2f isn't super useful for second factor auth for sudo, since u2f doesn't go through ssh yet, meaning I'd be without sudo access any time I was remotely logged in.

Hence why I used sufficient. Maybe I was too excited for my Yubikey and need to re-evaluate if I should be using it with pam_sudo at all... Any thoughts?

a-dma commented on May 29, 2024

What I meant is that a U2F token is typically used, among other things, to provide a proof of human presence. Having it plugged into a remote machine makes that pretty much impossible.

As you said, when ssh support is available this might change, but even then the typical usage would be to keep the token with you and not leave it connected to the remote host.

I think using sufficient for sudo makes sense (assuming you trust your environment). What I would do is unplug the YubiKey before leaving the host unattended, or even better (if you ask me) only plug it in when you actually need it.

colemickens commented on May 29, 2024

Oh, I see what you're saying. And you're right. It turns out the only time this is a "problem" is when I'm remoting into the laptop on my desk (that I leave the Yubikey 4 Nano in since it stays on/near my person). Which means that I can just tap it anyway. I can't imagine a scenario where I will be affected by this --- in the scenario with my desktop, as you pointed out, I will have removed the Yubikey when I am away from it since I use the normal keychain fob with my desktop devices.

Thanks for the workaround and clarification. Closing this now.
