randomly stopped working on OSX about pam-u2f HOT 22 CLOSED

Yep, that's the issue. From @smiller171 's log:

debug: pam-u2f.c:76 (parse_cfg): origin=(null)
debug: pam-u2f.c:77 (parse_cfg): appid=(null)
debug: pam-u2f.c:119 (pam_sm_authenticate): Origin not specified, using "pam://Scotts-MBP-2"
debug: pam-u2f.c:130 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://Scotts-MBP-2)

The hostname has a -2 suffix indicating the MBP probably renamed itself due to a 'false' .local name collision (it happens sometimes). This means it will probably fail again, next time it happens. IMO, the documentation should reflect the fact that origin and appid have to be set. Otherwise, if the hostname changes, authentication fails.

from pam-u2f.

Hello, I'm also using mac os x, and had the same problem. It is now that I solved it that I could search the right keywords and see others having the same problem. For the sake of explanation and to make up for the searching I did, here is a description and the solution (tldr; @g5pw is right):

By default mac os x changes the hostname by doing a reverse dns lookup on the (dhcp) locally assigned ip. In order to reproduce the problem all that is needed is to setup your ~/.config/Yubicon/u2f_keys when connected to some network, test that the key works and then disconnect (or connect to another network) - now the key should not work.

The solution is to set a hostname, so that the OS does not change it when connecting or disconnecting between networks. The programmable way to do that, is by using scutil (system configuration utility) to query and set the hostname.

$ sudo scutil --set HostName my-static-hostname-or-fqdn-that-will-not-change
$ scutil --get HostName
my-static-hostname-or-fqdn-that-will-not-change

Cheers 🍺 🏖

PS: one can always reset the default behaviour by specifying an empty hostname

from pam-u2f.

For those encountering this problem, @c00kiemon5ter 's solution worked reliably for me also.
But note that it's --set and --get with double dashes.

from pam-u2f.

I've tried reproducing this on a Mac, but to no avail.
Have you made any changes lately? I know there has been some work on libhiapi which libu2f-host uses. Could that be the culprit?

Maybe try rebuilding with libu2f-host in verbose mode.

from pam-u2f.

How do I go about doing that?

from pam-u2f.

We should probably have a better way, but for now you have to change the 0 to a 1 in u2fh_global_init here https://github.com/Yubico/pam-u2f/blob/master/util.c#L244

from pam-u2f.

@a-dma does that require a recompile or is there somewhere I can change it on the existing install? I just installed from Homebrew.

from pam-u2f.

Yes, unfortunately it does require you to recompile the module (I've opened #43 to address this), but so far that's the only solution I'm afraid.

from pam-u2f.

@a-dma is that not what this is? https://github.com/Yubico/pam-u2f/blob/master/pamu2fcfg/cmdline.c#L42

from pam-u2f.

Not really. That sets verbose mode in the registration tool (aka pamu2fcfg). Libu2f-host itself can't be set in debug mode without recompiling.

What you could try to do is use the tool that comes with libu2f-host (aka u2f-host) with the -d flag and try to emulate what the pam module does to see if you can recreate the problem.

from pam-u2f.

like this? u2f-host -d --action=authenticate

from pam-u2f.

oh, my libu2f-host version seems to be out of date. It's on 1.0.0 and homebrew doesn't seem to want to upgrade.

from pam-u2f.

I modified the homebrew install script to get libu2f-host up to date. Still not working, but I'll try rebooting in a bit.

from pam-u2f.

yes you would want to do something like
u2f-server -a register -ohttp://test.com -ihttp://test.com -k hndle.dat -p user.dat -d
copy the challenge and paste it into
u2f-host -ohttp://test.com -a register -d

and then do a similar process with authentication

from pam-u2f.

This is indeed due to an outdated libu2f-host. I have submitted a pull request bumping Homebrew's version and can confirm that it works with the current version. Doing this should probably be added to the release process on Yubico's end.

from pam-u2f.

@elyscape it still didn't work when I updated libu2f-host.

The Apple Store replaced the logic board on my Mac for unrelated issues, and after re-installing all my stuff I had the same issue. Pam-u2f worked for a few days, then randomly stopped.

from pam-u2f.

Interesting. For me, it wasn't working at all until I updated libu2f-host, but now it works fine. I do need to hit the button for it to authenticate, though.

from pam-u2f.

@elyscape works for me for a couple days without updating libu2f-host, then stops randomly, and updating the lib doesn't help.

from pam-u2f.

I have the same issue, libu2f-{host,server} and pam-u2f installed from Macports.
EDIT: Oh, I think I got it! If origin and appid are not specified when calling pamu2fcfg, the system hostname is used. But the hostname can change under macOS (due to DHCP, for example). Solution: specify an origin and appid and it should work.

from pam-u2f.

Will need to find time to test, but this sounds promising @g5pw

from pam-u2f.

README has been updated, and this (DHCP setting a new hostname) seems to have been the issue.

from pam-u2f.

@niall-byrne thanks, fixed in the comment.

from pam-u2f.