Summary: libu2f-host before 1.1.6 unnecessarily delays check-only authentication
Product: Fedora
Reporter: CJ Oster <cjo>
Component: libu2f-host
Assignee: Seth Jennings <sethdjennings>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Fixed In Version: libu2f-host-1.1.6-1.fc27
Doc Type: If docs needed, set a value
Doc Text: (none)
Story Points: ---
Last Closed: 2018-05-24 14:26:00 UTC
Type: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: (none)
Cloudforms Team: ---
Target Upstream Version: (none)
Description CJ Oster 2018-05-15 19:49:25 UTC
Description of problem:
libu2f-host is responsible for issuing u2f queries to attached tokens and waiting for user response. However, if a "check-only" authentication request is presented, the sleep logic still delays for a full second before returning the results when no delay is necessary. This was fixed in PR#97, which is included in release v1.1.6 in the upstream.

This issue was discovered because pam-u2f 1.0.6 or later issues a check-only authentication as a security measure to avoid leaking information about the authentication stack in certain scenarios. Ergo, if using pam-u2f 1.0.6 or later (1.0.7 contains a workaround), every u2f authentication takes a 1-second delay.

 - https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html
 - https://github.com/Yubico/libu2f-host/pull/97

Version-Release number of selected component (if applicable):
1.1.3-3.fc27

How reproducible:
Always

Steps to Reproduce:
1. Install and configure pam-u2f 1.0.6 or later.
2. Observe that every u2f authentication sleeps for a second before requesting user input.

Actual results:
There is a one-second delay between the previous pam module and the u2f user-presence authentication.

Expected results:
User-presence authentication should begin immediately.

Additional info:
pam-u2f 1.0.7 contains an option to avoid this early detection as either a workaround for this issue, or for hypothetical tokens that do not tolerate it. Either way, there's no reason for the delay in a check-only authentication.
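Added illustration of the behaviour the report describes (this is not libu2f-host's code and not the PR#97 patch): a constructed fake token answers U2F_AUTHENTICATE requests with the status words the linked raw-message-format spec defines, and a host-side polling loop is run against it in both its buggy and its fixed shape. With the check-only control byte (0x07) the token never signs; it answers 0x6985 (conditions not satisfied) when it owns the key handle and 0x6A80 (wrong data) when it does not, so 0x6985 is already the final answer and there is nothing to wait for. The `sim_token`, the `auth_result` codes and the wrapper functions are assumptions of this example; each sleep(1) a real host would perform is counted rather than executed so the program runs instantly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* U2F_AUTHENTICATE control-byte values from the FIDO U2F raw message format spec
 * (the document linked in the report). */
#define U2F_AUTH_CHECK_ONLY        0x07  /* "is this key handle yours?"; never signs */
#define U2F_AUTH_ENFORCE_PRESENCE  0x03  /* sign, but only after the user touches the token */

/* ISO 7816 status words a U2F token returns. */
#define SW_NO_ERROR                 0x9000
#define SW_CONDITIONS_NOT_SATISFIED 0x6985  /* presence needed; for check-only: handle is valid */
#define SW_WRONG_DATA               0x6A80  /* key handle was not created by this token */

/* Host-side outcome codes (constructed for this example, not libu2f-host's API). */
enum auth_result {
    AUTH_OK = 0,            /* signature obtained */
    AUTH_HANDLE_VALID = 1,  /* check-only: token recognised the key handle */
    AUTH_WRONG_HANDLE = -1, /* token does not own this key handle */
    AUTH_TIMEOUT = -2       /* user never touched the token */
};

/* Constructed fake token: no USB HID traffic, only the status words a token would send. */
struct sim_token {
    bool key_handle_valid;     /* does this token own the key handle? */
    int polls_until_present;   /* presence polls to answer before the user "touches" it */
};

static uint16_t sim_token_authenticate(struct sim_token *t, uint8_t control)
{
    if (!t->key_handle_valid)
        return SW_WRONG_DATA;
    if (control == U2F_AUTH_CHECK_ONLY)
        return SW_CONDITIONS_NOT_SATISFIED;   /* spec: valid handle, no signature produced */
    if (t->polls_until_present > 0) {
        t->polls_until_present--;
        return SW_CONDITIONS_NOT_SATISFIED;   /* still waiting for the touch */
    }
    return SW_NO_ERROR;
}

/* Host polling loop. `fixed` selects the post-fix behaviour; with it false the loop
 * treats a check-only 0x6985 like a presence wait and pays one sleep for nothing.
 * Every simulated sleep(1) is counted in *sleeps instead of actually sleeping. */
static enum auth_result host_authenticate(struct sim_token *t, uint8_t control,
                                          unsigned max_polls, bool fixed, unsigned *sleeps)
{
    for (unsigned i = 0; i < max_polls; i++) {
        uint16_t sw = sim_token_authenticate(t, control);
        if (sw == SW_WRONG_DATA)
            return AUTH_WRONG_HANDLE;
        if (sw == SW_NO_ERROR)
            return AUTH_OK;
        /* sw == SW_CONDITIONS_NOT_SATISFIED */
        if (control == U2F_AUTH_CHECK_ONLY) {
            /* For check-only this is the final answer: no user action is pending. */
            if (!fixed)
                (*sleeps)++;   /* the bug: a presence-style delay before returning */
            return AUTH_HANDLE_VALID;
        }
        (*sleeps)++;           /* real host: sleep(1), then ask the token again */
    }
    return AUTH_TIMEOUT;
}

/* Wrappers so each scenario yields one checkable value (10 polls = 10 s budget). */
static int sim_result(uint8_t control, bool valid, int polls_until_present, bool fixed)
{
    struct sim_token t = { valid, polls_until_present };
    unsigned sleeps = 0;
    return host_authenticate(&t, control, 10, fixed, &sleeps);
}

static unsigned sim_sleeps(uint8_t control, bool valid, int polls_until_present, bool fixed)
{
    struct sim_token t = { valid, polls_until_present };
    unsigned sleeps = 0;
    host_authenticate(&t, control, 10, fixed, &sleeps);
    return sleeps;
}

int main(void)
{
    printf("check-only, before fix: result %d, sleeps %u\n",
           sim_result(U2F_AUTH_CHECK_ONLY, true, 0, false),
           sim_sleeps(U2F_AUTH_CHECK_ONLY, true, 0, false));
    printf("check-only, after fix:  result %d, sleeps %u\n",
           sim_result(U2F_AUTH_CHECK_ONLY, true, 0, true),
           sim_sleeps(U2F_AUTH_CHECK_ONLY, true, 0, true));
    printf("enforce presence, touch after 2 polls: result %d, sleeps %u\n",
           sim_result(U2F_AUTH_ENFORCE_PRESENCE, true, 2, true),
           sim_sleeps(U2F_AUTH_ENFORCE_PRESENCE, true, 2, true));
    return 0;
}
```

The point the simulation makes is the one the report makes: the sleep in a presence loop is only justified while the token can still change its answer, and a check-only request cannot, so the pam-u2f pre-check should cost one round-trip, not one second. The same loop still sleeps between polls for a real signing request, which is the case the delay was written for.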
Comment 1 CJ Oster 2018-05-15 19:59:30 UTC
Is this enough to get pam-u2f bumped to version 1.0.7 also?
Comment 2 Seth Jennings 2018-05-15 20:05:25 UTC
I'll attempt it this evening. Thanks for the detail!
Comment 3 Fedora Update System 2018-05-16 03:42:40 UTC
libu2f-host-1.1.6-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6683593d48
Comment 4 Fedora Update System 2018-05-16 03:43:04 UTC
libu2f-host-1.1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-826d839ccf
Comment 5 Seth Jennings 2018-05-16 03:44:55 UTC
pam-u2f and libu2f-host have been updated to latest upstream versions for f27 and later: https://bodhi.fedoraproject.org/users/sjenning
Comment 6 Fedora Update System 2018-05-16 14:13:25 UTC
libu2f-host-1.1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-826d839ccf
Comment 7 Fedora Update System 2018-05-16 15:13:23 UTC
libu2f-host-1.1.6-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6683593d48
Comment 8 Fedora Update System 2018-05-24 13:56:22 UTC
libu2f-host-1.1.6-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2018-05-24 14:26:00 UTC
libu2f-host-1.1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.