Yubikey not working #198

Closed
cwrau opened this issue Sep 20, 2018 · 9 comments

@cwrau

cwrau commented Sep 20, 2018

I'm submitting a…

[X] Bug
[ ] Feature Request
[ ] Other (Please describe in detail)

Current Behavior

When trying to use i3lock, I cannot unlock, which requires my yubikey
The yubikey is blinking, but the login is ultimately unsuccessful

Expected Behavior

i3lock unlocks normally

Reproduction Instructions

Set up yubikey required pam auth, run i3lock and try to unlock

Environment

Output of i3lock --version:

i3lock version: 2.10
@eplanet
Contributor

eplanet commented Sep 20, 2018

Hello! Thanks for reporting the issue, I don't think Yubikey is supported (yet) in i3lock.

I assume you installed PAM module described here? If so, could you follow the instructions in the Troubleshooting section and post the logs here? Don't forget to remove any sensitive information from these logs.

@cwrau
Author

cwrau commented Sep 20, 2018

No, I used the challenge-response method (https://support.yubico.com/support/solutions/articles/15000011355-ubuntu-linux-login-guide-challenge-response), but it's working everywhere, just not in i3lock.
My current workaround is to log in using another terminal and then pkill the i3lock.

The debug doesn't write anything to the file, but this to the terminal:

[../pam_yubico.c:parse_cfg(759)] called.
[../pam_yubico.c:parse_cfg(760)] flags 32768 argc 4
[../pam_yubico.c:parse_cfg(762)] argv[0]=mode=challenge-response
[../pam_yubico.c:parse_cfg(762)] argv[1]=chalresp_path=/var/yubico
[../pam_yubico.c:parse_cfg(762)] argv[2]=debug
[../pam_yubico.c:parse_cfg(762)] argv[3]=debug_file=/var/log/pam_yubico.log
[../pam_yubico.c:parse_cfg(763)] id=0
[../pam_yubico.c:parse_cfg(764)] key=(null)
[../pam_yubico.c:parse_cfg(765)] debug=1
[../pam_yubico.c:parse_cfg(766)] alwaysok=0
[../pam_yubico.c:parse_cfg(767)] verbose_otp=0
[../pam_yubico.c:parse_cfg(768)] try_first_pass=0
[../pam_yubico.c:parse_cfg(769)] use_first_pass=0
[../pam_yubico.c:parse_cfg(770)] authfile=(null)
[../pam_yubico.c:parse_cfg(771)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(772)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(773)] ldap_bind_user=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_bind_password=(null)
[../pam_yubico.c:parse_cfg(775)] ldap_filter=(null)
[../pam_yubico.c:parse_cfg(776)] ldap_cacertfile=(null)
[../pam_yubico.c:parse_cfg(777)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(778)] user_attr=(null)
[../pam_yubico.c:parse_cfg(779)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(780)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(781)] url=(null)
[../pam_yubico.c:parse_cfg(782)] urllist=(null)
[../pam_yubico.c:parse_cfg(783)] capath=(null)
[../pam_yubico.c:parse_cfg(784)] cainfo=(null)
[../pam_yubico.c:parse_cfg(785)] proxy=(null)
[../pam_yubico.c:parse_cfg(786)] token_id_length=12
[../pam_yubico.c:parse_cfg(787)] mode=chresp
[../pam_yubico.c:parse_cfg(788)] chalresp_path=/var/yubico
[../pam_yubico.c:pam_sm_authenticate(819)] pam_yubico version: 2.23
[../pam_yubico.c:pam_sm_authenticate(834)] get user returned: cwr
[../util.c:check_firmware_version(212)] YubiKey Firmware version: 4.3.7

[../pam_yubico.c:do_challenge_response(483)] Loading challenge from file /var/yubico/cwr-**
[../util.c:load_chalresp_state(363)] Challenge: **, hashed response: **, salt: **, iterations: 10000, slot: 2
[../pam_yubico.c:do_challenge_response(559)] Got the expected response, generating new challenge (63 bytes).
[../pam_yubico.c:do_challenge_response(645)] Challenge-response success!

@shenron

shenron commented Nov 2, 2018

I think it's not the same problem because my yubikey never blinks. I used this tutorial: https://www.jamesthebard.net/archlinux-and-u2f-login/

The default pam configuration did not work, that's why I override the pam config of i3lock and allow either my password or the challenge of the yubikey.
My password works, not my yubikey ...

/etc/pam.d/i3lock

#auth include system-auth
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
auth sufficient pam_unix.so try_first_pass nullok

Something linked to the authfile? I have no error

journalctl -n 100 --no-page

Nov 02 13:15:24 arch unix_chkpwd[15935]: password check failed for user (shenron)
Nov 02 13:15:24 arch i3lock[15932]: pam_unix(i3lock:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=shenron

Edit:

If I remove the authfile and add the mapping in the default place it works ...

mkdir -p ~/.config/Yubico
pamu2fcfg -u"$(whoami)" > ~/.config/Yubico/u2f_keys

@madchap

madchap commented Nov 10, 2018

> The debug doesn't write anything to the file, but this to the terminal:

You'd have to make your pam config change, then fully logout of your i3 session. That worked for me as I am starting i3 with startx.

Yet, I guess you're right... trying to reproduce the issue with i3lock does not log anything to the yubico debug log file. In my case, the yubikey does not even blink (I am also using hmac challenge-response).

@madchap

madchap commented Nov 10, 2018

A not-so-safe workaround is to give it suid, and it may just go away with some update or other jobs that may fix permissions.

chmod u+s $(which i3lock)

The post that gave me this answer: Yubico/yubico-pam#113

@cwrau
Author

cwrau commented Nov 12, 2018

That is a much better workaround, thanks!

@kpcyrd

kpcyrd commented Nov 12, 2018

Instead of executing i3lock as root, you probably want to figure out which capabilities are needed and then assign them with setcap(8).

@cwrau
Author

cwrau commented Nov 12, 2018

Sadly I don't know which capabilities it would need

@stapelberg
Member

Thanks for providing the workaround. I’ll close this issue, as it seems to me that it’s a shortcoming of the yubikey PAM module and has nothing to do with i3lock itself.
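
A diagnostic for the configurations quoted in this thread, added here as an example and not posted by any participant or taken from i3lock or the Yubico modules: it lists the file arguments (`chalresp_path`, `debug_file`, `authfile`) of a PAM service file and reports whether the current, unprivileged user can access each. It assumes a non-setuid locker runs the PAM modules with that user's own privileges; the function names and the `auth required pam_yubico.so` prefix in the sample are constructed.

```sh
#!/bin/sh
# Added diagnostic, not from the thread. Assumption: a non-setuid locker runs
# PAM modules with the caller's own privileges, so each file a module is
# pointed at must be accessible to that user.

# For every file-path argument in a PAM service file print
#   <key>=<path> <ok|DENIED|MISSING>
# Runs in a subshell so `set -f` (no globbing while splitting) stays local.
pam_path_access() (
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        for tok in $line; do
            key=${tok%%=*}; path=${tok#*=}
            case $key in
                authfile)      need=r ;;      # pam_u2f mapping file: read only
                debug_file)    need=w ;;      # debug log: written
                chalresp_path) need=rwx ;;    # state dir: read, then rewritten
                *) continue ;;
            esac
            if [ ! -e "$path" ]; then state=MISSING
            else
                state=ok
                case $need in *r*) [ -r "$path" ] || state=DENIED ;; esac
                case $need in *w*) [ -w "$path" ] || state=DENIED ;; esac
                case $need in *x*) [ -x "$path" ] || state=DENIED ;; esac
            fi
            printf '%s=%s %s\n' "$key" "$path" "$state"
        done
    done < "$1"
)

# True when the binary carries the setuid bit, i.e. the chmod u+s workaround
# is in effect and the access results above no longer describe the locker.
is_setuid() { [ -u "$1" ]; }

# Constructed sample built from the arguments quoted in the thread; the
# "auth required pam_yubico.so" prefix is an assumption.
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico debug debug_file=/var/log/pam_yubico.log
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
EOF
pam_path_access "$demo"
rm -f "$demo"
locker=$(command -v i3lock) || locker=
if [ -n "$locker" ] && is_setuid "$locker"; then echo "$locker is setuid"; fi
```

Run it as the user who starts i3lock, and point `pam_path_access` at the real service file (for example `/etc/pam.d/i3lock`) to check the paths actually configured.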

sh1r4s3 pushed a commit to sh1r4s3/i3lock-gif that referenced this issue Jun 26, 2022
* Add outline color and width for every text element

Define outline colors, i.e. --timeoutlinecolor=FFFF00FF
Define outline width, i.e. --timeoutlinewidth=0.75

New arguments:
    --verifoutlinecolor
    --wrongoutlinecolor
    --layoutoutlinecolor
    --timeoutlinecolor
    --dateoutlinecolor
    --greeteroutlinecolor

    --timeoutlinewidth
    --dateoutlinewidth
    --verifoutlinewidth
    --wrongoutlinewidth
    --modifieroutlinewidth
    --layoutoutlinewidth
    --greeteroutlinewidth

* Separate the variable definitions

Co-authored-by: Raymond Li <hi@raymond.li>