New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIDO2 fallback to password #19872
Comments
The timeout is already requested in #10739. What precisely do you mean by "libfido2 itself fails"? Do you have some specific error case in mind? If so, what#s the error you saw? Can you provide the log output of the failure? |
In case of #19842, libfido2 fails with
In such case, no fallback is made to passphrase unlock and systemd switch emergency target. I can provide full log for this use case |
+1 for that. I can reproduce on 249. No fallback happening there, or I did not configure it correctly.
I am not sure you linked the right issue? |
I am also seeing no fallback even after setting a timeout on systemd 250. |
If you set the token-timeout option mentioned in the release notes: https://github.com/systemd/systemd/releases/tag/v250 |
Can anyone confirm that entering an empty pin without the FIDO2 key being present halts the boot process and does not fallback to a password prompt? The only way for me to fall back to the regular password prompt without the FIDO2 key being present is to enter a non-empty pin value first. The pin can be an incorrect one, it just can't be empty. |
I have to enter something, can't be empty for me either |
On Arch Linux, systemd 251, it now falls back to a passphrase after 30 seconds of no key present. My configuration doesn't have a PIN. I don't know how or why that works, but I would much like to find out as I would like to change the timeout (or, even better, fix it so I can manually trigger the fallback instead of having it on a timeout.) |
For me it just fails when the token doesn't work as systemd-cryptsetup just wants to use the token. |
Lines 821 to 825 in 5e81e84
Lines 689 to 698 in 5e81e84
|
I'm interested in the other direction (removing the password), particularly for systemd-homed volumes. The idea is that activation of a user would always require their FIDO2 token, but a locked screen can be unlocked with a password. If I need to raise a separate issue then let me know. |
It would be nice if there was some hotkey to switch to the regular password - or if entering an empty PIN would do that (for devices with pins...). |
I'm running systemd 255 now and it still seems to be the same behavior. Would be nice to see this handled a bit more intuitively. My suggestion:
And thanks for the possibility of fido2 tokens here at all, makes booting a lot less pain :D |
systemd version the issue has been seen with
Used distribution
Linux kernel version used (
uname -a
)CPU architecture issue was seen on
Unexpected behaviour you saw
This is a follow up from #19842. When FIDO2 authentication fails, there is no fallback to passphrase for a user. Two situations happens here.
Is there a plan to allow
The text was updated successfully, but these errors were encountered: