Comments (22)
Yep, that's the issue. From @smiller171 's log:
debug: pam-u2f.c:76 (parse_cfg): origin=(null)
debug: pam-u2f.c:77 (parse_cfg): appid=(null)
debug: pam-u2f.c:119 (pam_sm_authenticate): Origin not specified, using "pam://Scotts-MBP-2"
debug: pam-u2f.c:130 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://Scotts-MBP-2)
The hostname has a -2 suffix indicating the MBP probably renamed itself due to a 'false' .local name collision (it happens sometimes). This means it will probably fail again, next time it happens. IMO, the documentation should reflect the fact that origin and appid have to be set. Otherwise, if the hostname changes, authentication fails.
from pam-u2f.
Hello, I'm also using Mac OS X, and had the same problem. It is now that I solved it that I could search the right keywords and see others having the same problem. For the sake of explanation and to make up for the searching I did, here is a description and the solution (tl;dr: @g5pw is right):
By default Mac OS X changes the hostname by doing a reverse DNS lookup on the (DHCP) locally assigned IP. In order to reproduce the problem all that is needed is to set up your ~/.config/Yubico/u2f_keys when connected to some network, test that the key works and then disconnect (or connect to another network) - now the key should not work.
The solution is to set a hostname, so that the OS does not change it when connecting or disconnecting between networks. The programmable way to do that is by using scutil (system configuration utility) to query and set the hostname.
$ sudo scutil --set HostName my-static-hostname-or-fqdn-that-will-not-change
$ scutil --get HostName
my-static-hostname-or-fqdn-that-will-not-change
Cheers 🍺 🏖
PS: one can always reset the default behaviour by specifying an empty hostname
from pam-u2f.
For those encountering this problem, @c00kiemon5ter 's solution worked reliably for me also.
But note that it's --set and --get with double dashes.
from pam-u2f.
I've tried reproducing this on a Mac, but to no avail.
Have you made any changes lately? I know there has been some work on libhiapi which libu2f-host uses. Could that be the culprit?
Maybe try rebuilding with libu2f-host in verbose mode.
from pam-u2f.
How do I go about doing that?
from pam-u2f.
We should probably have a better way, but for now you have to change the 0 to a 1 in u2fh_global_init here https://github.com/Yubico/pam-u2f/blob/master/util.c#L244
from pam-u2f.
@a-dma does that require a recompile or is there somewhere I can change it on the existing install? I just installed from Homebrew.
from pam-u2f.
Yes, unfortunately it does require you to recompile the module (I've opened #43 to address this), but so far that's the only solution I'm afraid.
from pam-u2f.
@a-dma is that not what this is? https://github.com/Yubico/pam-u2f/blob/master/pamu2fcfg/cmdline.c#L42
from pam-u2f.
Not really. That sets verbose mode in the registration tool (aka pamu2fcfg). Libu2f-host itself can't be set in debug mode without recompiling.
What you could try to do is use the tool that comes with libu2f-host (aka u2f-host) with the -d flag and try to emulate what the pam module does to see if you can recreate the problem.
from pam-u2f.
like this? u2f-host -d --action=authenticate
from pam-u2f.
oh, my libu2f-host version seems to be out of date. It's on 1.0.0 and homebrew doesn't seem to want to upgrade.
from pam-u2f.
I modified the homebrew install script to get libu2f-host up to date. Still not working, but I'll try rebooting in a bit.
from pam-u2f.
yes you would want to do something like
u2f-server -a register -ohttp://test.com -ihttp://test.com -k hndle.dat -p user.dat -d
copy the challenge and paste it into
u2f-host -ohttp://test.com -a register -d
and then do a similar process with authentication
from pam-u2f.
This is indeed due to an outdated libu2f-host. I have submitted a pull request bumping Homebrew's version and can confirm that it works with the current version. Doing this should probably be added to the release process on Yubico's end.
from pam-u2f.
@elyscape it still didn't work when I updated libu2f-host.
The Apple Store replaced the logic board on my Mac for unrelated issues, and after re-installing all my stuff I had the same issue. Pam-u2f worked for a few days, then randomly stopped.
from pam-u2f.
Interesting. For me, it wasn't working at all until I updated libu2f-host, but now it works fine. I do need to hit the button for it to authenticate, though.
from pam-u2f.
@elyscape works for me for a couple days without updating libu2f-host, then stops randomly, and updating the lib doesn't help.
from pam-u2f.
I have the same issue, libu2f-{host,server} and pam-u2f installed from Macports.
EDIT: Oh, I think I got it! If origin and appid are not specified when calling pamu2fcfg, the system hostname is used. But the hostname can change under macOS (due to DHCP, for example). Solution: specify an origin and appid and it should work.
from pam-u2f.
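The hostname-fallback failure that the comment above and the first comment's debug output describe, as a shell example added here; this is not pam-u2f's own code. It parses pam-u2f debug lines to find the origin that was actually used, decides whether that origin was derived from the hostname and whether it still matches the current one, and checks a pam.d line for explicit origin= and appid= options. The log samples are constructed to match the format of the debug lines quoted in this thread; the pam.d lines, the hostname laptop.example and the authfile path are made up, and the format of a parse_cfg line with an explicit origin is assumed.

```shell
#!/bin/sh
# Added example, not pam-u2f project code. Diagnoses the "origin defaulted to
# hostname" failure mode from pam-u2f debug output and checks whether a pam.d
# line pins origin= and appid= so that a hostname change cannot break auth.

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_DEFAULTED='debug: pam-u2f.c:76 (parse_cfg): origin=(null)
debug: pam-u2f.c:77 (parse_cfg): appid=(null)
debug: pam-u2f.c:119 (pam_sm_authenticate): Origin not specified, using "pam://Scotts-MBP-2"
debug: pam-u2f.c:130 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://Scotts-MBP-2)'

# Constructed sample for a config that sets origin explicitly (line format assumed).
SAMPLE_EXPLICIT='debug: pam-u2f.c:76 (parse_cfg): origin=pam://laptop.example
debug: pam-u2f.c:77 (parse_cfg): appid=pam://laptop.example'

# effective_origin LOG: print the origin pam-u2f actually used (empty if none found).
effective_origin() {
  printf '%s\n' "$1" | sed -n \
    -e 's|.*Origin not specified, using "\([^"]*\)".*|\1|p' \
    -e 's|^.*parse_cfg): origin=\(pam://[^[:space:]]*\).*|\1|p' | head -n 1
}

# origin_was_defaulted LOG: succeed if pam-u2f fell back to the hostname.
origin_was_defaulted() {
  printf '%s\n' "$1" | grep -q 'Origin not specified'
}

# diagnose LOG HOSTNAME: print a one-word verdict.
#   explicit            origin set in config; hostname changes cannot break auth
#   defaulted-match     origin fell back to the hostname, which still matches
#   defaulted-mismatch  origin fell back to a hostname that differs from the
#                       current one, so the registered key handle will not verify
diagnose() {
  _log=$1
  _host=$2
  _origin=$(effective_origin "$_log")
  if origin_was_defaulted "$_log"; then
    if [ "$_origin" = "pam://$_host" ]; then
      echo defaulted-match
    else
      echo defaulted-mismatch
    fi
  else
    echo explicit
  fi
}

# pam_line_pinned LINE: succeed if a pam.d line for pam_u2f.so carries both
# origin= and appid=, i.e. does not depend on the hostname at all.
pam_line_pinned() {
  printf '%s\n' "$1" | grep -q 'pam_u2f\.so' || return 1
  printf '%s\n' "$1" | grep -q '[[:space:]]origin=[^[:space:]]' || return 1
  printf '%s\n' "$1" | grep -q '[[:space:]]appid=[^[:space:]]' || return 1
}

# Constructed pam.d lines: the hostname-dependent one and the pinned one.
WEAK_PAM_LINE='auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue'
PINNED_PAM_LINE='auth sufficient pam_u2f.so origin=pam://laptop.example appid=pam://laptop.example authfile=/etc/u2f_mappings cue'

# Stand-alone run: verdicts for the defaulted log before and after a rename,
# then the pam.d line check.
main() {
  echo "registered as Scotts-MBP-2, still Scotts-MBP-2: $(diagnose "$SAMPLE_DEFAULTED" Scotts-MBP-2)"
  echo "registered as Scotts-MBP-2, now Scotts-MBP:     $(diagnose "$SAMPLE_DEFAULTED" Scotts-MBP)"
  echo "explicit origin in config:                      $(diagnose "$SAMPLE_EXPLICIT" anything)"
  pam_line_pinned "$WEAK_PAM_LINE" && echo "weak line: pinned" || echo "weak line: depends on hostname"
  pam_line_pinned "$PINNED_PAM_LINE" && echo "pinned line: pinned" || echo "pinned line: depends on hostname"
}

main "$@"
```

To apply the fix the thread converges on, pin the values on the pam.d line (origin=... appid=...) and register with the same values, pamu2fcfg -o pam://laptop.example -i pam://laptop.example, since a U2F key handle is bound to the appid it was registered under; keys registered under the old hostname-derived appid will not verify against the new one and have to be re-registered.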
Will need to find time to test, but this sounds promising @g5pw
from pam-u2f.
README has been updated, and this (DHCP setting a new hostname) seems to have been the issue.
from pam-u2f.
@niall-byrne thanks, fixed in the comment.
from pam-u2f.