Description of problem: libu2f-host is responsible for issuing u2f queries to attached tokens and waiting for user response. However, if a "check-only" authentication request[0] is presented, the sleep logic still delays for a full second before returning the results when no delay is necessary. This was fixed in PR#97[1], which is included in relase v1.1.6 in the upstream. This issue was discovered because pam-u2f 1.0.6 or later issues a check-only authentication as a security measure to avoid leaking information about the authentication stack in certain scenarios. Ergo, if using pam-u2f 1.0.6 or later (1.0.7 contains a workaround), every u2f authentication takes a 1-second delay. [0] - https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html [1] - https://github.com/Yubico/libu2f-host/pull/97 Version-Release number of selected component (if applicable): 1.1.3-3.fc27 How reproducible: Always Steps to Reproduce: 1. Install and configure pam-u2f 1.0.6 or later. 2. Observe that every u2f authentication sleeps for a second before requesting user input. Actual results: There is a one-second delay between the previous pam module and the u2f user-presence authentication. Expected results: User-presence authentication should begin immediately. Additional info: pam-u2f 1.0.7 contains an option to avoid this early detection as either a workaround for this issue, or for hypothetical tokens that do not tolerate it. Either way, there's no reason for the delay in a check-only authentication.
Is this enough to get pam-u2f bumped to version 1.0.7 also?
I'll attempt it this evening. Thanks for the detail!
libu2f-host-1.1.6-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6683593d48
libu2f-host-1.1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-826d839ccf
pam-u2f and libu2f-host have been updated to latest upstream versions for f27 and later: https://bodhi.fedoraproject.org/users/sjenning
libu2f-host-1.1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-826d839ccf
libu2f-host-1.1.6-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6683593d48
libu2f-host-1.1.6-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
libu2f-host-1.1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.