i3 / i3lock

improved screen locker
https://i3wm.org/i3lock
BSD 3-Clause "New" or "Revised" License

Yubikey not working #198

Closed cwrau closed 5 years ago

cwrau commented 6 years ago

I'm submitting a…

[X] Bug
[ ] Feature Request
[ ] Other (Please describe in detail)

Current Behavior

When trying to use i3lock, I cannot unlock, which requires my yubikey. The yubikey is blinking, but the login is ultimately unsuccessful.

Expected Behavior

i3lock unlocks normally

Reproduction Instructions

Set up yubikey-required pam auth, run i3lock and try to unlock.

Environment

Output of i3lock --version:

i3lock version: 2.10

eplanet commented 6 years ago

Hello! Thanks for reporting the issue, I don't think Yubikey is supported (yet) in i3lock.

I assume you installed the PAM module described here? If so, could you follow the instructions in the Troubleshooting section and post the logs here? Don't forget to remove any sensitive information from these logs.

cwrau commented 6 years ago

No, I used the challenge-response method (https://support.yubico.com/support/solutions/articles/15000011355-ubuntu-linux-login-guide-challenge-response), but it's working everywhere, just not in i3lock. My current workaround is to login using another Terminal and then pkilling the i3lock.

The debug doesn't write anything to the file, but writes this to the terminal:

[../pam_yubico.c:parse_cfg(759)] called.
[../pam_yubico.c:parse_cfg(760)] flags 32768 argc 4
[../pam_yubico.c:parse_cfg(762)] argv[0]=mode=challenge-response
[../pam_yubico.c:parse_cfg(762)] argv[1]=chalresp_path=/var/yubico
[../pam_yubico.c:parse_cfg(762)] argv[2]=debug
[../pam_yubico.c:parse_cfg(762)] argv[3]=debug_file=/var/log/pam_yubico.log
[../pam_yubico.c:parse_cfg(763)] id=0
[../pam_yubico.c:parse_cfg(764)] key=(null)
[../pam_yubico.c:parse_cfg(765)] debug=1
[../pam_yubico.c:parse_cfg(766)] alwaysok=0
[../pam_yubico.c:parse_cfg(767)] verbose_otp=0
[../pam_yubico.c:parse_cfg(768)] try_first_pass=0
[../pam_yubico.c:parse_cfg(769)] use_first_pass=0
[../pam_yubico.c:parse_cfg(770)] authfile=(null)
[../pam_yubico.c:parse_cfg(771)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(772)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(773)] ldap_bind_user=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_bind_password=(null)
[../pam_yubico.c:parse_cfg(775)] ldap_filter=(null)
[../pam_yubico.c:parse_cfg(776)] ldap_cacertfile=(null)
[../pam_yubico.c:parse_cfg(777)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(778)] user_attr=(null)
[../pam_yubico.c:parse_cfg(779)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(780)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(781)] url=(null)
[../pam_yubico.c:parse_cfg(782)] urllist=(null)
[../pam_yubico.c:parse_cfg(783)] capath=(null)
[../pam_yubico.c:parse_cfg(784)] cainfo=(null)
[../pam_yubico.c:parse_cfg(785)] proxy=(null)
[../pam_yubico.c:parse_cfg(786)] token_id_length=12
[../pam_yubico.c:parse_cfg(787)] mode=chresp
[../pam_yubico.c:parse_cfg(788)] chalresp_path=/var/yubico
[../pam_yubico.c:pam_sm_authenticate(819)] pam_yubico version: 2.23
[../pam_yubico.c:pam_sm_authenticate(834)] get user returned: cwr
[../util.c:check_firmware_version(212)] YubiKey Firmware version: 4.3.7

[../pam_yubico.c:do_challenge_response(483)] Loading challenge from file /var/yubico/cwr-**
[../util.c:load_chalresp_state(363)] Challenge: **, hashed response: **, salt: **, iterations: 10000, slot: 2
[../pam_yubico.c:do_challenge_response(559)] Got the expected response, generating new challenge (63 bytes).
[../pam_yubico.c:do_challenge_response(645)] Challenge-response success!

shenron commented 5 years ago

I think it's not the same problem because my yubikey never blinks. I used this tutorial: https://www.jamesthebard.net/archlinux-and-u2f-login/

The default pam configuration did not work, that's why I override the pam config of i3lock and allow either my password or the challenge of the yubikey. My password works, not my yubikey ...

/etc/pam.d/i3lock

auth include system-auth

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
auth sufficient pam_unix.so try_first_pass nullok

Something linked to the authfile? I have no error.

journalctl -n 100 --no-page

Nov 02 13:15:24 arch unix_chkpwd[15935]: password check failed for user (shenron)
Nov 02 13:15:24 arch i3lock[15932]: pam_unix(i3lock:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=shenron

Edit:

If I remove the authfile and add the mapping in the default place it works ...

mkdir -p ~/.config/Yubico
pamu2fcfg -u"$(whoami)" > ~/.config/Yubico/u2f_keys

madchap commented 5 years ago

> The debug doesn't write anything to the file, but this to the terminal:

You'd have to make your pam config change, then fully log out of your i3 session. That worked for me as I am starting i3 with startx.

Yet, I guess you're right... trying to reproduce the issue with i3lock does not log anything to the yubico debug log file. In my case, the yubikey does not even blink (I am also using hmac challenge-response).

madchap commented 5 years ago

A not-so-safe workaround is to give it suid, and it may just go away with some update or other jobs that may fix permissions.

chmod u+s $(which i3lock)

The post that gave me this answer: https://github.com/Yubico/yubico-pam/issues/113

cwrau commented 5 years ago

That is a much better workaround, thanks!

kpcyrd commented 5 years ago

Instead of executing i3lock as root, you probably want to figure out which capabilities are needed and then assign them with setcap(8).

cwrau commented 5 years ago

Sadly I don't know which capabilities it would need
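An added audit script for the two workarounds discussed above (madchap's `chmod u+s` and kpcyrd's setcap(8) suggestion); it is not code from i3lock or yubico-pam. It reports how the locker binary is currently privileged (setuid root, setuid to another user, file capabilities, or nothing) and whether the current user could read and rewrite their pam_yubico challenge-response state file under chalresp_path, since the debug log earlier in the thread shows the module generating a new challenge after a successful unlock. The thread does not say which capabilities i3lock would need and this script does not guess; it only shows what the binary carries today. The default paths /usr/bin/i3lock and /var/yubico and the function names are my assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of i3lock or yubico-pam.
# Assumed defaults (not from the thread): /usr/bin/i3lock and /var/yubico.

# privilege_mode BINARY
#   prints setuid-root | setuid-nonroot | file-caps | unprivileged
privilege_mode() {
    bin=$1
    if [ -u "$bin" ]; then
        # GNU stat first, BSD stat as a fallback, to get the owner name
        owner=$(stat -c %U "$bin" 2>/dev/null || stat -f %Su "$bin" 2>/dev/null)
        if [ "$owner" = root ]; then echo setuid-root; else echo setuid-nonroot; fi
        return 0
    fi
    # getcap prints a line only when the file carries capabilities; a missing
    # getcap binary is treated as "no capabilities" so the check still runs.
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$bin" 2>/dev/null)" ]; then
        echo file-caps
        return 0
    fi
    echo unprivileged
}

# chalresp_state_access DIR USER
#   pam_yubico names the state file DIR/USER-<serial>; the first match is checked.
#   prints read-write | read-only | no-access | missing
chalresp_state_access() {
    dir=$1
    user=$2
    state=$(ls -d "$dir/$user"-* 2>/dev/null | head -n 1)
    if [ -z "$state" ]; then
        echo missing
    elif [ -r "$state" ] && [ -w "$state" ]; then
        echo read-write
    elif [ -r "$state" ]; then
        echo read-only
    else
        echo no-access
    fi
}

# audit_locker [BINARY] [CHALRESP_DIR] [USER]
#   one summary line per check, for the user running the locker
audit_locker() {
    bin=${1:-/usr/bin/i3lock}
    dir=${2:-/var/yubico}
    user=${3:-$(id -un)}
    echo "binary: $bin -> $(privilege_mode "$bin")"
    echo "state:  $dir/$user-* -> $(chalresp_state_access "$dir" "$user")"
}

# Run directly: audit the defaults, or the paths given as arguments.
audit_locker "$@"
```

A locker that reports `unprivileged` together with a state file that is `read-only` or `no-access` matches the symptom in this thread (PAM runs as the desktop user, the state lives in a root-owned directory). `setuid-root` means the suid workaround is in place and worth revisiting once a narrower fix is known; `file-caps` means setcap has been used, and `getcap` will show exactly which capabilities.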

stapelberg commented 5 years ago

Thanks for providing the workaround. I’ll close this issue, as it seems to me that it’s a shortcoming of the yubikey PAM module and has nothing to do with i3lock itself.