pam_u2f only works when I use PIN after connect #165

Open
opened 2025-06-20 09:51:51 +08:00 by SirMonteiro · 9 comments
SirMonteiro commented 2025-06-20 09:51:51 +08:00 (Migrated from github.com)

I want to use the key to log in on my Linux machine using the pam_u2f module.
I have borrowed a nano 5C, and when I connect it and run "sudo su" it asks me to press the button and goes root as expected, but with the pico it flashes to touch it and skips to the password fallback.
It works after I use something that asks for the PIN, like the "ykman fido access verify-pin" command, but every time I reconnect it needs the PIN again to work.
I tried to change alwaysUv to always false, but it didn't seem to work.

This tenstar rp2350 is using pico-fido2 compiled with some custom device flags so the ws2812 works and the 16mb is recognized, although "python pico-fido-tool.py memory" shows a total of only 2024kb, with the correct flash size of 16mb.

polhenarejos commented 2025-06-23 02:45:42 +08:00 (Migrated from github.com)

All the data in Pico Fido is encrypted with a hash of your PIN. Without entering the PIN within the current session, the board remains locked and does not grant access to any account. This is why it works after you use an app that asks for the PIN.
`alwaysUv` has no effect because of this constraint.

In RP2350 the partition for storing data is 2048Kb, regardless of the total flash size, and this is what `memory` reports.

dolence commented 2025-07-02 02:19:07 +08:00 (Migrated from github.com)

I have a similar issue. I understand that a PIN must be entered first to unlock the board, and I have my greetd PAM file set to ask for it. The problem is that when first booting, when I click the regreet login button it goes from red to blue. Resetting the fido sometimes works. After logging in for the first time I can restart greetd or log out and log in again and it works as intended. I think it may be related to the OP's issue.

```
#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
#auth      sufficient   pam_u2f.so cue pinverification=1 userpresence=1 nouserok
auth       sufficient   pam_u2f.so cue pinverification=1 nouserok
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
```

Edit: the expected behavior occurs if I connect the pico fido after the system is running, e.g. at the regreet login screen, but not if it is plugged in while powering on the computer. Any thoughts?

polhenarejos commented 2025-07-02 17:34:51 +08:00 (Migrated from github.com)

A timeout of a OS timer?

dolence commented 2025-07-02 17:58:47 +08:00 (Migrated from github.com)

> A timeout of a OS timer?

I think I didn't express myself correctly. When it is connected before the boot it doesn't work, unless I unplug and replug it after the system is loaded. After that it works fine, for sudo for example, and even after a logout. If instead I do a manual login using user/password and then connect it, it works fine too. It just doesn't seem to work if it is connected before the boot starts.

dolence commented 2025-07-03 00:16:41 +08:00 (Migrated from github.com)

> A timeout of a OS timer?

After the failure I disconnected the device.

```
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:122 (pam_sm_authenticate): Origin not specified, using "pam://desktop.dolence.com.br"
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:134 (pam_sm_authenticate): Appid not specified, using the value of origin (pam://desktop.dolence.com.br)
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:147 (pam_sm_authenticate): Maximum number of devices not set. Using default (24)
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:170 (pam_sm_authenticate): Requesting authentication for user dolence
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:181 (pam_sm_authenticate): Found user dolence
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:182 (pam_sm_authenticate): Home directory for dolence is /home/dolence
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:57 (resolve_authfile_path): Variable XDG_CONFIG_HOME is not set, using default
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:208 (pam_sm_authenticate): Using authentication file /home/dolence/.config/Yubico/u2f_keys
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:214 (pam_sm_authenticate): Dropping privileges
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:220 (pam_sm_authenticate): Switched to uid 1000
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:228 (parse_native_format): Read 373 bytes
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:232 (parse_native_format): Matched user: dolence
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:255 (parse_native_format): KeyHandle for device number 1: 8dACAhmdQOD6dLazgRYwAvVV5NQ2ogMn8XlT8KfUXC3yH73yZoH3X+fRcrReeOtHTnU76mrl564qLlMW6fFW5r187cxoWxmLOSnyH4hBbV1S+/AbrETlzZfFGAYt5dHrPy9Z00LNGpXZ/el+t2ghJHso0kZ703K/7/6Bq4FzyZ2N8B/oCUyx9+FffslQElJ+XVkHbbBAYbtWCVcKuNFSjwDhyY5BixeUxZTrXcQk1xC9h9zWMjWtRJS4us+EzmkOAg==
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:257 (parse_native_format): publicKey for device number 1: QY5PBQiDrrMJTRuFex0wH843tRpBOeOI0LMQazrugVdTtP1+UGxLfzlZJgVaYPjCV0zvRIYGA/Tpv98H9AJH6A==
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:259 (parse_native_format): COSE type for device number 1: es256
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:261 (parse_native_format): Attributes for device number 1: +presence
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:777 (get_devices_from_authfile): Found 1 device(s) for user dolence
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:230 (pam_sm_authenticate): Restored privileges
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:261 (pam_sm_authenticate): Touch request notifications will be emitted via '/var/run/user/0/pam-u2f-authpending'
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:270 (pam_sm_authenticate): Unable to emit 'authentication started' notification: No such file or directory
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:1197 (do_authentication): Device max index is 0
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:1211 (do_authentication): Attempting authentication with device number 1
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:1016 (prepare_assert): Key handle: 8dACAhmdQOD6dLazgRYwAvVV5NQ2ogMn8XlT8KfUXC3yH73yZoH3X+fRcrReeOtHTnU76mrl564qLlMW6fFW5r187cxoWxmLOSnyH4hBbV1S+/AbrETlzZfFGAYt5dHrPy9Z00LNGpXZ/el+t2ghJHso0kZ703K/7/6Bq4FzyZ2N8B/oCUyx9+FffslQElJ+XVkHbbBAYbtWCVcKuNFSjwDhyY5BixeUxZTrXcQk1xC9h9zWMjWtRJS4us+EzmkOAg==
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:821 (get_authenticators): Working with 0 authenticator(s)
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:869 (get_authenticators): Key not found
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): util.c:1286 (do_authentication): Device for this keyhandle is not present
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:319 (pam_sm_authenticate): done. [Authentication failure]
```

This caught my attention:

```
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:261 (pam_sm_authenticate): Touch request notifications will be emitted via '/var/run/user/0/pam-u2f-authpending'
Jul 02 13:06:06 desktop.dolence.com.br greetd[1578]: debug(pam_u2f): pam-u2f.c:270 (pam_sm_authenticate): Unable to emit 'authentication started' notification: No such file or directory
```
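In the journal excerpt above, `Working with 0 authenticator(s)` records that libfido2 enumerated no FIDO device at all, which is a different failure from a token being present but rejecting the key handle. The following Python script is an added example for this thread (not pam_u2f or Pico Fido code): it parses pam_u2f debug lines of the format shown and classifies the attempt; the sample lines are constructed from the excerpt with the host name shortened and key material omitted, and the reading of the "device present but key handle rejected" case as the PIN-locked state described by the maintainer is an assumption.

```python
"""Triage pam_u2f debug lines: tell 'no authenticator enumerated' apart from
'device seen but key handle rejected'.  Added example for this thread; it is
not pam_u2f or Pico Fido code, and the sample lines below are constructed."""
import re
# Constructed sample modelled on the journal excerpt above (host shortened, key material omitted).
SAMPLE_LOG = """\
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): pam-u2f.c:208 (pam_sm_authenticate): Using authentication file /home/dolence/.config/Yubico/u2f_keys
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): util.c:261 (parse_native_format): Attributes for device number 1: +presence
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): util.c:777 (get_devices_from_authfile): Found 1 device(s) for user dolence
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): util.c:821 (get_authenticators): Working with 0 authenticator(s)
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): util.c:869 (get_authenticators): Key not found
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): util.c:1286 (do_authentication): Device for this keyhandle is not present
Jul 02 13:06:06 host greetd[1578]: debug(pam_u2f): pam-u2f.c:319 (pam_sm_authenticate): done. [Authentication failure]
"""

# One debug line: "... debug(pam_u2f): <file>:<line> (<function>): <message>"
LINE_RE = re.compile(
    r"debug\(pam_u2f\): (?P<src>[\w.-]+:\d+) \((?P<func>\w+)\): (?P<msg>.*)$")

def parse_pam_u2f(text):
    """Return (function, message) pairs for every pam_u2f debug line."""
    return [(m["func"], m["msg"])
            for m in map(LINE_RE.search, text.splitlines()) if m]

def triage(text):
    """Summarise one authentication attempt and attach a plain-language verdict."""
    s = {"authfile": None, "registered": None, "present": None, "result": None}
    for func, msg in parse_pam_u2f(text):
        if func == "pam_sm_authenticate" and msg.startswith("Using authentication file"):
            s["authfile"] = msg.rsplit(" ", 1)[1]
        elif func == "get_devices_from_authfile":
            if (m := re.search(r"Found (\d+) device", msg)):
                s["registered"] = int(m.group(1))  # credentials in u2f_keys
        elif func == "get_authenticators":
            if (m := re.search(r"Working with (\d+) authenticator", msg)):
                s["present"] = int(m.group(1))  # tokens libfido2 enumerated
        elif func == "pam_sm_authenticate" and msg.startswith("done."):
            s["result"] = msg[msg.index("[") + 1:msg.rindex("]")]

    if s["result"] == "Success":
        s["verdict"] = "ok"
    elif s["present"] == 0:
        # No FIDO device was listed at all (unplugged, or not yet enumerated by
        # the OS), so the registered key handle was never offered to a token.
        s["verdict"] = "no authenticator enumerated"
    elif s["present"] and s["registered"]:
        # A token was seen but none accepted the key handle.  Assumed here (not
        # stated on the page) to be how a Pico Fido that has not received its
        # PIN this session, per the maintainer's comment, would show up.
        s["verdict"] = "device present but key handle rejected"
    else:
        s["verdict"] = "undetermined"
    return s
```

Run it against `journalctl -u greetd` output with `debug` enabled on the pam_u2f line to see which of the two cases a failed login falls into.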
polhenarejos commented 2025-07-03 02:57:16 +08:00 (Migrated from github.com)

`/var/run/user/0/pam-u2f-authpending` doesn't exist.

migue802 commented 2025-08-24 05:32:22 +08:00 (Migrated from github.com)

Off-topic, @SirMonteiro, mind sharing the flags or the process you followed to build pico-fido? I have the same Tenstar RP2350 and I can't manage to get anything on it, I'm new to this microcode world heh

zequinha-taveira commented 2025-12-03 12:19:05 +08:00 (Migrated from github.com)

@migue802 I got a working build of pico-fido2 for the Tenstar RP2350. You can download the .uf2 directly from here:
Download (RP2350): https://github.com/zequinha-taveira/pico-fido2-Tenstar-RP2350-firmware/releases/
If you want, I can also explain the steps I used to compile it in case you'd like to build it yourself.

PepePanDziobak1 commented 2025-12-17 19:08:08 +08:00 (Migrated from github.com)

@zequinha-taveira I also have a Tenstar RP2350 but I can't download the firmware, the repo is private. Explain how to build your own firmware.

Reference: dearsky/pico-fido#165