Bug 1568058 - pam-u2f module incorrectly handles 'nouserok' parameter (fixed in v1.0.5)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam-u2f
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Seth Jennings
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-04-16 16:51 UTC by CJ Oster
Modified: 2018-05-05 22:25 UTC (History)

Fixed In Version: pam-u2f-1.0.6-1.fc27
Last Closed: 2018-05-05 22:25:58 UTC
Type: Bug



Description CJ Oster 2018-04-16 16:51:32 UTC
Description of problem:

The pam-u2f module in v1.0.4 contains a bug in its handling of the option `nouserok'. This option is intended for system admins to permit users to still be able to log in. However, the handling in 1.0.4 fails authentication if the authentication file is missing or empty, and a workaround is to create the file and fill it with garbage.

This issue (among many others) has been fixed in v1.0.5, which has been released.


Version-Release number of selected component (if applicable): 1.0.4-6


How reproducible: Consistently


Steps to Reproduce:

(Understand that logging in with the u2f token alone is not its intended behavior; however, this test is considerably less complicated than full 2FA.)

1. Insert the line:

    auth sufficient pam_u2f.so cue nouserok

Into /etc/pam.d/system-auth before the pam_unix auth config.

2. Observe a user without u2f configured cannot log in. (Missing ~/.config/Yubico/u2f_keys).

3. Create the file ~/.config/Yubico/u2f_keys and fill it with garbage

    mkdir -p ~/.config/Yubico/ && echo "foo" > ~/.config/Yubico/u2f_keys

4. Observe the user can log in with u2f key alone.

Actual results:

U2F authentication should succeed

Expected results:

Users with unconfigured u2f keys should be able to pass authentication if `nouserok' is supplied to the module.

Additional info:

The developer has released V1.0.5 (https://github.com/Yubico/pam-u2f/releases/tag/pam_u2f-1.0.5) fixing this issue.

Comment 1 Fedora Update System 2018-04-16 18:17:36 UTC
pam-u2f-1.0.5-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b4fb4d0b97

Comment 2 Fedora Update System 2018-04-16 18:18:22 UTC
pam-u2f-1.0.5-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e4315ecb3

Comment 3 Fedora Update System 2018-04-17 03:05:48 UTC
pam-u2f-1.0.5-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e4315ecb3

Comment 4 Fedora Update System 2018-04-18 03:00:32 UTC
pam-u2f-1.0.5-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b4fb4d0b97

Comment 5 Seth Jennings 2018-04-18 03:17:53 UTC
Reporter requested update be delayed until recently discovered upstream bugs can be resolved.

Comment 6 CJ Oster 2018-04-18 17:49:09 UTC
v1.0.6 has been released[0], fixing a bug (I) introduced into 1.0.5 in an unrelated commit.

[0] - https://github.com/Yubico/pam-u2f/releases/tag/pam_u2f-1.0.6

Comment 7 CJ Oster 2018-04-18 18:09:21 UTC
(In reply to CJ Oster from comment #0)

> Steps to Reproduce:
> 

This should read:

1. Insert the line:

    auth requisite pam_u2f.so cue nouserok

Into /etc/pam.d/system-auth before the pam_unix auth config.

2. Observe a user without u2f configured cannot log in. (Missing ~/.config/Yubico/u2f_keys). The pam_u2f.so module fails.

3. Create the file ~/.config/Yubico/u2f_keys and fill it with garbage

    mkdir -p ~/.config/Yubico/ && echo "foo" > ~/.config/Yubico/u2f_keys

4. Observe the user can now log in with password because the `nouserok' check causes the pam_u2f.so module to succeed, and the stack passes to pam_unix.so.
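
Added example, not part of the original report or of pam-u2f: a shell audit that classifies each user's `~/.config/Yubico/u2f_keys` and flags the two states (missing, empty) that the report says fail authentication under 1.0.4 even with `nouserok`. The function names, the demo directory and its contents are constructed, and the `user:keyhandle,pubkey` entry pattern is an assumption about the file format.

```shell
#!/bin/sh
# Added example: classify pam_u2f authorization files per home directory.
# Assumption: a usable entry looks like  user:keyhandle,pubkey[:keyhandle,pubkey...]

classify_u2f_keys() {
    f=$1
    if [ ! -e "$f" ]; then echo missing; return; fi
    if [ ! -s "$f" ]; then echo empty; return; fi
    # At least one line with a user name followed by a keyhandle,pubkey pair.
    if grep -Eq '^[^:]+:[^:,]+,[^:,]+' "$f"; then
        echo configured
    else
        echo unparsable   # e.g. the "foo" file from step 3
    fi
}

# States the report describes as failing under 1.0.4 despite nouserok.
affected_by_bug() {
    case $1 in
        missing|empty) echo yes ;;
        *) echo no ;;
    esac
}

# $1 = directory that contains the home directories (e.g. /home).
audit_homes() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        state=$(classify_u2f_keys "$home/.config/Yubico/u2f_keys")
        printf '%s\t%s\t%s\n' "$(basename "$home")" "$state" \
            "$(affected_by_bug "$state")"
    done
}

# Constructed demo tree (not real accounts or real key material).
demo=$(mktemp -d)
mkdir -p "$demo/alice/.config/Yubico" "$demo/bob/.config/Yubico" \
         "$demo/carol/.config/Yubico" "$demo/dave"
: > "$demo/alice/.config/Yubico/u2f_keys"
echo "foo" > "$demo/bob/.config/Yubico/u2f_keys"
echo "carol:KH_constructed,PK_constructed" > "$demo/carol/.config/Yubico/u2f_keys"
audit_homes "$demo"
rm -rf "$demo"
```

On a real host, call `audit_homes /home` as root so other users' files are readable; accounts reported as `yes` are the ones to check before enabling `nouserok` on 1.0.4.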

Comment 8 Fedora Update System 2018-04-19 20:40:16 UTC
pam-u2f-1.0.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-990ca867d2

Comment 9 Fedora Update System 2018-04-19 20:40:48 UTC
pam-u2f-1.0.6-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5308e1b14

Comment 10 Fedora Update System 2018-04-20 01:50:10 UTC
pam-u2f-1.0.6-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5308e1b14

Comment 11 Fedora Update System 2018-04-21 05:02:20 UTC
pam-u2f-1.0.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-990ca867d2

Comment 12 Fedora Update System 2018-05-05 20:29:12 UTC
pam-u2f-1.0.6-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2018-05-05 22:25:58 UTC
pam-u2f-1.0.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

