Fedora update broke pam_u2f two-factor login

Howdy!

I have a Fedora 35 workstation configured to require a Yubikey to as a second factor when logging in or using sudo. Until a software update yesterday this configuration worked fine:

Installed the package pam-u2f

Added this line:

auth       required     pam_u2f.so

to several configuration files in /etc/pam.d/

This worked fine until I did my regular software update and rebooted yesterday. Now my Yubikey doesn’t blink to prompt for me to touch it and I cannot log in. The Yubikey doesn’t prompt for me to press it either through the GNOME login page or from one of the virtual terminals.

Does anyone know why a software update would have broken this?

My current plan is to:

  1. Wait a few days so any emergency bugfixes become available
  2. Boot into a live version of Fedora
  3. Decrypt the main drive
  4. Edit the /etc/pam.d/ configuration files to no longer require pam_u2f.so
  5. Boot back into the main version of Fedora
  6. Update all software
  7. Add the pam_u2f.so entries back into the /etc/pam.d/ configuration files
  8. Repeat as necessary if it doesn’t work
1 Like

Hi @keeblo , welcome to the forums!

The latest update seems to be here:

https://bodhi.fedoraproject.org/updates/FEDORA-2021-a52d48b1c2

No karma there, so maybe it wasn’t tested enough to catch this regression. it only includes a CVE fix, though, so one wouldn’t expect it to have any other major changes.

I don’t see any bugs here either:

Perhaps worth filing one so that you can communicate directly with the maintainer on this?

https://docs.fedoraproject.org/en-US/quick-docs/howto-file-a-bug/

You could also bring this up on the devel mailing list, since there are community members that do use Yubikey and would/should run into this issue too:

https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/

Whelp, I fixed it by copying the /etc/pam.d/ directory from another Fedora laptop with working login. Here are the differences between the working and non-working versions:

For gdm-password:
The non-working configuration was:

auth        required      pam_u2f.so
auth        substack      password-auth

The working configuration is:

auth        substack      password-auth
auth        required      pam_u2f.so

For login:
The non-working configuration:

auth       required     pam_u2f.so
auth       substack     system-auth

The working configuration is:

auth       substack     system-auth
auth       required     pam_u2f.so

For polkit-1:
The non-working configuration was:

auth       required     pam_u2f.so
auth       include      system-auth

The working configuration didn’t have any reference to pam_u2f.so

For su:
The non-working configuration is:

auth		required	pam_u2f.so
auth		substack	system-auth

The working configuration is:

auth		substack	system-auth
auth            required        pam_u2f.so

For sudo:
The non-working configuration was:

auth       required     pam_u2f.so
auth       include      system-auth

The working configuration is:

auth       substack     system-auth
auth       required     pam_u2f.so

For passwd:
The non-working configuration is:

auth       required	pam_u2f.so
password   substack	system-auth

The working configuration doesn’t have any reference to pam_u2f

So, from what I can tell, the bug/error appears to be in either:

  • Having pam_u2f.so in polkit-1 or passwd
    or
  • Having pam_u2f.so before system-auth

Does anyone have any recommendations or ideas?

Adding another reply since I did some configuration file tweaking since the last post.

For passwd:
I added a pam_u2f.so line, so the configuration now looks like this:

password   substack     system-auth
auth       required     pam_u2f.so

For polkit-1:
I added a pam_u2f.so line, so the configuration now looks like this:

auth       include      system-auth
auth       required     pam_u2f.so

The system works fine with these changes, so it appears that the bug/errors are entirely related to the order in which pam_u2f.so appears.

Should this be reported somewhere?

P.S. Thank you, @ankursinha, for your quick response! :smiley:

1 Like

I’m not sure—I guess reporting it on bugzilla to discuss it with the maintainer is probably the best thing to do? Did you refer to some documentation to set this up too? We could update that in the meantime to make this note?