Yubico / pam-u2f

Pluggable Authentication Module (PAM) for U2F and FIDO2
https://developers.yubico.com/pam-u2f/
BSD 2-Clause "Simplified" License

Two factor authentication at login screen: authentication fails the first time after key is inserted #137

Closed LinuxOnTheDesktop closed 4 years ago

LinuxOnTheDesktop commented 4 years ago

If the Yubikey is plugged in before the login manager loads then all is well. If I insert the key after the manager loads then, it seems, the first attempt to authenticate always fails (even if one waits some twenty seconds before making the attempt); only with a second attempt will the system unlock. This is a pretty serious bug.

OS: Linux Mint 19.3 Tricia x86_64
Host: 2325L19 ThinkPad X230
Kernel: 5.3.18-050318-generic
Shell: bash 4.4.20
Resolution: 1366x768 @ 60.02Hz
DE: Cinnamon 4.4.8
Login manager: slick-greeter, which is based on LightDM.
Yubikey software: image

a-dma commented 4 years ago

Is it libpam-yubico you're having problems with? That is a different project: https://github.com/Yubico/yubico-pam.

If so please open an issue there. Also, if you do, try to enable the debug output and attach a trace (set both debug and debug_file to achieve that).

Otherwise feel free to reopen this.

LinuxOnTheDesktop commented 4 years ago

I don't know. I bought the key, expected it to work, and now face this inconvenience. It's your software - you tell me which (of two nearly identically named) repositories is at issue. After all, I did describe the problem.

a-dma commented 4 years ago

What software did you install? libpam-yubico comes from the project that I linked above.

LinuxOnTheDesktop commented 4 years ago

> What software did you install?

As I said, I have this software installed:

image

But yes, libpam-yubico is one of those packages. So I will file this bug against, er, 'yubico-pam'.

a-dma commented 4 years ago

That's because you're grepping for yubico; the Debian/Ubuntu package for this project is libpam-u2f.

LinuxOnTheDesktop commented 4 years ago

Just now I filed a new version of the report at https://github.com/Yubico/yubico-pam (and specifically at https://github.com/Yubico/yubico-pam/issues/207). @a-dma, are you telling me I should have filed it elsewhere? I can't say I am enjoying the process of reporting a bug, especially since it is a bug with a paid product.

a-dma commented 4 years ago

If you're trying to use yubico-pam then over there is the correct place. If you're trying to use pam-u2f then the correct place is here. I can't help you figure out the issue if you don't know what software you're trying to use, and I can't do that just by looking at a partial screenshot of installed packages.

Are you trying to use Yubico OTPs or U2F/FIDO2? How are you configuring the module?

pam-u2f is for using U2F/FIDO2; you should add pam_u2f.so to one of your PAM services and configure it according to the documentation.

yubico-pam is for using Yubico OTPs; you should add pam_yubico.so to one of your PAM services and configure it according to the documentation.

LinuxOnTheDesktop commented 4 years ago

One cannot really expect a new user to know all of the acronyms. Indeed I more or less wholly fail to understand your last post, I am afraid (and that despite my having considerable amateur Linux knowledge - I am able, for instance, to compile various packages from source, to create udev rules, etc.).

I can tell you - and indeed I tried to convey this already - that I am trying to use two-factor authentication and to do so (only) for logging in. I created my setup by following two sets of instructions - one set being provided by Yubico (which were somewhat unclear, and which contain a consequential double typo, for which I filed a bug report) and some third-party ones. The resulting (hybrid) instructions amounted to the following (which I paste from notes that I created).

INSTALL SOFTWARE

$ sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
$ sudo apt-get install libpam-yubico yubikey-manager

SETUP THE KEY ITSELF

$ ykman otp chalresp -g 2
$ ykpamcfg -2

CONFIGURE LOGIN

Open Terminal.

If your system is Ubuntu 17.10 or newer, run: sudo nano /etc/pam.d/gdm-password.

If your system is Ubuntu 17.04 or older, run: sudo nano /etc/pam.d/lightdm [use this latter command for Mint 19]

Add the following line above [or should it be below?] the “@include common-auth” line:

auth required pam_yubico.so mode=challenge-response

Press Ctrl+X and then Enter to save and close the file.

REBOOT

NB: Do NOT press the button on the YubiKey when logging in. So doing enters something - not my normal password - into the password field. Just having the key inserted is what you want.

a-dma commented 4 years ago

I'm not expecting new (nor veteran) users to know all the different acronyms by heart. My point was not a critique, rather an attempt at a) explaining that the initial set of information wasn't enough to understand what you were trying to use and b) trying to extract more information.

What you have provided in your last message is indeed enough to at least pinpoint the right project: yubico-pam.

The important line being

auth required pam_yubico.so mode=challenge-response

This is what I was asking for in my previous message.

Now that this is clear we can work in the other issue to understand, replicate and solve the problem.
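
The triage step above (reading the PAM rule to tell pam-u2f from yubico-pam) can be automated. The following is an added example, not part of the thread or of either Yubico project; the function names and the sample service file are constructed for illustration.

```python
import re
from pathlib import Path

# Module file name -> (upstream project, credential type), as given in the thread.
YUBICO_MODULES = {
    "pam_u2f.so": ("Yubico/pam-u2f", "U2F/FIDO2"),
    "pam_yubico.so": ("Yubico/yubico-pam", "Yubico OTP"),
}

# pam.d rule: [-]type  control  module-path  [arguments]
# control is a keyword (required, sufficient, ...) or a [value=action ...] list.
PAM_RULE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)

def find_yubico_modules(text, service="<inline>"):
    """Return one dict per rule in `text` that loads a Yubico PAM module."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = PAM_RULE.match(raw.split("#", 1)[0].strip())
        if not rule:
            continue  # blank line, comment, @include, or not a rule
        name = rule["module"].rsplit("/", 1)[-1]  # module may be an absolute path
        if name in YUBICO_MODULES:
            project, credential = YUBICO_MODULES[name]
            findings.append({
                "service": service, "line": lineno, "type": rule["type"],
                "control": rule["control"], "module": name,
                "args": rule["args"].split(), "project": project,
                "credential": credential,
            })
    return findings

def scan_pam_dir(pam_dir="/etc/pam.d"):
    """Run find_yubico_modules over every service file in a pam.d directory."""
    findings = []
    for path in sorted(Path(pam_dir).iterdir()):
        if path.is_file():
            findings += find_yubico_modules(path.read_text(errors="replace"), path.name)
    return findings

# Constructed sample: a lightdm service file with the rule quoted in the thread.
SAMPLE_LIGHTDM = """#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_yubico.so mode=challenge-response
@include common-auth
"""

if __name__ == "__main__":
    for f in find_yubico_modules(SAMPLE_LIGHTDM, "lightdm"):
        print(f"{f['service']}:{f['line']} {f['module']} {f['args']} -> {f['project']}")
```

Calling `scan_pam_dir()` on a real system lists every service that loads either module, which is the information a maintainer needs to route a report to the right repository.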

LinuxOnTheDesktop commented 4 years ago

I have cleaned up the information in my last post and copied the result to https://github.com/Yubico/yubico-pam/issues/207.