pam_u2f module doesn't work after the first log-in using YubiKey

Hi! I’m trying to use my YubiKey for session login and unlocking the session using the pam_u2f.so module (in “required” mode). I will show you my conf files at the end of the message, just let me explain my problem first!
My problem is: the first login (just after boot) works perfectly. However, every time I return to the login page (for any reason, like “lock-session”, “computer sleeping”, etc.), I can’t log in. D:
Here’s what I have tried to debug:

  • Remove pam_u2f.so, to be sure the problem comes from it => I can log in again :), pam_u2f.so is the reason why I can’t log in
  • I found this link (cve-details), then I tried the suggested mitigation => didn’t change anything
  • I put SELinux in “permissive” mode (but the best would be to find a solution without disabling SELinux) => didn’t change anything, SELinux isn’t the problem
  • I used the “nouserok” pam_u2f.so option (nouserok = if your user doesn’t have a file with keys OR if there is no key for your user in the file THEN pam_u2f.so returns OK :+1: ) in order to see if the module reads the file. The result is, I can’t log in => that means pam_u2f.so can read the file with the key BUT for some reason the verification with the YubiKey doesn’t work (even though it works for the very first log-in)
  • The only log I can get is (from cat /var/log/secure) the following; it appears when I can’t log in in the “login window”, not the “unlock window” (I have no logs when I try to log in using the unlock window :/, maybe there are more logs somewhere):
Mar 11 15:21:56 fedora sddm-helper[6110]: pam_kwallet5(sddm:auth): pam_kwallet5: pam_sm_authenticate

I’m out of ideas and solutions, if someone can help with that problem, I would be very, very happy :smiley:!

Here is my PAM conf:
Added /etc/pam.d/u2f-required

#%PAM-1.0
auth       required     pam_u2f.so

Included the u2f-required file in /etc/pam.d/kde (for unlocking the window session) and /etc/pam.d/sddm (for the log-in window).
In both cases, I added the u2f-required line just after the postlogin line:

....
auth        include       postlogin
auth        include       u2f-required
...

And the key file is in the standard location: /home/<USER>/.config/Yubico/u2f_keys
with the following rights (can’t be modified by the user, but they can read it):

-rw-r--r--.  1 root           root            208 10 mars  17:16 u2f_keys

If you have any questions, feel free to ask!

I have no idea what the problem might be, but I’d suggest using pamtester to test your authentication stacks and configuring debug options for pam_u2f. (See man pam_u2f for details about the options.)


Edit: Having root-owned files in a normal user’s home directory doesn’t sound right. It is possible that the pam_u2f library is checking for correct ownership (and permissions). I’d suggest running sudo chown -R $USER: ~/.config/Yubico and chmod 600 ~/.config/Yubico/u2f_keys.
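To make the two suggestions above checkable before touching the real login stacks, here is an added example (not code from the thread) that verifies the key file's ownership and mode, confirms a pam.d stack actually pulls in pam_u2f, and prints the pamtester command for a given service; it assumes Linux with GNU `stat` and runs on constructed files in a temp directory.

```shell
# Added example (not from the thread): sanity checks for a pam_u2f setup,
# following the reply's two suggestions. Assumes Linux with GNU `stat`.

# check_u2f_keys FILE USER
# Succeeds only if FILE is non-empty, owned by USER and mode 600, which is
# the state the reply's chown/chmod commands produce.
check_u2f_keys() {
    f=$1; u=$2
    [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" = "$u" ] || { echo "owner is $owner, expected $u"; return 1; }
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600"; return 1; }
    echo "ok: $f"
}

# stack_includes_u2f PAMFILE
# Succeeds if an auth line in PAMFILE pulls in pam_u2f, directly or via
# "auth include u2f-required" as in the poster's sddm/kde stacks.
stack_includes_u2f() {
    grep -Eq '^auth[[:space:]]+(required[[:space:]]+pam_u2f\.so|include[[:space:]]+u2f-required)' "$1"
}

# pamtester_cmd SERVICE USER
# Prints the pamtester invocation that exercises SERVICE's auth stack for
# USER, so sddm and kde can both be tested from a terminal while logged in.
pamtester_cmd() {
    printf 'pamtester -v %s %s authenticate\n' "$1" "$2"
}

# Demo on constructed files in a temp dir; the real paths are
# ~/.config/Yubico/u2f_keys and /etc/pam.d/sddm, /etc/pam.d/kde.
demo() {
    d=$(mktemp -d)
    printf 'alice:CONSTRUCTED_KEYHANDLE,CONSTRUCTED_PUBKEY\n' > "$d/u2f_keys"
    chmod 644 "$d/u2f_keys"
    check_u2f_keys "$d/u2f_keys" "$(id -un)" || echo "(rejected, as expected)"
    chmod 600 "$d/u2f_keys"
    check_u2f_keys "$d/u2f_keys" "$(id -un)"
    printf 'auth        include       postlogin\nauth        include       u2f-required\n' > "$d/sddm"
    stack_includes_u2f "$d/sddm" && echo "sddm stack includes u2f-required"
    pamtester_cmd sddm "$(id -un)"
    rm -rf "$d"
}
demo
```

Run the printed pamtester command for both `sddm` and `kde` (with `debug` added to the pam_u2f line) to compare the two stacks without having to lock the session.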

Hi! Thanks for answering, I will try pamtester tonight or tomorrow and I’ll come back to share what I find :slight_smile:

Regarding the u2f_keys file, I tried using an “authfile” in /etc/u2f_mapping (I did this with my ArchLinux setup and it worked perfectly), but it didn’t work on Fedora. That is why I tried another approach (just in case). Anyway, when I do my debugging, I’m testing both solutions.

So for me there is no problem with the file location. It seems like the most important thing is a file that can be read by the pam_u2f.so module.