[Pkg-auth-maintainers] Bug#898519: libpam-u2f: upgrade to 1.0.6 breaks authentication with u2fzero device

Jörg Kurlbaum jkur at corsario.org
Sun May 13 00:55:28 BST 2018


Package: libpam-u2f
Version: 1.0.6-1
Severity: important

Dear Maintainer,

during a system upgrade on buster the package libpam-u2f is upgraded from 1.0.4 to 1.0.6.

After the upgrade the PAM module fails to authenticate with the U2Fzero device (u2fzero.com).
A manual downgrade to 1.0.4 solves all issues.

This is severe: if the system is rebooted directly, authentication would fail.
The user would be locked out of the machine.

A quick look at the code shows a lot of changes between the two (minor) versions. But I couldn't
figure out the exact lines involved yet.

While with the 1.0.4 version the u2f device shows a red light as signal for pressing the button,
the 1.0.6 version makes the device just light up bright green.


My Configuration files:


/etc/pam.d/u2f:

auth required pam_u2f.so authfile=/etc/u2f_keys cue debug openasuser


/etc/pam.d/sudo:

#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive
@include u2f



Output with debug option enabled:

jkur at durruti:~$ sudo su
[sudo] Passwort für jkur: 
[../pam-u2f.c:parse_cfg(64)] called.
[../pam-u2f.c:parse_cfg(65)] flags 32768 argc 3
[../pam-u2f.c:parse_cfg(67)] argv[0]=authfile=/etc/u2f_keys
[../pam-u2f.c:parse_cfg(67)] argv[1]=cue
[../pam-u2f.c:parse_cfg(67)] argv[2]=debug
[../pam-u2f.c:parse_cfg(68)] max_devices=0
[../pam-u2f.c:parse_cfg(69)] debug=1
[../pam-u2f.c:parse_cfg(70)] interactive=0
[../pam-u2f.c:parse_cfg(71)] cue=1
[../pam-u2f.c:parse_cfg(72)] manual=0
[../pam-u2f.c:parse_cfg(73)] nouserok=0
[../pam-u2f.c:parse_cfg(74)] alwaysok=0
[../pam-u2f.c:parse_cfg(75)] authfile=/etc/u2f_keys
[../pam-u2f.c:parse_cfg(76)] origin=(null)
[../pam-u2f.c:parse_cfg(77)] appid=(null)
[../pam-u2f.c:pam_sm_authenticate(119)] Origin not specified, using "pam://durruti"
[../pam-u2f.c:pam_sm_authenticate(130)] Appid not specified, using the same value of origin (pam://durruti)
[../pam-u2f.c:pam_sm_authenticate(140)] Maximum devices number not set. Using default (24)
[../pam-u2f.c:pam_sm_authenticate(158)] Requesting authentication for user jkur
[../pam-u2f.c:pam_sm_authenticate(169)] Found user jkur
[../pam-u2f.c:pam_sm_authenticate(170)] Home directory for jkur is /home/jkur
[../pam-u2f.c:pam_sm_authenticate(221)] Using authentication file /etc/u2f_keys
[../util.c:get_devices_from_authfile(107)] Authorization line: jkur:bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_,047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
[../util.c:get_devices_from_authfile(112)] Matched user: jkur
[../util.c:get_devices_from_authfile(130)] KeyHandle for device number 1: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
[../util.c:get_devices_from_authfile(157)] publicKey for device number 1: 047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
[../util.c:get_devices_from_authfile(172)] Length of key number 1 is 65
[../util.c:get_devices_from_authfile(200)] Found 1 device(s) for user jkur
Please touch the device.
[../util.c:do_authentication(262)] Device max index is 0
[../util.c:do_authentication(288)] Attempting authentication with device number 1
[../util.c:do_authentication(310)] Challenge: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "frqCM5S0XEXkVNKHoRD96P9jVFLmDI0M-jdLWb_kK0U", "appId": "pam:\/\/durruti" }
[../util.c:do_authentication(316)] Response: { "signatureData": "AQAAAcgwRQIgRoPNq_hryxmrH6m2VWM5ANsHptaUTefUmUEjtKehr_gCIQDHVex3x3XYKQfXBbTGGDndLklGbh80DkEHff2e9KvKbA", "clientData": "eyAiY2hhbGxlbmdlIjogImZycUNNNVMwWEVYa1ZOS0hvUkQ5NlA5alZGTG1ESTBNLWpkTFdiX2tLMFUiLCAib3JpZ2luIjogInBhbTpcL1wvZHVycnV0aSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmdldEFzc2VydGlvbiIgfQ", "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_" }
[../pam-u2f.c:pam_sm_authenticate(275)] done. [Erfolg]
root at durruti:/home/jkur# 
root at durruti:/home/jkur# 
root at durruti:/home/jkur# 
root at durruti:/home/jkur# exit
jkur at durruti:~$ sudo su
[sudo] Passwort für jkur: 
debug(pam_u2f): ../pam-u2f.c:89 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:90 (parse_cfg): flags 32768 argc 4
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[0]=authfile=/etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[1]=cue
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[2]=debug
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[3]=openasuser
debug(pam_u2f): ../pam-u2f.c:94 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:95 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:96 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:97 (parse_cfg): cue=1
debug(pam_u2f): ../pam-u2f.c:98 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): openasuser=1
debug(pam_u2f): ../pam-u2f.c:101 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): authfile=/etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:103 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:146 (pam_sm_authenticate): Origin not specified, using "pam://durruti"
debug(pam_u2f): ../pam-u2f.c:156 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://durruti)
debug(pam_u2f): ../pam-u2f.c:165 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:183 (pam_sm_authenticate): Requesting authentication for user jkur
debug(pam_u2f): ../pam-u2f.c:194 (pam_sm_authenticate): Found user jkur
debug(pam_u2f): ../pam-u2f.c:195 (pam_sm_authenticate): Home directory for jkur is /home/jkur
debug(pam_u2f): ../pam-u2f.c:235 (pam_sm_authenticate): Using authentication file /etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:245 (pam_sm_authenticate): Switched to uid 1000
debug(pam_u2f): ../util.c:102 (get_devices_from_authfile): Authorization line: jkur:bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_,047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
debug(pam_u2f): ../util.c:107 (get_devices_from_authfile): Matched user: jkur
debug(pam_u2f): ../util.c:134 (get_devices_from_authfile): KeyHandle for device number 1: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
debug(pam_u2f): ../util.c:153 (get_devices_from_authfile): publicKey for device number 1: 047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
debug(pam_u2f): ../util.c:164 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:191 (get_devices_from_authfile): Found 1 device(s) for user jkur
debug(pam_u2f): ../pam-u2f.c:256 (pam_sm_authenticate): Switched back to uid 0
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
USB read rc read 64
USB recv: ffffffff8600110807060504030201cafebabe020200000315cea8f3b6d054ce7c6c8da9afb5f9fffb44fc6228a4ecd4dcbacb6d63baba57bc97ec53860e39ae
device /dev/hidraw0 discovered as 'U2F Zero'
  version (Interface, Major, Minor, Build): 2, 2, 0, 0  capFlags: 3
debug(pam_u2f): ../util.c:269 (do_authentication): Device max index is 0
debug(pam_u2f): ../util.c:300 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): ../util.c:322 (do_authentication): Challenge: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON challenge URL-B64: XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA
client data: { "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "origin": "pam:\/\/durruti", "typ": "navigator.id.getAssertion" }
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON app_id pam://durruti
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON keyHandle URL-B64: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
USB send: 00cafebabe83006e00020700000065a549964c3b62b878f71cebda3fe1a8a4b50b38645ca277ebb1dbc24f52d67af739e9eb27ecdb0c00b8e469121d93a9d569
USB write returned 65
USB send: 00cafebabe00021d4f2cbc287aea8b36c7eba054246f3d7fa6c806a15aa3ec417ac280011eebb815243fa13273ff9cf0cc4fa6226fca4626ff00000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
now trying with timeout 512
now trying with timeout 1024
USB read rc read 64
USB recv: cafebabe830002698400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6984
debug(pam_u2f): ../util.c:348 (do_authentication): Device for this keyhandle is not present.
USB send: 00cafebabe8100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
now trying with timeout 512
now trying with timeout 1024
now trying with timeout 2048
now trying with timeout 4096
^CUSB read rc read 64
Device /dev/hidraw0 failed ping, dead.
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
^C^C^C^CUSB write returned -1
debug(pam_u2f): ../util.c:355 (do_authentication): Unable to discover devices
debug(pam_u2f): ../pam-u2f.c:293 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): ../pam-u2f.c:312 (pam_sm_authenticate): done. [Fehler bei Authentifizierung]
sudo: 1 Fehlversuch bei der Passwort-Eingabe




Best regards,
   Jörg

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (150, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6           2.27-3
ii  libpam0g        1.1.8-3.7
ii  libu2f-host0    1.1.4-1
ii  libu2f-server0  1.1.0-1

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg  1.0.6-1

libpam-u2f suggests no packages.

-- no debconf information

-- 
Jörg (j at corsario.org)
GPG-ID: 0xFAE26711E6EBF94D
Fingerprint: 8A79 8BF8 0A04 60EA A004  7E42 FAE2 6711 E6EB F94D
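
The "USB send:" / "USB recv:" lines in the debug output above are U2FHID frames (channel ID, command, byte count, payload). The following decoder is an added example, not part of the original report and not code from pam-u2f or libu2f-host; the function names are hypothetical, and the three sample strings are prefixes of log lines from the report with the trailing bytes dropped.

```python
# U2FHID commands (bit 7 set marks an initialization packet)
CMDS = {0x81: "PING", 0x83: "MSG", 0x86: "INIT", 0xBF: "ERROR"}
# Status words listed in the FIDO U2F raw message format
SW = {0x9000: "SW_NO_ERROR", 0x6985: "SW_CONDITIONS_NOT_SATISFIED",
      0x6A80: "SW_WRONG_DATA", 0x6700: "SW_WRONG_LENGTH",
      0x6E00: "SW_CLA_NOT_SUPPORTED", 0x6D00: "SW_INS_NOT_SUPPORTED"}
# P1 control byte of the U2F authenticate command (INS 0x02)
P1 = {0x03: "enforce-user-presence-and-sign", 0x07: "check-only",
      0x08: "dont-enforce-user-presence-and-sign"}

# Prefixes of three log lines from the report (trailing bytes dropped)
INIT_RESP = "USB recv: ffffffff8600110807060504030201cafebabe0202000003"
AUTH_REQ = "USB send: 00cafebabe83006e00020700000065a549964c"
AUTH_RESP = "USB recv: cafebabe8300026984"

def parse_frame(line):
    """Decode the U2FHID header of one 'USB send:' / 'USB recv:' line."""
    direction, hexdata = line.split(":", 1)
    raw = bytes.fromhex(hexdata.strip())
    if direction.strip() == "USB send":
        raw = raw[1:]  # sent buffers start with the HID report ID byte
    cid, first = raw[:4].hex(), raw[4]
    if not first & 0x80:  # continuation packet: CID, SEQ, data
        return {"cid": cid, "seq": first, "data": raw[5:]}
    bcnt = int.from_bytes(raw[5:7], "big")
    return {"cid": cid, "cmd": CMDS.get(first, hex(first)),
            "bcnt": bcnt, "data": raw[7:7 + bcnt]}

def decode_init(frame):
    """INIT response: 8-byte nonce, new channel ID, versions, capabilities."""
    d = frame["data"]
    return {"nonce": d[:8].hex(), "new_cid": d[8:12].hex(),
            "version": tuple(d[12:16]), "caps": d[16]}

def decode_auth_request(frame):
    """APDU header of an authenticate request carried in a MSG frame."""
    cla, ins, p1, p2 = frame["data"][:4]
    lc = int.from_bytes(frame["data"][4:7], "big")  # extended-length Lc
    return {"ins": ins, "p1": P1.get(p1, hex(p1)), "lc": lc}

def decode_status(frame):
    """The last two bytes of a MSG response are the status word."""
    sw = int.from_bytes(frame["data"][-2:], "big")
    return sw, SW.get(sw, "not in the U2F status word table")

if __name__ == "__main__":
    print(decode_init(parse_frame(INIT_RESP)))
    print(decode_auth_request(parse_frame(AUTH_REQ)))
    print(hex(decode_status(parse_frame(AUTH_RESP))[0]))
```

Decoded this way, the request logged before the failure is an authenticate command with P1 0x07 and a 101-byte body, and the device's reply is the two-byte status 0x6984, after which pam_u2f logged "Device for this keyhandle is not present."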


