Control: severity -1 serious
Control: tag -1 + upstream moreinfo sid buster
Control: forward -1 https://github.com/Yubico/pam-u2f/issues/97
On Sun, May 13, 2018 at 01:55:28AM +0200, Jörg Kurlbaum wrote:
> Package: libpam-u2f
> Version: 1.0.6-1
> Severity: important
>
> Dear Maintainer,

Hi Jörg,

Sorry for only getting back to you now, and sorry for letting this bug slip by into sid and buster unnoticed. :(

> during a system upgrade on buster the package libpam-u2f is upgraded from
> 1.0.4 to 1.0.6.
>
> After the upgrade the PAM module fails to authenticate with the U2Fzero
> device (u2fzero.com).
> A manual downgrade to 1.0.4 solves all issues.

As I do not have a U2Fzero device, and was unable to reproduce the issue with my own, it is complicated for me to debug, but the debug logs hint at an issue in the low-level communication with the device, which is implemented by libu2f-host. Did you recently update that library? (I doubt that's the issue, though, as downgrading fixes the problem.)

In the meantime, I am forwarding this bug upstream (against pam-u2f), who might be able to pinpoint the issue faster than I would. (OTOH, several of the pam-u2f upstream developers are in the relevant packaging team and should have received the bug report anyhow.)

> This is severe: if the system is rebooted directly, authentication would fail.
> The user would be locked out from the machine.

Agreed; as such, I am upgrading the severity to serious, as it makes pam-u2f unsuitable for release. This will eventually result in pam-u2f getting deleted from buster, but I hope we can fix this before then :)

Best,
nicoo

> A quick look at the code shows a lot of changes between the two (minor)
> versions. But I couldn't figure out the exact lines involved yet.
>
> While with the 1.0.4 version the u2f device shows a red light as signal for
> pressing the button, the 1.0.6 version makes the device just light up bright
> green.
>
>
> My Configuration files:
>
> /etc/pam.d/u2f:
>
> auth required pam_u2f.so authfile=/etc/u2f_keys cue debug openasuser
>
> /etc/pam.d/sudo:
>
> #%PAM-1.0
> @include common-auth
> @include common-account
> @include common-session-noninteractive
> @include u2f

Those config files look perfectly reasonable.

> [...]
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (150, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libpam-u2f depends on:
> ii  libc6           2.27-3
> ii  libpam0g        1.1.8-3.7
> ii  libu2f-host0    1.1.4-1
> ii  libu2f-server0  1.1.0-1
>
> Versions of packages libpam-u2f recommends:
> ii  pamu2fcfg  1.0.6-1
>
> libpam-u2f suggests no packages.
>
> -- no debconf information
>
> --
> Jörg (j...@corsario.org)
> GPG-ID: 0xFAE26711E6EBF94D
> Fingerprint: 8A79 8BF8 0A04 60EA A004 7E42 FAE2 6711 E6EB F94D