Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

Two factor authentication at login screen: authentication fails the first time after key is inserted #207

Open LinuxOnTheDesktop opened 4 years ago

LinuxOnTheDesktop commented 4 years ago

If the Yubikey is plugged in before the login manager loads then all is well. If I insert the key after the manager loads then, it seems, the first attempt to authenticate always fails (even if one waits some twenty seconds before making the attempt); only with a second attempt will the system unlock. This is a pretty serious bug.

My system: OS: Linux Mint 19.3 Tricia x86_64; Host: 2325L19 ThinkPad X230; Kernel: 5.3.18-050318-generic; Shell: bash 4.4.20; Resolution: 1366x768 @ 60.02Hz; DE: Cinnamon 4.4.8; Login manager: slick-greeter, which is based on LightDM. Yubikey software: [image]

Debug log

Apparently and understandably for a bug report such as this I should enable debugging. To that end I appended 'debug debugfile /home//y.txt ' to the yubico line in the relevant pam.d file - namely, `/etc/pam.d/lightdm`. Then I logged on. However, y.txt seems not to have been created.

EDIT: some further information

In case what I am trying to do is unclear, let me add: I am trying to use two-factor authentication and to do so (only) for logging in. I created my setup by following two sets of instructions - one set being provided by Yubico (which were somewhat unclear, and which contain a consequential double typo, for which I filed a bug report) and some third-party ones. The resulting (hybrid) instructions amounted to the following (which I paste from notes that I created).

INSTALL SOFTWARE

$ sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
$ sudo apt-get install libpam-yubico yubikey-manager

SETUP THE KEY ITSELF

$ ykman otp chalresp -g 2
$ ykpamcfg -2

CONFIGURE LOGIN

Open Terminal. If your system is Ubuntu 17.10 or newer, run: sudo nano /etc/pam.d/gdm-password. If your system is Ubuntu 17.04 or older, run: sudo nano /etc/pam.d/lightdm [use this latter command for Mint 19] Add the following line above [or should it be below?] the “@include common-auth” line:

auth required pam_yubico.so mode=challenge-response

Press Ctrl+X and then Enter to save and close the file.

REBOOT

NB: Do NOT press the button on the YubiKey when logging in. So doing enters something - not my normal password - into the password field. Just having the key inserted is what you want.

klali commented 4 years ago

Hello,

As you note (and got pointers for) the debug log would help here.

If I understand you correctly your configuration line now is:

"auth required pam_yubico.so mode=challenge-response debug debugfile /home//y.txt" ?

I'm interested in the debug parameters here, can you make this something like:

"auth required pam_yubico.so mode=challenge-response debug debug_file=/tmp/yubico_debug.txt"

and then you create the file /tmp/yubico_debug.txt with something like: "touch /tmp/yubico_debug.txt" and then try to use the module? Hopefully we get some debugging information in that file that you can forward to me then (either attached here or mailed to klas@yubico.com).

Thanks!

LinuxOnTheDesktop commented 4 years ago

Thanks. My configuration line is now: auth required pam_yubico.so mode=challenge-response debug debug_file=/tmp/yubico_debug.txt.

Having set that line, I logged off - without the Yubikey inserted - and entered my password into the login screen. The password was refused - as expected. Then I inserted the key, waited a few seconds, and entered the password again. The password was again rejected - which was expected from previous behaviour but not what should happen. Then I entered the password again and (as expected) the password was accepted.

A log was indeed generated. I attach it. yubico_debug.txt

klali commented 4 years ago

Hey. Sorry for being a bit slow responding here.

Reading your original question I notice that you write that you have pam_yubico.so before common-auth? That will lead to problems like this.

What happens is that pam_yubico.so tries to load and do its work as soon as the login screen loads (since it doesn't need any keyboard input), and at this point there's no YubiKey inserted. It will typically give you better behaviour if it's running after password collection; you achieve this by putting it after common-auth (or in common-auth, and modify the pam_unix.so line).
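An added example (not code from the yubico-pam project or from either participant) that checks the ordering klali describes: the function reports whether the `pam_yubico.so` auth line sits after `@include common-auth` in a PAM service file, using two constructed copies of `/etc/pam.d/lightdm` that reproduce the issue's ordering and the fix.

```shell
#!/bin/sh
# Added example, not from the yubico-pam project: verify that pam_yubico.so
# runs after "@include common-auth", i.e. after the password has been collected,
# so the challenge-response is not attempted before the YubiKey is inserted.

# Return 0 if the first pam_yubico.so auth line comes after the first
# "@include common-auth" line in file $1; return 1 if it comes before or is missing.
yubico_after_common_auth() {
    yk=$(grep -n -E '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$1" | head -n1 | cut -d: -f1)
    ca=$(grep -n -E '^[[:space:]]*@include[[:space:]]+common-auth' "$1" | head -n1 | cut -d: -f1)
    [ -n "$yk" ] && [ -n "$ca" ] && [ "$yk" -gt "$ca" ]
}

# Constructed sample: the ordering from the issue (module above common-auth).
wrong_cfg=$(mktemp)
cat > "$wrong_cfg" <<'EOF'
#%PAM-1.0
auth    required pam_yubico.so mode=challenge-response
@include common-auth
auth    optional pam_gnome_keyring.so
EOF

# Constructed sample: the fix (module below common-auth, after the password prompt).
right_cfg=$(mktemp)
cat > "$right_cfg" <<'EOF'
#%PAM-1.0
@include common-auth
auth    required pam_yubico.so mode=challenge-response
auth    optional pam_gnome_keyring.so
EOF

for f in "$wrong_cfg" "$right_cfg"; do
    if yubico_after_common_auth "$f"; then
        echo "$f: pam_yubico.so runs after password collection (ok)"
    else
        echo "$f: pam_yubico.so runs before password collection (reorder it)"
    fi
done
```

Run it against the real service file with `yubico_after_common_auth /etc/pam.d/lightdm` (or `gdm-password`) to confirm the ordering after editing.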

LinuxOnTheDesktop commented 4 years ago

> I notice that you write that you have pam_yubico.so before common-auth? That will lead to problems like this.

I was exactly on the money in writing (as I did above) of the 'consequential double typo'. The problem is that the instructions here told the user, twice, to insert the 'pam_yubico.so' line 'below above' (sic) the 'common-auth' line. So, you caused this problem (because I had to guess whether you meant 'above' or 'below' and I guessed wrongly). I notice though that the instructions have been fixed (presumably as a result of my filing a support ticket about them.) Moving the 'pam_yubico.so' line does seem to fix the problem. Please note that your lack of proof-reading has put me to considerable trouble.