pamu2fcfg -> error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT #54

Open
opened 2024-08-20 03:27:46 +08:00 by dietriclX · 9 comments
dietriclX commented 2024-08-20 03:27:46 +08:00 (Migrated from github.com)

_I would like to share this error with those of you who run into the same issue.
After "fixing" this error, I am now able to login without a password ... using the Pico Fido - Pico Keys. A big thanks to those people who made/make this possible._

Summary: There is a difference in the implementation of the pamu2fcfg tool between version "pam_u2f 1.1.0" and "pamu2fcfg 1.3.0". The older version causes the error with Pico Fido.

Even though the pamu2fcfg is working fine with a YubiKey, with the Pico Fido2 it might be failing.
At least, that's what I had observed with [pamu2fcfg](https://packages.debian.org/bookworm/pamu2fcfg) on my Debian 12 (bookworm) system.

```console
$ pamu2fcfg --version
pam_u2f 1.1.0
$ pamu2fcfg
Enter PIN for /dev/hidraw6: 
error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT
```

The [version from SID](https://packages.debian.org/sid/pamu2fcfg) is the newest of pamu2fcfg, however it comes with two additional new dependencies. So ... I built my own version and as a result was able to retrieve the data required to configure the pam-fido2 process. To be clear, I was only using pamu2fcfg (Version 1.3.0) to retrieve the data from the token.

```console
$ git clone --depth 1 --shallow-submodules --recurse-submodules --branch pam_u2f-1.3.0 https://github.com/Yubico/pam-u2f.git
$ mv pam-u2f pam-u2f.130
$ cd pam-u2f.130
$ sudo apt install --no-install-recommends autoconf automake libtool pkg-config libfido2-dev libpam-dev libssl-dev asciidoc xsltproc libxml2-utils docbook-xml
$ autoreconf --install
$ ./configure
$ make
$ ./pamu2fcfg/pamu2fcfg --version
pamu2fcfg 1.3.0
$ ./pamu2fcfg/pamu2fcfg 
Enter PIN for /dev/hidraw6: 
<UserID>:<KeyHandle1>,<UserKey1>,es256,+presence
```
polhenarejos commented 2024-08-20 15:57:38 +08:00 (Migrated from github.com)

Is the second snippet using Pico Fido or Yubikey?

dietriclX commented 2024-08-21 12:13:46 +08:00 (Migrated from github.com)

> Is the second snippet using Pico Fido or Yubikey?

The snippets - I shared in the posting - are done using the Pico Fido.

ihavetenfingers commented 2024-08-23 07:05:18 +08:00 (Migrated from github.com)

Cool, this fixed the same issue for me. Thanks!

polhenarejos commented 2025-01-31 19:11:04 +08:00 (Migrated from github.com)

Might be related with #91. Try latest nightly development build.

dietriclX commented 2025-02-01 00:40:35 +08:00 (Migrated from github.com)

> Might be related with #91. Try latest nightly development build.

I had given it a try and built it from scratch using Pico SDK 2.1.0.

Hopefully I took the latest version (nightly source?), by using

```
git clone https://github.com/polhenarejos/pico-fido
git submodule update --init --recursive
:
```

Situation is unchanged ... still getting the same error ... never mind ...

PS: Where do I find these?

polhenarejos commented 2025-02-01 19:41:56 +08:00 (Migrated from github.com)

I see the problem.

The thing is that pamu2f does not send the PIN to the authenticator and thus, when you try to log in and get the assertion, it is rejected due to the missing PIN.

For instance, if you try with a fresh firmware without a set PIN, it will work. No PIN is sent, but no PIN is set, so it works. But when you use a PIN, the keys are encrypted with a hash of that PIN. Therefore, you must provide it beforehand to be able to log in.

The solution is to add `pinverification=1` to your /etc/pam.d/ file. Do not forget to `pamu2fcfg` again.

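An added example, not part of the thread and not code from pam_u2f or Pico Fido: a small Python audit for the setup discussed above, which checks that the pam_u2f line sets `pinverification=1` and lists authfile credentials whose flags lack `+pin`. It assumes the authfile layout shown in the first post's pamu2fcfg output and that a `+pin` flag marks a registration made with PIN verification; the sample authfile is constructed.

```python
import re

# Constructed sample data (not taken from the thread): alice was registered
# without PIN verification, bob with it.
SAMPLE_PAM = ("auth sufficient pam_u2f.so authfile=/etc/fido2/u2f.keys "
              "pinverification=1 cue [cue_prompt=Touch Me]")
SAMPLE_AUTHFILE = """\
alice:KH1,PK1,es256,+presence
bob:KH2,PK2,es256,+presence+pin:KH3,PK3,es256,+presence+pin
"""

def pam_u2f_options(pam_line):
    """Return the pam_u2f.so arguments as a dict, or None if the line is not pam_u2f."""
    # PAM allows [bracketed arguments] that contain spaces.
    tokens = re.findall(r"\[[^\]]*\]|\S+", pam_line)
    idx = next((i for i, t in enumerate(tokens) if t.endswith("pam_u2f.so")), None)
    if idx is None:
        return None
    opts = {}
    for tok in tokens[idx + 1:]:
        key, _, value = tok.strip("[]").partition("=")
        opts[key] = value
    return opts

def parse_authfile_line(line):
    """Split 'user:handle,key,type,flags[:handle,...]' into (user, [flag sets])."""
    user, *creds = line.strip().split(":")
    flag_sets = []
    for cred in creds:
        # Assumption: entries with fewer than four fields carry no flags.
        fields = (cred.split(",") + ["", "", ""])[:4]
        flag_sets.append({f for f in fields[3].split("+") if f})
    return user, flag_sets

def audit(pam_line, authfile_text):
    """List findings: missing pinverification=1 and credentials lacking +pin."""
    findings = []
    opts = pam_u2f_options(pam_line)
    if opts is None:
        findings.append("not a pam_u2f line")
    elif opts.get("pinverification") != "1":
        findings.append("pam_u2f line does not set pinverification=1")
    for line in filter(str.strip, authfile_text.splitlines()):
        user, flag_sets = parse_authfile_line(line)
        for n, flags in enumerate(flag_sets, 1):
            if "pin" not in flags:
                findings.append(f"{user}: credential {n} has no +pin flag")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PAM, SAMPLE_AUTHFILE)) or "no findings")
```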
dietriclX commented 2025-02-02 17:33:32 +08:00 (Migrated from github.com)

I have added the "pinverification=1", but the situation is unchanged.

Tested with the firmware from 2 days back.

Pico with freshly installed firmware

```
$ pamu2fcfg
error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT
```

Same Pico, after PIN set (`fido2-token -S /dev/hidraw?`)

```
$ pamu2fcfg
Enter PIN for /dev/hidraw4: 
error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT
```

=== `/etc/pam.d/common-aut` ===

```
:
# pam-auth-update(8) for details.

auth sufficient pam_u2f.so authfile=/etc/fido2/u2f.keys pinverification=1 cue [cue_prompt=Touch Me]

# here are the per-package modules (the "Primary" block)
:
```
FSCSoft commented 2026-02-21 04:06:52 +08:00 (Migrated from github.com)

Hello, I have tried using it for pam_u2f and I was able to get it working, except that when I unplug the Pico FIDO I have to configure it again, as if it had been erased or were a different key, in both modes that pamu2fcfg has; with -r, to create the passkey the way websites do, it does work, and I can even delete it and add it again. I have the picokey app with a license.

FSCSoft commented 2026-02-21 04:13:26 +08:00 (Migrated from github.com)

And I did have that failure: the button press time is set to 0 and there is no time to press it.

Reference: dearsky/pico-fido#54