Yubico / pam-u2f

Pluggable Authentication Module (PAM) for U2F and FIDO2
https://developers.yubico.com/pam-u2f/
BSD 2-Clause "Simplified" License

Cue appears even if incorrect PIN is provided #209

Open 0xallie opened 2 years ago

0xallie commented 2 years ago

I have the following at the top of /etc/pam.d/common-auth:

auth    sufficient    pam_u2f.so cue [cue_prompt=Please touch your YubiKey.] pinverification=1

When entering the wrong PIN, the cue prompt still appears, and then authentication immediately fails.

martelletto commented 2 years ago

Hi, thank you for the report. What application are you using in conjunction with pam-u2f?

0xallie commented 2 years ago

I’m seeing this behavior with sudo on Ubuntu 21.04.

martelletto commented 2 years ago

Thank you. There is not much we can do to only display the cue if the PIN is correct, as that result isn't available to the application until the device responds. We could, however, ask the application to inform the user about what went wrong, e.g.:

$ sudo -i
Please enter the PIN: 
Please touch your YubiKey.
Touch timeout.
$ sudo -i
Please enter the PIN: 
Please touch your YubiKey.
Invalid PIN.

This is implemented in the diff below.

diff --git a/util.c b/util.c
index 5727e8d..86ea4cd 100644
--- a/util.c
+++ b/util.c
@@ -1382,6 +1382,18 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
             retval = 1;
             goto out;
           }
+        } else {
+          switch (r) {
+            case FIDO_ERR_PIN_INVALID:
+              converse(pamh, PAM_TEXT_INFO, "Invalid PIN.");
+              break;
+            case FIDO_ERR_PIN_BLOCKED:
+              converse(pamh, PAM_TEXT_INFO, "PIN blocked.");
+              break;
+            case FIDO_ERR_ACTION_TIMEOUT:
+              converse(pamh, PAM_TEXT_INFO, "Touch timeout.");
+              break;
+          }
         }
       }
     } else {
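Review bot: the new switch on `r` has no default case, so any device error other than the three listed (an invalid PIN, a blocked PIN, a touch timeout) still fails silently, which is exactly the user experience this issue reports; suggest adding `default: converse(pamh, PAM_TEXT_INFO, fido_strerr(r)); break;` so every failure path produces a message, keeping the three explicit cases for their friendlier wording. It would also help to note in the "PIN blocked." text that the device needs a reset before it can authenticate again, since the user cannot recover from that state by retrying.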