Unable to discover device under Mac OS El Capitan #39

Closed
zero-one-devteam opened this Issue Aug 1, 2016 · 20 comments


zero-one-devteam commented Aug 1, 2016

On Mac OS El Capitan (10.11.6), we'll get the following debug message:

debug: pam-u2f.c:209 (pam_sm_authenticate): Using default authentication file /Users/john/.config/Yubico/u2f_keys
debug: util.c:107 (get_devices_from_authfile): Authorization line: john:
debug: util.c:112 (get_devices_from_authfile): Matched user: john
debug: util.c:130 (get_devices_from_authfile): KeyHandle for device number 1:
debug: util.c:157 (get_devices_from_authfile): publicKey for device number 1:
debug: util.c:172 (get_devices_from_authfile): Length of key number 1 is 65
debug: util.c:200 (get_devices_from_authfile): Found 1 device(s) for user john
debug: util.c:252 (do_authentication): Unable to discover device(s), cannot find U2F device
debug: pam-u2f.c:256 (pam_sm_authenticate): do_authentication returned -2

Obviously, the user was found, but after that the device could not be found. Moving the authfile to /etc did not solve the problem.

The /etc/pam.d/su:

auth required /usr/local/Cellar/pam-u2f/1.0.4/lib/pam/pam_u2f.so debug
auth sufficient pam_rootok.so
auth required pam_opendirectory.so
account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so

When using pam-u2f in /etc/pam.d/screensaver we also often see the problem that we have to authenticate several times before it works, and after that the system seems to be in a state like after a reboot (all previously opened programs restart).

a-dma commented Aug 1, 2016

Looks like your device is not recognized at all.

Can you get U2F to work elsewhere? Say with https://demo.yubico.com/u2f ?

zero-one-devteam commented Aug 1, 2016

Yes, we got it working with openvpn, Dropbox and with your test link without problems. After several authentication tries it works with pam as well, but not at the first try. We tested on a MacBook Pro late 2015 and MacBook 2016.

zero-one-devteam commented Aug 1, 2016

For U2F it does not matter how the Yubikey is configured, right? Means, we have a static password on slot 1 and OTP on slot 2. That should not cause any problems I guess ...

a-dma commented Aug 1, 2016

For U2F it does not matter how the Yubikey is configured, right? Means, we have a static password on slot 1 and OTP on slot 2. That should not cause any problems I guess ...

Correct, that doesn't make any difference as long as the U2F mode is enabled.

It looks like libu2f_host can't find your device. Try enabling debug on that.

Unfortunately pam_u2f itself doesn't allow you to turn on debug for libu2f_host, but pamu2fcfg does. The purpose of the tool is to do registration, but the init call is the same. Run it with pamu2fcfg -d and see if you can replicate the issue.

zero-one-devteam commented Aug 1, 2016

I will shorten the output of pamu2fcfg -d:

No U2F device available, please insert one now, you have 15 seconds
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffffff86001108070605040302010100d56c020101000100000000000000000000000000000000000000000000000000000000000000000000000000000000
device USB_1050_0114_14200000 discovered as 'Yubikey NEO OTP+U2F'
version (Interface, Major, Minor, Build): 2, 1, 1, 0 capFlags: 1
USB send: 000100d56c8100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100d56c810001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Device found!
...
USB send: 000100d56c8300470001030000004062f458c5e277bf248feeca30a44b917580cceff9b63d2af25e5bb200b0bb38851da7dd24194a5469f9e2c29f8e59dc7170
USB write returned 65
USB send: 000100d56c00411eef01e6bf8c5df1bfb95500180000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0100d56c830002698500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6985
USB send: 000100d56c8300470001030000004062f458c5e277bf248feeca30a44b917580cceff9b63d2af25e5bb200b0bb38851da7dd24194a5469f9e2c29f8e59dc7170
USB write returned 65
USB send: 000100d56c00411eef01e6bf8c5df1bfb95500180000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
...
Unable to generate registration challenge, timeout error (-7)

Hmmm, what does that mean? First it seems no device was found, but then it was found, but after that a timeout happens ...

a-dma commented Aug 1, 2016

That looks like good output to me.
The timeout is because you haven't touched the YubiKey, but the device was found.
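To read a pamu2fcfg -d trace the way the reply above does, here is a small decoder (an added example, not code from pam-u2f, libu2f-host or this thread) for the U2FHID initialization packets in the "USB send"/"USB recv" lines: it confirms that the INIT reply allocated a channel and reports the version/capability bytes, and that the later 2-byte payload 6985 is the U2F "conditions not satisfied" status, i.e. the key is waiting for a touch rather than failing. The sample lines are copied from the trace above with their trailing zero padding trimmed; the constant names are assumptions mirroring the U2FHID and U2F raw-message specifications.

```python
import re

# U2FHID command bytes (high bit set) and the broadcast channel used before INIT.
U2FHID_INIT = 0x86
U2FHID_MSG = 0x83
BROADCAST_CID = "ffffffff"
# U2F raw-message status word: test of user presence required (touch the key).
SW_CONDITIONS_NOT_SATISFIED = 0x6985

# Lines copied from the thread's pamu2fcfg -d output, zero padding trimmed.
SAMPLE_LOG = """\
USB send: 00ffffffff8600080807060504030201
USB write returned 65
USB recv: ffffffff86001108070605040302010100d56c020101000100
USB recv: 0100d56c8300026985
USB data (len 2): 6985
"""


def parse_frame(line):
    """Parse one 'USB send:'/'USB recv:' line as a U2FHID initialization packet."""
    m = re.match(r"USB (send|recv): ([0-9a-f]+)$", line.strip())
    if not m:
        return None  # timing/bookkeeping lines such as "USB write returned 65"
    direction, data = m.group(1), bytes.fromhex(m.group(2))
    if direction == "send":
        data = data[1:]  # hidapi prepends a report-ID byte (0x00): 65-byte writes
    bcnt = int.from_bytes(data[5:7], "big")
    return {"dir": direction, "cid": data[:4].hex(), "cmd": data[4],
            "payload": data[7:7 + bcnt]}


def decode_init_response(frame):
    """INIT reply payload: nonce(8) new CID(4) iface/major/minor/build(4) caps(1)."""
    p = frame["payload"]
    return {"nonce": p[:8].hex(), "new_cid": p[8:12].hex(),
            "version": (p[12], p[13], p[14], p[15]), "cap_flags": p[16]}


def interpret(log_text):
    """Summarise a trace: which channel the key got and whether it asked for a touch."""
    result = {"cid": None, "version": None, "touch_required": False}
    for line in log_text.splitlines():
        f = parse_frame(line)
        if f is None or f["dir"] != "recv":
            continue
        if f["cmd"] == U2FHID_INIT and f["cid"] == BROADCAST_CID:
            info = decode_init_response(f)
            result["cid"], result["version"] = info["new_cid"], info["version"]
        elif f["cmd"] == U2FHID_MSG and f["cid"] == result["cid"]:
            sw = int.from_bytes(f["payload"][-2:], "big")  # trailing status word
            result["touch_required"] |= sw == SW_CONDITIONS_NOT_SATISFIED
    return result
```

Run against the sample it yields channel 0100d56c, version (2, 1, 1, 0) and touch_required True, matching the "device ... discovered" and "USB data (len 2): 6985" lines in the trace.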

zero-one-devteam commented Aug 1, 2016

Yes, you're right, of course. What I found out: sometimes the device is not found and after several failed logins (the device does not blink after entering username and password) my user will be logged out by the system. So I wonder, why the device is not found. First, I guessed there are some issues with filevault2 which I have enabled. But the problem also occurs while logged in and using su (I have configured /etc/pam.d/su to test). What's weird is that it sometimes works and sometimes does not. Makes it very difficult to debug.

a-dma commented Aug 1, 2016

Can you get the same behavior (device not found) with pamu2fcfg -d ? In that case the debug info might help.

Also, have you noticed any correlation between when the issue arises and whether or not the device was already plugged in vs just plugged in?

zero-one-devteam commented Aug 1, 2016

Tried pamu2fcfg -d several times without any problems. Problem with pam occurred when the device was already plugged in. It did not start blinking after entering username and password after leaving the screensaver or standby. Could not reproduce it with plugging it in on demand, but I guess that's only a matter of how often I will try.

Is it possible to write the debug to a log file as well? When using it with /etc/pam.d/screensaver I won't get debug information otherwise.

a-dma commented Aug 1, 2016

Currently it is only possible to dump debug info to stderr. Maybe I should add a logfile option.

So, there is a problem with libhidapi on Mac where if you have a composite HID device, sometimes the path generated is wrong and you end up opening the wrong device. Would you mind turning off the OTP module in your NEO and see if that solves the problem?

zero-one-devteam commented Aug 1, 2016

How can I disable OTP? I think I have to configure the slot (in my case it's slot 2) with a static password or can I completely disable it?

a-dma commented Aug 1, 2016

You can disable it with either yubikey-neo-manager (GUI) or ykneomgr (CLI).

We have Mac releases for them. Check developers.yubico.com

zero-one-devteam commented Aug 1, 2016

Hmmm, when OTP is disabled, u2f works fine (I had to delete my former posting). As soon as OTP is re-activated, u2f shows the behaviour as before, means sometimes working, other times not.

Problem: I need OTP as well (for openvpn, as there are no reliable u2f implementations yet) and I don't like to use a second Yubikey ...

a-dma commented Aug 2, 2016

Yes, this sounds like the issue I described before with libhidapi (which pam-u2f uses).
Not much we can do at this point, besides rewriting libu2f-host to use a native implementation rather than a library, but that would be a major undertaking at this stage.

zero-one-devteam commented Aug 2, 2016

Ok, thanks for supporting me. So, I will switch to challenge response mode as described here:

https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf

This seems to be very reliable and offers similar security.

blahgeek commented Sep 22, 2016

@zero-one-devteam @a-dma It seems that current master version of hidapi resolved this issue (signal11/hidapi#40)

zero-one-devteam commented Oct 6, 2016

Thanks for getting back to me. I installed the new hidapi as described there but the problem is still present. Maybe I've missed something. libhidapi can be found in /usr/local/lib. Is that the place where pam-u2f is looking for?

a-dma commented Oct 6, 2016

It depends on whether you have multiple installs of the library and how your system is set up. You can find out by calling ldd on pam-u2f.so

blahgeek commented Oct 7, 2016

I'm using homebrew, brew install --HEAD hidapi and brew install pam-u2f works for me.

zero-one-devteam commented Oct 7, 2016

Interesting. Did not work for me. I had to compile hidapi manually and replace the libs that have been installed by brew before.
