[Pkg-auth-maintainers] Bug#898519: Bug #898519: libpam-u2f: upgrade to 1.0.6 breaks authentication with u2fzero device

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Sat May 26 22:18:40 BST 2018


Control: severity -1 serious
Control: tag -1 + upstream moreinfo sid buster
Control: forward -1 https://github.com/Yubico/pam-u2f/issues/97

On Sun, May 13, 2018 at 01:55:28AM +0200, Jörg Kurlbaum wrote:
> Package: libpam-u2f
> Version: 1.0.6-1
> Severity: important
> 
> Dear Maintainer,

Hi Jörg,

Sorry for only getting back to you now, and sorry for letting this bug slip
into sid and buster unnoticed.  :(

> during a system upgrade on buster the package libpam-u2f is upgraded from 1.0.4 to 1.0.6.
> 
> After the upgrade the PAM module fails to authenticate with the U2Fzero device (u2fzero.com).
> A manual downgrade to 1.0.4 solves all issues.

As I do not have a U2Fzero device, and was unable to reproduce the issue
with my own, it is complicated for me to debug, but the debug logs hint at
an issue in the low-level communication with the device, which is
implemented by libu2f-host. Did you recently update that library?
(I doubt that's the issue, though, as downgrading fixes the problem.)

In the meantime, I am forwarding this bug upstream (against pam-u2f), who
might be able to pinpoint the issue faster than I would. (OTOH, several of
the pam-u2f upstream developers are in the relevant packaging team and
should have received the bug report anyhow.)


> This is severe: if the system is rebooted directly, authentication would fail.
> The user would be locked out of the machine.

Agreed; as such, I am upgrading the severity to serious, as it makes pam-u2f
unsuitable for release.  This will eventually result in pam-u2f getting
deleted from buster, but I hope we can fix this before then  :)


Best,

  nicoo


> A quick look at the code shows a lot of changes between the two (minor) versions. But I couldn't
> figure out the exact lines involved yet.
> 
> While with the 1.0.4 version the u2f device shows a red light as a signal to press the button,
> the 1.0.6 version makes the device just light up bright green.
> 
> 
> My Configuration files:
> 
> 
> /etc/pam.d/u2f:
> 
> auth required pam_u2f.so authfile=/etc/u2f_keys cue debug openasuser
> 
> 
> /etc/pam.d/sudo:
> 
> #%PAM-1.0
> @include common-auth
> @include common-account
> @include common-session-noninteractive
> @include u2f

Those config files look perfectly reasonable.

> [...] 
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (150, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages libpam-u2f depends on:
> ii  libc6           2.27-3
> ii  libpam0g        1.1.8-3.7
> ii  libu2f-host0    1.1.4-1
> ii  libu2f-server0  1.1.0-1
> 
> Versions of packages libpam-u2f recommends:
> ii  pamu2fcfg  1.0.6-1
> 
> libpam-u2f suggests no packages.
> 
> -- no debconf information
> 
> -- 
> Jörg (j at corsario.org)
> GPG-ID: 0xFAE26711E6EBF94D
> Fingerprint: 8A79 8BF8 0A04 60EA A004  7E42 FAE2 6711 E6EB F94D
> 
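The lockout Jörg describes is the reason to exercise a pam_u2f change from a shell you still hold before rebooting. Below is a pre-reboot check of that kind, added here as an example; it is not from the bug report, from pam-u2f or from Debian. It assumes the authfile line format that pamu2fcfg 1.0.x writes, `user:keyhandle,publickey[:keyhandle,publickey...]`; the sample entries it creates are constructed placeholders, not real credentials; and the optional live check assumes the separate `pamtester` utility is installed, which the page does not mention.

```shell
#!/bin/sh
# Added example (not from the bug report, pam-u2f or Debian): sanity-check a
# pam_u2f authfile and, optionally, the PAM stack of one service from a shell
# you still hold, before a reboot can lock you out.
#
# Assumed authfile line format, as pamu2fcfg 1.0.x writes it:
#   username:keyhandle1,publickey1[:keyhandle2,publickey2]...

# Write a small constructed authfile (placeholder handles and keys, not real
# credentials) and print its path.
u2f_sample_authfile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
joerg:a2V5aGFuZGxlMQ,cHVibGlja2V5MQ:a2V5aGFuZGxlMg,cHVibGlja2V5Mg
alice:a2V5aGFuZGxlMw,cHVibGlja2V5Mw
bob:not-a-keyhandle-publickey-pair
EOF
    echo "$f"
}

# u2f_key_count USER AUTHFILE
# Prints the number of keyhandle,publickey pairs registered for USER.
# Exit status: 0 on success; 1 if USER has no entry (prints 0);
# 2 if the entry is malformed (prints nothing, complains on stderr).
u2f_key_count() {
    user=$1
    authfile=$2
    # Exact match on the first field, first matching line only.
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$authfile")
    if [ -z "$line" ]; then
        echo 0
        return 1
    fi
    keys=${line#"${user}:"}
    n=0
    oldifs=$IFS
    IFS=:
    for pair in $keys; do
        case $pair in
            ?*,?*) n=$((n + 1)) ;;
            *)
                IFS=$oldifs
                echo "malformed entry for $user: '$pair'" >&2
                return 2 ;;
        esac
    done
    IFS=$oldifs
    echo "$n"
}

# u2f_preflight USER [SERVICE]
# Checks USER's entry in /etc/u2f_keys (the authfile path from the report),
# then, if pamtester is installed (assumed; it is a separate package), runs one
# live authentication through SERVICE (default: sudo) so a broken module fails
# here rather than at the next login.
u2f_preflight() {
    user=$1
    service=${2:-sudo}
    count=$(u2f_key_count "$user" /etc/u2f_keys) || {
        echo "no usable entry for $user in /etc/u2f_keys" >&2
        return 1
    }
    echo "$user: $count registered key(s)"
    if command -v pamtester >/dev/null 2>&1; then
        pamtester -v "$service" "$user" authenticate
    else
        echo "pamtester not installed; skipping live PAM check" >&2
    fi
}

# Usage: sh this_script.sh USER [SERVICE]
if [ $# -gt 0 ]; then
    u2f_preflight "$@"
fi
```

Run the preflight from a second terminal while a root shell stays open in the first; if the live check fails, downgrade or disable the module before closing that shell.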