Package: libpam-u2f
Version: 1.0.6-1
Severity: important

Dear Maintainer,

during a system upgrade on buster the package libpam-u2f is upgraded from 1.0.4 to 1.0.6. After the upgrade the PAM module fails to authenticate with the U2Fzero device (u2fzero.com). A manual downgrade to 1.0.4 solves all issues.

This is severe: if the system is rebooted directly, authentication would fail. The user would be locked out of the machine.

A quick look at the code shows a lot of changes between the two (minor) versions. But I couldn't figure out the exact lines involved yet.

While with the 1.0.4 version the u2f device shows a red light as a signal for pressing the button, the 1.0.6 version makes the device just light up bright green.

My Configuration files:

/etc/pam.d/u2f:
auth required pam_u2f.so authfile=/etc/u2f_keys cue debug openasuser

/etc/pam.d/sudo:
#%PAM-1.0

@include common-auth
@include common-account
@include common-session-noninteractive
@include u2f

Output with debug option enabled:

jkur@durruti:~$ sudo su
[sudo] Passwort für jkur:
[../pam-u2f.c:parse_cfg(64)] called.
[../pam-u2f.c:parse_cfg(65)] flags 32768 argc 3
[../pam-u2f.c:parse_cfg(67)] argv[0]=authfile=/etc/u2f_keys
[../pam-u2f.c:parse_cfg(67)] argv[1]=cue
[../pam-u2f.c:parse_cfg(67)] argv[2]=debug
[../pam-u2f.c:parse_cfg(68)] max_devices=0
[../pam-u2f.c:parse_cfg(69)] debug=1
[../pam-u2f.c:parse_cfg(70)] interactive=0
[../pam-u2f.c:parse_cfg(71)] cue=1
[../pam-u2f.c:parse_cfg(72)] manual=0
[../pam-u2f.c:parse_cfg(73)] nouserok=0
[../pam-u2f.c:parse_cfg(74)] alwaysok=0
[../pam-u2f.c:parse_cfg(75)] authfile=/etc/u2f_keys
[../pam-u2f.c:parse_cfg(76)] origin=(null)
[../pam-u2f.c:parse_cfg(77)] appid=(null)
[../pam-u2f.c:pam_sm_authenticate(119)] Origin not specified, using "pam://durruti"
[../pam-u2f.c:pam_sm_authenticate(130)] Appid not specified, using the same value of origin (pam://durruti)
[../pam-u2f.c:pam_sm_authenticate(140)] Maximum devices number not set. Using default (24)
[../pam-u2f.c:pam_sm_authenticate(158)] Requesting authentication for user jkur
[../pam-u2f.c:pam_sm_authenticate(169)] Found user jkur
[../pam-u2f.c:pam_sm_authenticate(170)] Home directory for jkur is /home/jkur
[../pam-u2f.c:pam_sm_authenticate(221)] Using authentication file /etc/u2f_keys
[../util.c:get_devices_from_authfile(107)] Authorization line: jkur:bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_,047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
[../util.c:get_devices_from_authfile(112)] Matched user: jkur
[../util.c:get_devices_from_authfile(130)] KeyHandle for device number 1: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
[../util.c:get_devices_from_authfile(157)] publicKey for device number 1: 047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
[../util.c:get_devices_from_authfile(172)] Length of key number 1 is 65
[../util.c:get_devices_from_authfile(200)] Found 1 device(s) for user jkur
Please touch the device.
[../util.c:do_authentication(262)] Device max index is 0
[../util.c:do_authentication(288)] Attempting authentication with device number 1
[../util.c:do_authentication(310)] Challenge: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "frqCM5S0XEXkVNKHoRD96P9jVFLmDI0M-jdLWb_kK0U", "appId": "pam:\/\/durruti" }
[../util.c:do_authentication(316)] Response: { "signatureData": "AQAAAcgwRQIgRoPNq_hryxmrH6m2VWM5ANsHptaUTefUmUEjtKehr_gCIQDHVex3x3XYKQfXBbTGGDndLklGbh80DkEHff2e9KvKbA", "clientData": "eyAiY2hhbGxlbmdlIjogImZycUNNNVMwWEVYa1ZOS0hvUkQ5NlA5alZGTG1ESTBNLWpkTFdiX2tLMFUiLCAib3JpZ2luIjogInBhbTpcL1wvZHVycnV0aSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmdldEFzc2VydGlvbiIgfQ", "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_" }
[../pam-u2f.c:pam_sm_authenticate(275)] done.
[Erfolg]
root@durruti:/home/jkur#
root@durruti:/home/jkur#
root@durruti:/home/jkur#
root@durruti:/home/jkur# exit

jkur@durruti:~$ sudo su
[sudo] Passwort für jkur:
debug(pam_u2f): ../pam-u2f.c:89 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:90 (parse_cfg): flags 32768 argc 4
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[0]=authfile=/etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[1]=cue
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[2]=debug
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[3]=openasuser
debug(pam_u2f): ../pam-u2f.c:94 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:95 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:96 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:97 (parse_cfg): cue=1
debug(pam_u2f): ../pam-u2f.c:98 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): openasuser=1
debug(pam_u2f): ../pam-u2f.c:101 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): authfile=/etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:103 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:146 (pam_sm_authenticate): Origin not specified, using "pam://durruti"
debug(pam_u2f): ../pam-u2f.c:156 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://durruti)
debug(pam_u2f): ../pam-u2f.c:165 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:183 (pam_sm_authenticate): Requesting authentication for user jkur
debug(pam_u2f): ../pam-u2f.c:194 (pam_sm_authenticate): Found user jkur
debug(pam_u2f): ../pam-u2f.c:195 (pam_sm_authenticate): Home directory for jkur is /home/jkur
debug(pam_u2f): ../pam-u2f.c:235 (pam_sm_authenticate): Using authentication file /etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:245 (pam_sm_authenticate): Switched to uid 1000
debug(pam_u2f): ../util.c:102 (get_devices_from_authfile): Authorization line: jkur:bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_,047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
debug(pam_u2f): ../util.c:107 (get_devices_from_authfile): Matched user: jkur
debug(pam_u2f): ../util.c:134 (get_devices_from_authfile): KeyHandle for device number 1: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
debug(pam_u2f): ../util.c:153 (get_devices_from_authfile): publicKey for device number 1: 047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
debug(pam_u2f): ../util.c:164 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:191 (get_devices_from_authfile): Found 1 device(s) for user jkur
debug(pam_u2f): ../pam-u2f.c:256 (pam_sm_authenticate): Switched back to uid 0
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
USB read rc read 64
USB recv: ffffffff8600110807060504030201cafebabe020200000315cea8f3b6d054ce7c6c8da9afb5f9fffb44fc6228a4ecd4dcbacb6d63baba57bc97ec53860e39ae
device /dev/hidraw0 discovered as 'U2F Zero'
version (Interface, Major, Minor, Build): 2, 2, 0, 0
capFlags: 3
debug(pam_u2f): ../util.c:269 (do_authentication): Device max index is 0
debug(pam_u2f): ../util.c:300 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): ../util.c:322 (do_authentication): Challenge: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON challenge URL-B64: XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA
client data: { "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "origin": "pam:\/\/durruti", "typ": "navigator.id.getAssertion" }
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON app_id pam://durruti
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON keyHandle URL-B64: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
USB send: 00cafebabe83006e00020700000065a549964c3b62b878f71cebda3fe1a8a4b50b38645ca277ebb1dbc24f52d67af739e9eb27ecdb0c00b8e469121d93a9d569
USB write returned 65
USB send: 00cafebabe00021d4f2cbc287aea8b36c7eba054246f3d7fa6c806a15aa3ec417ac280011eebb815243fa13273ff9cf0cc4fa6226fca4626ff00000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
now trying with timeout 512
now trying with timeout 1024
USB read rc read 64
USB recv: cafebabe830002698400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6984
debug(pam_u2f): ../util.c:348 (do_authentication): Device for this keyhandle is not present.
USB send: 00cafebabe8100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
now trying with timeout 512
now trying with timeout 1024
now trying with timeout 2048
now trying with timeout 4096
^CUSB read rc read 64
Device /dev/hidraw0 failed ping, dead.
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
^C^C^C^CUSB write returned -1
debug(pam_u2f): ../util.c:355 (do_authentication): Unable to discover devices
debug(pam_u2f): ../pam-u2f.c:293 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): ../pam-u2f.c:312 (pam_sm_authenticate): done.
[Fehler bei Authentifizierung]
sudo: 1 Fehlversuch bei der Passwort-Eingabe

Best regards,
Jörg

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (150, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6           2.27-3
ii  libpam0g        1.1.8-3.7
ii  libu2f-host0    1.1.4-1
ii  libu2f-server0  1.1.0-1

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg  1.0.6-1

libpam-u2f suggests no packages.

-- no debconf information

--
Jörg (j...@corsario.org)
GPG-ID: 0xFAE26711E6EBF94D
Fingerprint: 8A79 8BF8 0A04 60EA A004 7E42 FAE2 6711 E6EB F94D