Description
What version of pam-u2f are you using?
1.4.0 from Fedora 43 repository
What operating system are you using?
Fedora 43
What authenticator are you using?
Yubikey 5
Problem description
If the syntax of the file /etc/security/pam_u2f.conf is not correct, like missing a new line at the end of the file, pam-u2f silently fails, even in debug mode (set in /etc/authselect/system-auth, at the line for pam_u2f.so).
In the same way, if the /etc/security/pam_u2f.conf file has too broad permissions (664), pam-u2f silently fails, even in debug mode. It has to be 644 at best.
By the way, if this /etc/security/pam_u2f.conf file exists, and if arguments are also passed in the pam configuration file (under /etc/pam.d/ or /etc/authselect/), the arguments are ignored.
Here is the output of such a run (valid /etc/security/pam_u2f.conf, but with too broad permissions 664, and arguments passed through /etc/authselect/system-auth):
su user
debug(pam_u2f): cfg.c:272 (cfg_init): called.
debug(pam_u2f): cfg.c:273 (cfg_init): flags 0 argc 4
debug(pam_u2f): cfg.c:275 (cfg_init): argv[0]=authfile=/etc/u2f_mappings
debug(pam_u2f): cfg.c:275 (cfg_init): argv[1]=origin=pam://errorprone
debug(pam_u2f): cfg.c:275 (cfg_init): argv[2]=cue
debug(pam_u2f): cfg.c:275 (cfg_init): argv[3]=debug
debug(pam_u2f): cfg.c:277 (cfg_init): max_devices=0
debug(pam_u2f): cfg.c:278 (cfg_init): debug=1
debug(pam_u2f): cfg.c:279 (cfg_init): interactive=0
debug(pam_u2f): cfg.c:280 (cfg_init): cue=0
debug(pam_u2f): cfg.c:281 (cfg_init): nodetect=0
debug(pam_u2f): cfg.c:282 (cfg_init): userpresence=-1
debug(pam_u2f): cfg.c:283 (cfg_init): userverification=-1
debug(pam_u2f): cfg.c:284 (cfg_init): pinverification=-1
debug(pam_u2f): cfg.c:285 (cfg_init): manual=0
debug(pam_u2f): cfg.c:286 (cfg_init): nouserok=0
debug(pam_u2f): cfg.c:287 (cfg_init): openasuser=0
debug(pam_u2f): cfg.c:288 (cfg_init): alwaysok=0
debug(pam_u2f): cfg.c:289 (cfg_init): sshformat=0
debug(pam_u2f): cfg.c:290 (cfg_init): expand=0
debug(pam_u2f): cfg.c:291 (cfg_init): authfile=(null)
debug(pam_u2f): cfg.c:292 (cfg_init): authpending_file=(null)
debug(pam_u2f): cfg.c:294 (cfg_init): origin=(null)
debug(pam_u2f): cfg.c:295 (cfg_init): appid=(null)
debug(pam_u2f): cfg.c:296 (cfg_init): prompt=(null)
su: Authentication failure
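A preflight check for the conditions this report says fail silently, plus the ignored-arguments case. It is an added example, not part of the issue or of pam-u2f. The function names and return codes are this example's own convention, and it assumes the permission rule is "not writable by group or others", which matches the 664/644 observation above.

```sh
#!/bin/sh
# Added example: lint a pam-u2f setup before relying on it for authentication.
# Function names and return codes are hypothetical (not pam-u2f's).

# check_u2f_conf FILE
#   0 = ok, 1 = missing/unreadable, 2 = group/other-writable, 3 = no final newline
check_u2f_conf() {
    u2f_conf=$1
    [ -r "$u2f_conf" ] || { echo "$u2f_conf: missing or unreadable" >&2; return 1; }

    # POSIX find: prints the path if the group-write (020) or other-write (002)
    # bit is set, which is the case for mode 664 but not for 644.
    if [ -n "$(find "$u2f_conf" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$u2f_conf: writable by group or others" >&2
        return 2
    fi

    # $(...) strips a trailing newline, so non-empty output means the
    # last byte of the file is something other than '\n'.
    if [ -n "$(tail -c 1 "$u2f_conf")" ]; then
        echo "$u2f_conf: last line is not newline-terminated" >&2
        return 3
    fi
    return 0
}

# shadowed_pam_args CONF PAMFILE
#   Prints uncommented pam_u2f.so lines in PAMFILE that carry arguments while
#   CONF exists (the report says such arguments are ignored).
#   Returns 0 if at least one such line is found, non-zero otherwise.
shadowed_pam_args() {
    [ -e "$1" ] || return 1
    grep -E '^[^#]*pam_u2f\.so[[:space:]]+[^[:space:]#]' "$2"
}

# Usage with the paths named in the report:
#   check_u2f_conf /etc/security/pam_u2f.conf
#   shadowed_pam_args /etc/security/pam_u2f.conf /etc/authselect/system-auth
```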