pamu2fcfg -> error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT

[dietriclX]

I would like to share this error with those of you, who run into the same issue. After "fixing" this error, I am now able to login without a password ... using the Pico Fido - Pico Keys. A big thanks to those people which made/make this possible.

Summary: There is a difference in the implementation of the pamu2fcfg tool between version "pam_u2f 1.1.0" and "pamu2fcfg 1.3.0". The older version causes the error with Pico Fido.

Even though the pamu2fcfg is working fine with a YubiKey, with the Pico Fido2 it might be failing. At least, that's what I had observed with pamu2fcfg on my on Debian 12 (bookworm) system.

$ pamu2fcfg --version
pam_u2f 1.1.0
$ pamu2fcfg
Enter PIN for /dev/hidraw6: 
error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT

The version from SID is the newest of pamu2fcfg, however comes with two additional new dependencies. So ... I build my own version and in result had been able to retrieve the data required to configure the pam-fido2 process. To be clear, I was only using pamu2fcfg (Version 1.3.0) to retrieving the data from the token.

$ git clone --depth 1 --shallow-submodules --recurse-submodules --branch pam_u2f-1.3.0 https://github.com/Yubico/pam-u2f.git
$ mv pam-u2f pam-u2f.130
$ cd pam-u2f.130
$ sudo apt install --no-install-recommends autoconf automake libtool pkg-config libfido2-dev libpam-dev libssl-dev asciidoc xsltproc libxml2-utils docbook-xml
$ autoreconf --install
$ ./configure
$ make
$ ./pamu2fcfg/pamu2fcfg --version
pamu2fcfg 1.3.0
$ ./pamu2fcfg/pamu2fcfg 
Enter PIN for /dev/hidraw6: 
<UserID>:<KeyHandle1>,<UserKey1>,es256,+presence

[polhenarejos]

Is the second snippet using Pico Fido or Yubikey?

[dietriclX]

Is the second snippet using Pico Fido or Yubikey?

The snippets - I shared in the posting - are done using the Pico Fido.

[ihavetenfingers]

Cool, this fixed the same issue for me. Thanks!