Bug 1568058
| Summary: | pam-u2f module incorrectly handles 'nouserok' parameter (fixed in v1.0.5) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | CJ Oster <cjo> |
| Component: | pam-u2f | Assignee: | Seth Jennings <sethdjennings> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | cjo, sethdjennings, sjenning |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pam-u2f-1.0.6-1.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-05-05 22:25:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
pam-u2f-1.0.5-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b4fb4d0b97 pam-u2f-1.0.5-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e4315ecb3 pam-u2f-1.0.5-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e4315ecb3 pam-u2f-1.0.5-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b4fb4d0b97 Reporter requested update be delayed until recently discovered upstream bugs can be resolved. v1.0.6 has been released[0], fixing a bug (I) introduced into 1.0.5 in an unrelated commit. [0] - https://github.com/Yubico/pam-u2f/releases/tag/pam_u2f-1.0.6 (In reply to CJ Oster from comment #0) > Steps to Reproduce: > This should read: 1. Insert the line: auth requisite pam_u2f.so cue nouserok Into /etc/pam.d/system-auth before the pam_unix auth config. 2. Observe a user without u2f configured cannot login. (Missing ~/.config/Yubico/u2f_keys). The pam_u2f.so module fails. 3. Create the file ~/.config/Yubico/u2f_keys and fill it with garbage mkdir -p ~/.config/Yubico/ && echo "foo" > ~/.config/Yubico/u2f_keys 4. Observe the user can now login with password because the `nouserok' check causes the pam_u2f.so module to succeed, and the stack passing to pam_unix.so. pam-u2f-1.0.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-990ca867d2 pam-u2f-1.0.6-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5308e1b14 pam-u2f-1.0.6-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5308e1b14 pam-u2f-1.0.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-990ca867d2 pam-u2f-1.0.6-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. pam-u2f-1.0.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The pam-u2f module in v1.0.4 contains a bug in its handling of the option, `nouserok'. This option is intended for system admins to permit users to still be able to login. However, the handling in 1.0.4 fails authentication if the authentication file is missing or empty, and a work around is to create the file and fill it with garbage. This issue (among many others) has been fixed in v1.0.5, which has been release. Version-Release number of selected component (if applicable): 1.0.4-6 How reproducible: Consistently Steps to Reproduce: (Understand that logging in with the u2f token alone is not it's intended behavior, however, this test is considerably less complicated than full 2FA). 1. Insert the line: auth sufficient pam_u2f.so cue nouserok Into /etc/pam.d/system-auth before the pam_unix auth config. 2. Observe a user without u2f configured cannot login. (Missing ~/.config/Yubico/u2f_keys). 3. Create the file ~/.config/Yubico/u2f_keys and fill it with garbage mkdir -p ~/.config/Yubico/ && echo "foo" > ~/.config/Yubico/u2f_keys 4. Observe the user can login with u2f key alone. Actual results: U2F authentication should succeed Expected results: Users with unconfigured u2f keys should be able to pass authentication if `nouserok' is supplied to the module. Additional info: The developer has released V1.0.5 (https://github.com/Yubico/pam-u2f/releases/tag/pam_u2f-1.0.5) fixing this issue.