Bug#898519: marked as done (libpam-u2f: upgrade to 1.0.6 breaks authentication with u2fzero device)

[Debian Bug Tracking System]

Your message dated Thu, 28 Jun 2018 19:19:45 +0000
with message-id <e1fycsh-0000oo...@fasolo.debian.org>
and subject line Bug#898519: fixed in pam-u2f 1.0.7-1
has caused the Debian Bug report #898519,
regarding libpam-u2f: upgrade to 1.0.6 breaks authentication with u2fzero device
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
898519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libpam-u2f
Version: 1.0.6-1
Severity: important

Dear Maintainer,

during a system upgrade on buster the package libpam-u2f is upgraded from 1.0.4 
to 1.0.6.

After the upgrade the PAM modules fails to authenticate with the U2Fzero device 
(u2fzero.com).
A manual downgrade to 1.0.4 solves all issues.

This is severe: if the system is rebooted directly, authentication would fail.
The user would be locked out from machine.

A quick look at the code shows a lot changes between the two (minor) versions. 
But i couldn't
figure out the exact lines involved yet.

While with the 1.0.4 version the u2f device shows a red light as signal for 
pressing the button,
the 1.0.6 version makes the device just light up bright green.


My Configuration files:


/etc/pam.d/u2f:

auth required pam_u2f.so authfile=/etc/u2f_keys cue debug openasuser


/etc/pam.d/sudo:

#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive
@include u2f



Output with debug option enabled:

jkur@durruti:~$ sudo su
[sudo] Passwort für jkur: 
[../pam-u2f.c:parse_cfg(64)] called.
[../pam-u2f.c:parse_cfg(65)] flags 32768 argc 3
[../pam-u2f.c:parse_cfg(67)] argv[0]=authfile=/etc/u2f_keys
[../pam-u2f.c:parse_cfg(67)] argv[1]=cue
[../pam-u2f.c:parse_cfg(67)] argv[2]=debug
[../pam-u2f.c:parse_cfg(68)] max_devices=0
[../pam-u2f.c:parse_cfg(69)] debug=1
[../pam-u2f.c:parse_cfg(70)] interactive=0
[../pam-u2f.c:parse_cfg(71)] cue=1
[../pam-u2f.c:parse_cfg(72)] manual=0
[../pam-u2f.c:parse_cfg(73)] nouserok=0
[../pam-u2f.c:parse_cfg(74)] alwaysok=0
[../pam-u2f.c:parse_cfg(75)] authfile=/etc/u2f_keys
[../pam-u2f.c:parse_cfg(76)] origin=(null)
[../pam-u2f.c:parse_cfg(77)] appid=(null)
[../pam-u2f.c:pam_sm_authenticate(119)] Origin not specified, using 
"pam://durruti"
[../pam-u2f.c:pam_sm_authenticate(130)] Appid not specified, using the same 
value of origin (pam://durruti)
[../pam-u2f.c:pam_sm_authenticate(140)] Maximum devices number not set. Using 
default (24)
[../pam-u2f.c:pam_sm_authenticate(158)] Requesting authentication for user jkur
[../pam-u2f.c:pam_sm_authenticate(169)] Found user jkur
[../pam-u2f.c:pam_sm_authenticate(170)] Home directory for jkur is /home/jkur
[../pam-u2f.c:pam_sm_authenticate(221)] Using authentication file /etc/u2f_keys
[../util.c:get_devices_from_authfile(107)] Authorization line: 
jkur:bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_,047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
[../util.c:get_devices_from_authfile(112)] Matched user: jkur
[../util.c:get_devices_from_authfile(130)] KeyHandle for device number 1: 
bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
[../util.c:get_devices_from_authfile(157)] publicKey for device number 1: 
047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
[../util.c:get_devices_from_authfile(172)] Length of key number 1 is 65
[../util.c:get_devices_from_authfile(200)] Found 1 device(s) for user jkur
Please touch the device.
[../util.c:do_authentication(262)] Device max index is 0
[../util.c:do_authentication(288)] Attempting authentication with device number 
1
[../util.c:do_authentication(310)] Challenge: { "keyHandle": 
"bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", 
"challenge": "frqCM5S0XEXkVNKHoRD96P9jVFLmDI0M-jdLWb_kK0U", "appId": 
"pam:\/\/durruti" }
[../util.c:do_authentication(316)] Response: { "signatureData": 
"AQAAAcgwRQIgRoPNq_hryxmrH6m2VWM5ANsHptaUTefUmUEjtKehr_gCIQDHVex3x3XYKQfXBbTGGDndLklGbh80DkEHff2e9KvKbA",
 "clientData": 
"eyAiY2hhbGxlbmdlIjogImZycUNNNVMwWEVYa1ZOS0hvUkQ5NlA5alZGTG1ESTBNLWpkTFdiX2tLMFUiLCAib3JpZ2luIjogInBhbTpcL1wvZHVycnV0aSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmdldEFzc2VydGlvbiIgfQ",
 "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_" }
[../pam-u2f.c:pam_sm_authenticate(275)] done. [Erfolg]
root@durruti:/home/jkur# 
root@durruti:/home/jkur# 
root@durruti:/home/jkur# 
root@durruti:/home/jkur# exit
jkur@durruti:~$ sudo su
[sudo] Passwort für jkur: 
debug(pam_u2f): ../pam-u2f.c:89 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:90 (parse_cfg): flags 32768 argc 4
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[0]=authfile=/etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[1]=cue
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[2]=debug
debug(pam_u2f): ../pam-u2f.c:92 (parse_cfg): argv[3]=openasuser
debug(pam_u2f): ../pam-u2f.c:94 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:95 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:96 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:97 (parse_cfg): cue=1
debug(pam_u2f): ../pam-u2f.c:98 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): openasuser=1
debug(pam_u2f): ../pam-u2f.c:101 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): authfile=/etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:103 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:146 (pam_sm_authenticate): Origin not specified, 
using "pam://durruti"
debug(pam_u2f): ../pam-u2f.c:156 (pam_sm_authenticate): Appid not specified, 
using the same value of origin (pam://durruti)
debug(pam_u2f): ../pam-u2f.c:165 (pam_sm_authenticate): Maximum devices number 
not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:183 (pam_sm_authenticate): Requesting 
authentication for user jkur
debug(pam_u2f): ../pam-u2f.c:194 (pam_sm_authenticate): Found user jkur
debug(pam_u2f): ../pam-u2f.c:195 (pam_sm_authenticate): Home directory for jkur 
is /home/jkur
debug(pam_u2f): ../pam-u2f.c:235 (pam_sm_authenticate): Using authentication 
file /etc/u2f_keys
debug(pam_u2f): ../pam-u2f.c:245 (pam_sm_authenticate): Switched to uid 1000
debug(pam_u2f): ../util.c:102 (get_devices_from_authfile): Authorization line: 
jkur:bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_,047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
debug(pam_u2f): ../util.c:107 (get_devices_from_authfile): Matched user: jkur
debug(pam_u2f): ../util.c:134 (get_devices_from_authfile): KeyHandle for device 
number 1: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
debug(pam_u2f): ../util.c:153 (get_devices_from_authfile): publicKey for device 
number 1: 
047d360b8d4c2077430d1c42ff0f39788ec45e805bdc95a8f6b645d781ac00056b19289a9a1519bdbe94de5f7e4a98858811e7e09e34d4c51763287bd9d971134d
debug(pam_u2f): ../util.c:164 (get_devices_from_authfile): Length of key number 
1 is 65
debug(pam_u2f): ../util.c:191 (get_devices_from_authfile): Found 1 device(s) 
for user jkur
debug(pam_u2f): ../pam-u2f.c:256 (pam_sm_authenticate): Switched back to uid 0
USB send: 
00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
USB read rc read 64
USB recv: 
ffffffff8600110807060504030201cafebabe020200000315cea8f3b6d054ce7c6c8da9afb5f9fffb44fc6228a4ecd4dcbacb6d63baba57bc97ec53860e39ae
device /dev/hidraw0 discovered as 'U2F Zero'
  version (Interface, Major, Minor, Build): 2, 2, 0, 0  capFlags: 3
debug(pam_u2f): ../util.c:269 (do_authentication): Device max index is 0
debug(pam_u2f): ../util.c:300 (do_authentication): Attempting authentication 
with device number 1
debug(pam_u2f): ../util.c:322 (do_authentication): Challenge: { "keyHandle": 
"bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", "version": "U2F_V2", 
"challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": 
"pam:\/\/durruti" }
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", 
"version": "U2F_V2", "challenge": 
"XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON challenge URL-B64: XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA
client data: { "challenge": "XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", 
"origin": "pam:\/\/durruti", "typ": "navigator.id.getAssertion" }
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", 
"version": "U2F_V2", "challenge": 
"XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON app_id pam://durruti
JSON: { "keyHandle": "bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_", 
"version": "U2F_V2", "challenge": 
"XB4nnk8WJwvN6kEmE4bxG_zwHTB0BnPiOa9YkKcL1nA", "appId": "pam:\/\/durruti" }
JSON keyHandle URL-B64: bz1_psgGoVqj7EF6woABHuu4FSQ_oTJz_5zwzE-mIm_KRib_
USB send: 
00cafebabe83006e00020700000065a549964c3b62b878f71cebda3fe1a8a4b50b38645ca277ebb1dbc24f52d67af739e9eb27ecdb0c00b8e469121d93a9d569
USB write returned 65
USB send: 
00cafebabe00021d4f2cbc287aea8b36c7eba054246f3d7fa6c806a15aa3ec417ac280011eebb815243fa13273ff9cf0cc4fa6226fca4626ff00000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
now trying with timeout 512
now trying with timeout 1024
USB read rc read 64
USB recv: 
cafebabe830002698400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB data (len 2): 6984
debug(pam_u2f): ../util.c:348 (do_authentication): Device for this keyhandle is 
not present.
USB send: 
00cafebabe8100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
now trying with timeout 512
now trying with timeout 1024
now trying with timeout 2048
now trying with timeout 4096
^CUSB read rc read 64
Device /dev/hidraw0 failed ping, dead.
USB send: 
00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
^C^C^C^CUSB write returned -1
debug(pam_u2f): ../util.c:355 (do_authentication): Unable to discover devices
debug(pam_u2f): ../pam-u2f.c:293 (pam_sm_authenticate): do_authentication 
returned -2
debug(pam_u2f): ../pam-u2f.c:312 (pam_sm_authenticate): done. [Fehler bei 
Authentifizierung]
sudo: 1 Fehlversuch bei der Passwort-Eingabe




Best regargs,
   Jörg


 



-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (150, 
'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6           2.27-3
ii  libpam0g        1.1.8-3.7
ii  libu2f-host0    1.1.4-1
ii  libu2f-server0  1.1.0-1

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg  1.0.6-1

libpam-u2f suggests no packages.

-- no debconf information

-- 
Jörg (j...@corsario.org)
GPG-ID: 0xFAE26711E6EBF94D
Fingerprint: 8A79 8BF8 0A04 60EA A004  7E42 FAE2 6711 E6EB F94D

--- End Message ---

--- Begin Message ---

Source: pam-u2f
Source-Version: 1.0.7-1

We believe that the bug you reported is fixed in the latest version of
pam-u2f, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Braud-Santoni <nico...@braud-santoni.eu> (supplier of updated pam-u2f 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 May 2018 14:33:06 +0200
Source: pam-u2f
Binary: libpam-u2f pamu2fcfg
Architecture: source amd64
Version: 1.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Authentication Maintainers <team+a...@tracker.debian.org>
Changed-By: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
Description:
 libpam-u2f - universal 2nd factor (U2F) PAM module
 pamu2fcfg  - universal 2nd factor (U2F) PAM module command-line helper tool
Closes: 898519
Changes:
 pam-u2f (1.0.7-1) unstable; urgency=high
 .
   * New upstream version 1.0.7 (2018-05-15)
     Closes: #898519
   * Update & complete debian/copyright
   * Move the packaging repository to salsa.d.o
   * Use the tracker.debian.org email address for the maintainers.
   * Switch to debhelper 11
Checksums-Sha1:
 a5682765f352a3f827409e766972f7eb1097002c 2371 pam-u2f_1.0.7-1.dsc
 5b49857a286b4b0622e10296932b10d8036362cf 378513 pam-u2f_1.0.7.orig.tar.gz
 f2ecc3ed4f1b2252f4f356c9d4fbebc7937ad200 534 pam-u2f_1.0.7.orig.tar.gz.asc
 3e6c861b9835da6f0d4c62422a64775f58a22c87 50324 pam-u2f_1.0.7-1.debian.tar.xz
 8852ac9d4f45ad288ff0c825e46334b641a6a802 19780 
libpam-u2f-dbgsym_1.0.7-1_amd64.deb
 b6c7b2d0d562d0600301698227f38f0c37baf52d 26924 libpam-u2f_1.0.7-1_amd64.deb
 7bce001eabe9cec91a33d17fa646e9e16caca935 6535 pam-u2f_1.0.7-1_amd64.buildinfo
 cf304b54cdfa7d45900e766dec1917ca107d570d 15368 
pamu2fcfg-dbgsym_1.0.7-1_amd64.deb
 0a48aa6a70f95501c7db4d4ceb859259e3e6778e 17068 pamu2fcfg_1.0.7-1_amd64.deb
Checksums-Sha256:
 13c54274b7b577742b9407dc59b30b29ebb3782e188851be04761d09e9473caa 2371 
pam-u2f_1.0.7-1.dsc
 034aad8e29b159443dd6c1b7740006addc83d0659304fc4b0b4fb592f768e7cf 378513 
pam-u2f_1.0.7.orig.tar.gz
 533ab8740815f09cfda3386459a196ddc5facb9edbbeca54f7d1756942d3c542 534 
pam-u2f_1.0.7.orig.tar.gz.asc
 07def8013606bf2f33dfebdf0eff7f20552da62358a8ff854dde4240d59ad856 50324 
pam-u2f_1.0.7-1.debian.tar.xz
 96aa87a1691134af17a0a2521093451b6202a8da76b28d176fd265fbc7b3f279 19780 
libpam-u2f-dbgsym_1.0.7-1_amd64.deb
 82cb4359f75867229ccbe05b43a229a1f1efa74a1f6e35e2c392671906f7a9f2 26924 
libpam-u2f_1.0.7-1_amd64.deb
 e74f449d6d2325d32a99e585ad4da4b87855f53d51d7dec0e4425c105bd7cb31 6535 
pam-u2f_1.0.7-1_amd64.buildinfo
 8d47ab0455cb01b722111c7ce962a58ec5b433364ffb1a3ac6c2ee3f016f837e 15368 
pamu2fcfg-dbgsym_1.0.7-1_amd64.deb
 42aba8bb84191ac1ae287e4e066a9f550e5988c96250fcef3ea1d65b3314e069 17068 
pamu2fcfg_1.0.7-1_amd64.deb
Files:
 0d9b8913c91b87ecaa7f4c70976f76d9 2371 admin optional pam-u2f_1.0.7-1.dsc
 b34e91a03e7e454abd3b5374e76d6221 378513 admin optional 
pam-u2f_1.0.7.orig.tar.gz
 6bee22abab3e59cfe0a73f688d2d9db3 534 admin optional 
pam-u2f_1.0.7.orig.tar.gz.asc
 59eb7464eca356d4451569cbd6088e02 50324 admin optional 
pam-u2f_1.0.7-1.debian.tar.xz
 65c4a21a9210dd9586c243fa003d648c 19780 debug optional 
libpam-u2f-dbgsym_1.0.7-1_amd64.deb
 a712a4504d5a74d8c6626bcc3c22443a 26924 admin optional 
libpam-u2f_1.0.7-1_amd64.deb
 503a161edabeec937920c81a77b91065 6535 admin optional 
pam-u2f_1.0.7-1_amd64.buildinfo
 f5f57f3d356399160796c579eaea33dc 15368 debug optional 
pamu2fcfg-dbgsym_1.0.7-1_amd64.deb
 cd188d8b472f3639d66a829dcd9f5329 17068 admin optional 
pamu2fcfg_1.0.7-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEExyA8CpIGcL+U8AuxsB0acqyNyaEFAls1L78PHGpjY0BkZWJp
YW4ub3JnAAoJELAdGnKsjcmhIdwQALVEsZrrLPQSBiyGM9u+zwJWTcDbOYfCIrvE
S1WgF4nSQJeTBHjMp6fW7CRZ0NN1DjEItwSHaiXGkzdeG+LTJWn1f6q9LAIIETFb
0w83ssCBbNV4erD7MUbrp3Hg8gzxazXsJes/GYnES4KwgjGeUvpjIsMOeKQANIW9
zlNAvKwW/+784Bb5ucMK6ZRWWV3HKSKDVYyYUOOVw6TihWM+xUqv6lMguAGuP1GD
cxHoto/WkPpuIzvonkKQIfRcrv71C8jyspxwFd2GqN0c5Q6WCZfUHGLI3xsk8zls
O7AM266mcds4XHY0GIBLfIOls4OgCcLd46ya0u58FC4YC5Y/hAj6xQ7HbkrWWA8B
yMG1Ttux3f88UJ0+IHjKww1kVkRi9uYbuFJPTUMsuzCXjt/vSKRYIvuekssJtsUw
QqrxgOQNMVz5aq7Drveotm8a2thAsv99+BLZ34pgQTLnwddOXuYbezgkoEmYLaqh
m0tlOmwrjERaAOZD8SkTK5CIkO5UjTVwyzUW8uoMpoKGoKeE26tKoUVwl2BUcE/f
xEVd7YXkQpNo1/0H+Moi7zwOU3rnjxYyZsV0xAVsXunsym8oGuvwlVYRjmOJ7+XY
uj9KGvYqi8WhyNCxgtSdQJ53JVcwCIPJVkwQpOKjSz8kvDkQGvkbvV74SL1Wmkp4
1trZyJQ/
=nbzx
-----END PGP SIGNATURE-----

--- End Message ---