Public bug reported:
I want the following:
Users who added a universal second factor (YubiKey) to the u2f authfile should be
forced to use the token.
Users who do NOT have such a u2f configured should be able to log in without
a token.
I have added the following line in my PAM configuration files
/etc/pam.d/login
/etc/pam.d/gdm-password
after the @include common-auth line
```
auth required pam_u2f.so authfile=/etc/u2f_mappings cue [cue_prompt=Token berühren] nouserok pinverification=0
```
And this worked as I expected and described above. So I took this line
and copied it over to my Debian computer, where it works the same as
well.
A few days ago a user without a configured token tried to log in on my
Ubuntu computer and got the response that the password is OK, but
authentication failed.
I found that the option nouserok has been ignored since some updates in
the past few months, but I don't know since when exactly.
When I configure a YubiKey for this user with pamu2fcfg, the user can
log in by touching the YubiKey. When I remove the line in the file
/etc/u2f_mappings, I get the same error as before.
The documentation says for "nouserok"
"Set to make authentication attempts not fail if the user trying to
authenticate is not found inside authfile, is found but has no
credentials, or if the authfile is missing."
Therefore I think some Ubuntu patch to the package breaks the nouserok
option.
```
# dpkg -l|grep u2f
ii  libpam-u2f   1.1.0-1.1+deb12u1build0.24.04.1  amd64  universal 2nd factor (U2F) PAM module
ii  libu2f-udev  1.1.10-3build3                   all    Universal 2nd Factor (U2F) — transitional package
ii  pamu2fcfg    1.1.0-1.1+deb12u1build0.24.04.1  amd64  universal 2nd factor (U2F) PAM module command-line helper tool
```
It works as expected on a Debian bookworm machine with the following versions:
```
dpkg -l|grep u2f
ii  libpam-u2f  1.1.0-1.1+deb12u1  amd64  universal 2nd factor (U2F) PAM module
ii  pamu2fcfg   1.1.0-1.1+deb12u1  amd64  universal 2nd factor (U2F) PAM module command-line helper tool
```
** Affects: pam-u2f (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2130866
Title:
libpam-u2f ignores nouserok
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam-u2f/+bug/2130866/+subscriptions
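
An added example, not part of the original report or of pam-u2f: it classifies a user against the authfile into the three cases the quoted documentation lists for nouserok, which helps tell a missing or empty mapping apart from a change in module behaviour. The authfile layout (one `username:credential[:credential...]` line per user), the function names and the sample values are assumptions.

```python
import os
import tempfile


def classify(authfile, user):
    """Return 'authfile_missing', 'user_not_found', 'no_credentials' or 'enrolled'."""
    if not os.path.isfile(authfile):
        return "authfile_missing"
    with open(authfile, encoding="utf-8") as fh:
        for raw in fh:
            name, _, rest = raw.strip().partition(":")
            if name != user:
                continue
            # Assumed layout: each ':'-separated field after the name is one credential.
            creds = [c for c in rest.split(":") if c.strip()]
            return "enrolled" if creds else "no_credentials"
    return "user_not_found"


def expected_outcome(authfile, user, nouserok):
    """What the documented nouserok semantics imply for this user."""
    if classify(authfile, user) == "enrolled":
        return "token_required"
    # Not enrolled: nouserok should let the attempt pass, otherwise it fails.
    return "skip_token" if nouserok else "fail"


def sample_authfile():
    """Write a constructed authfile (placeholder credentials) and return its path."""
    fd, path = tempfile.mkstemp(prefix="u2f_mappings_")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence\n")
        fh.write("bob:\n")  # listed, but without any credential
    return path


if __name__ == "__main__":
    path = sample_authfile()
    for user in ("alice", "bob", "carol"):  # constructed user names
        print(user, classify(path, user), expected_outcome(path, user, nouserok=True))
    os.unlink(path)
```

A user reported as `user_not_found` or `no_credentials` who is still rejected with nouserok set matches the behaviour described in this report.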