Closed cwrau closed 5 years ago
Hello! Thanks for reporting the issue, I don't think Yubikey is supported (yet) in i3lock.
I assume you installed the PAM module described here? If so, could you follow the instructions in the Troubleshooting section and post the logs here? Don't forget to remove any sensitive information from these logs.
No, I used the challenge-response method (https://support.yubico.com/support/solutions/articles/15000011355-ubuntu-linux-login-guide-challenge-response), but it's working everywhere, just not in i3lock.
My current workaround is to log in using another terminal and then pkilling the i3lock.
The debug doesn't write anything to the file, but this to the terminal:
[../pam_yubico.c:parse_cfg(759)] called.
[../pam_yubico.c:parse_cfg(760)] flags 32768 argc 4
[../pam_yubico.c:parse_cfg(762)] argv[0]=mode=challenge-response
[../pam_yubico.c:parse_cfg(762)] argv[1]=chalresp_path=/var/yubico
[../pam_yubico.c:parse_cfg(762)] argv[2]=debug
[../pam_yubico.c:parse_cfg(762)] argv[3]=debug_file=/var/log/pam_yubico.log
[../pam_yubico.c:parse_cfg(763)] id=0
[../pam_yubico.c:parse_cfg(764)] key=(null)
[../pam_yubico.c:parse_cfg(765)] debug=1
[../pam_yubico.c:parse_cfg(766)] alwaysok=0
[../pam_yubico.c:parse_cfg(767)] verbose_otp=0
[../pam_yubico.c:parse_cfg(768)] try_first_pass=0
[../pam_yubico.c:parse_cfg(769)] use_first_pass=0
[../pam_yubico.c:parse_cfg(770)] authfile=(null)
[../pam_yubico.c:parse_cfg(771)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(772)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(773)] ldap_bind_user=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_bind_password=(null)
[../pam_yubico.c:parse_cfg(775)] ldap_filter=(null)
[../pam_yubico.c:parse_cfg(776)] ldap_cacertfile=(null)
[../pam_yubico.c:parse_cfg(777)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(778)] user_attr=(null)
[../pam_yubico.c:parse_cfg(779)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(780)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(781)] url=(null)
[../pam_yubico.c:parse_cfg(782)] urllist=(null)
[../pam_yubico.c:parse_cfg(783)] capath=(null)
[../pam_yubico.c:parse_cfg(784)] cainfo=(null)
[../pam_yubico.c:parse_cfg(785)] proxy=(null)
[../pam_yubico.c:parse_cfg(786)] token_id_length=12
[../pam_yubico.c:parse_cfg(787)] mode=chresp
[../pam_yubico.c:parse_cfg(788)] chalresp_path=/var/yubico
[../pam_yubico.c:pam_sm_authenticate(819)] pam_yubico version: 2.23
[../pam_yubico.c:pam_sm_authenticate(834)] get user returned: cwr
[../util.c:check_firmware_version(212)] YubiKey Firmware version: 4.3.7
[../pam_yubico.c:do_challenge_response(483)] Loading challenge from file /var/yubico/cwr-**
[../util.c:load_chalresp_state(363)] Challenge: **, hashed response: **, salt: **, iterations: 10000, slot: 2
[../pam_yubico.c:do_challenge_response(559)] Got the expected response, generating new challenge (63 bytes).
[../pam_yubico.c:do_challenge_response(645)] Challenge-response success!
I think it's not the same problem because my yubikey is never blinking. I used this tutorial: https://www.jamesthebard.net/archlinux-and-u2f-login/
The default pam configuration did not work, that's why I override the pam config of i3lock and allow either my password or the challenge of the yubikey. My password works, not my yubikey ...
/etc/pam.d/i3lock
auth include system-auth
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
auth sufficient pam_unix.so try_first_pass nullok
Something linked to the authfile? I have no error
journalctl -n 100 --no-page
Nov 02 13:15:24 arch unix_chkpwd[15935]: password check failed for user (shenron)
Nov 02 13:15:24 arch i3lock[15932]: pam_unix(i3lock:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=shenron
Edit:
If I remove the authfile and add the mapping in the default place it works ...
mkdir -p ~/.config/Yubico
pamu2fcfg -u"$(whoami)" > ~/.config/Yubico/u2f_keys
The debug doesn't write anything to the file, but this to the terminal:
You'd have to make your pam config change, then fully log out of your i3 session. That worked for me as I am starting i3 with startx.
Yet, I guess you're right... trying to reproduce the issue with i3lock does not log anything to the yubico debug log file. In my case, the yubikey does not even blink (I am also using hmac challenge-response).
A not-so-safe workaround is to give it suid, and it may just go away with some update or other jobs that may fix permissions.
chmod u+s $(which i3lock)
The post that gave me this answer: https://github.com/Yubico/yubico-pam/issues/113
That is a much better workaround, thanks!
Instead of executing i3lock as root, you probably want to figure out which capabilities are needed and then assign them with setcap(8).
Sadly I don't know which capabilities it would need
Thanks for providing the workaround. I’ll close this issue, as it seems to me that it’s a shortcoming of the yubikey PAM module and has nothing to do with i3lock itself.
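For anyone applying or later undoing the suid workaround above, a small audit of the locker's privilege state. This is an added example, not code from the thread or from i3lock or pam_yubico. It assumes (the thread does not confirm this) that the workaround matters because the PAM module runs inside i3lock as the calling user and needs the state files under chalresp_path; `audit_locker` and its helpers are hypothetical names.

```shell
#!/bin/sh
# Added example: report the privilege state this thread turns on.
# Assumption: an unprivileged i3lock cannot reach the challenge-response
# state files (chalresp_path=/var/yubico in the log above).

# Succeeds when FILE is a regular file with the set-user-ID bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Prints how the *current* user can access USER's state files in DIR:
# "missing" (no such directory), "none" (no state files visible to us),
# or read/write flags such as "rw", "r-", "--".
chalresp_access() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo missing; return 0; }
    found=0 r=r w=w
    for f in "$dir/$user"-*; do
        [ -e "$f" ] || continue      # unexpanded glob: nothing visible
        found=1
        [ -r "$f" ] || r=-
        [ -w "$f" ] || w=-
    done
    [ "$found" -eq 1 ] || { echo none; return 0; }
    echo "$r$w"
}

# One-line summary: setuid bit, file capabilities (if getcap is installed),
# and state-file access for the invoking user.
audit_locker() {
    bin=$1 dir=$2 user=$3
    if is_setuid "$bin"; then suid=yes; else suid=no; fi
    caps=unknown
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null) || caps=
        [ -n "$caps" ] || caps=none
    fi
    echo "setuid=$suid caps=$caps chalresp=$(chalresp_access "$dir" "$user")"
}

# Usage: sh audit.sh "$(command -v i3lock)" /var/yubico "$(id -un)"
if [ "$#" -ge 3 ]; then
    audit_locker "$1" "$2" "$3"
fi
```

Run it as the desktop user, not as root: `setuid=yes` after a package update means the workaround is still in place, and `chalresp=none` or `--` with `setuid=no` matches the failing case described in the thread under the stated assumption.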
I'm submitting a…
Current Behavior
When trying to use i3lock, I cannot unlock, which requires my yubikey. The yubikey is blinking, but the login is ultimately unsuccessful.
Expected Behavior
i3lock unlocks normally
Reproduction Instructions
Set up yubikey required pam auth, run i3lock and try to unlock
Environment
Output of i3lock --version: