Two factor authentication at login screen: authentication fails the first time after key is inserted #207
Comments
|
Hello, As you note (and got pointers for) the debug log would help here. If I understand you correctly your configuration line now is: "auth required pam_yubico.so mode=challenge-response debug debugfile /home//y.txt" ? I'm interested in the debug parameters here, can you make this something like: "auth required pam_yubico.so mode=challenge-response debug debug_file=/tmp/yubico_debug.txt" and then you create the file /tmp/yubico_debug.txt with something like: "touch /tmp/yubico_debug.txt" and then try to use the module? Hopefully we get some debugging information in that file that you can forward to me then (either attached here or mailed to klas@yubico.com). Thanks! |
|
Thanks. My configuration line is now: Having set that line, I logged off - without the Yubikey inserted - and entered my password into the login screen. The password was refused - as expected. Then I inserted the key, waited a few seconds, and entered the password again. The password was again rejected - which was expected from previous behaviour but not what should happen. Then I entered the password again and (as expected) the password was accepted. A log was indeed generated. I attach it. |
|
Hey. Sorry for being a bit slow responding here. Reading your original question I notice that you write that you have pam_yubico.so before common-auth ? That will lead to problems like this. What happens is that pam_yubico.so tries to load and do it's work as soon as the login screen loads (since it doesn't need any keyboard input), and at this point there's no YubiKey inserted. It will typically give you better behaviour if it's running after password collection, you achieve this by putting it after common-auth (or in common-auth and modify the pam_unix.so line. |
I was exactly on the money in writing (as I did above) of the 'consequential double typo'. The problem is that the instructions here told the user, twice, to insert the 'pam_yubico.so' line 'below above' (sic) the 'common-auth' line. So, you caused this problem (because I had to guess whether you meant 'above' or 'below' and I guessed wrongly). I notice though that the instructions have been fixed (presumably as a result of my filing a support ticket about them.) Moving the 'pam_yubico.so' line does seem to fix the problem. Please note that your lack of proof-reading has put me to considerable trouble. |
If the Yubikey is plugged in before the login manager loads then all is well. If I insert the key after the manager loads then, it seems, the first attempt to authenticate always fails (even if one waits some twenty seconds before making the attempt); only with a second attempt will the system unlock. This is a pretty serious bug.
My system
OS: Linux Mint 19.3 Tricia x86_64
Host: 2325L19 ThinkPad X230
Kernel: 5.3.18-050318-generic
Shell: bash 4.4.20
Resolution: 1366x768 @ 60.02Hz
DE: Cinnamon 4.4.8
Login manager: slick-greeter, which is basedon LightDM.
Yubikey software:
Debug log
Apparently and understandably for a bug report such as this I should enable debugging. To that end I appended 'debug debugfile /home//y.txt ' to the yubico line in the relevant
pam.dfile - namely, `/etc/pam.d/lightdm'. Then I logged on. However, y.txt seems not to have been created.EDIT: some further information
In case what I am trying to do is unclear, let me add: I am trying to use two-factor authentication and to do so (only) for logging in. I created my setup by following two sets of instructions - one set being provided by Yubico (which were somewhat unclear, and which contain a consequential double typo, for which I filed a bug report) and some third-party ones. The resulting (hybrid) instructions amounted to the following (which I paste from notes that I created).
The text was updated successfully, but these errors were encountered: