Fixing issues with Yubico's PAM U2F bindings in version 1.3.1
I've been using a YubiKey for years now, and on each computer I use, I install Yubico's U2F (Universal 2nd Factor) bindings for the Linux Pluggable Authentication Modules (PAM) stack, requiring a touch of my YubiKey for login and sudo access.
Today, I updated my work machine, and didn't even notice that there were new pamu2fcfg and libpam-u2f packages, updating to version 1.3.1; I never really care, as everything just works. But when I came back to my machine after lunch, I was unable to login: I'd provide my password, but my Yubikey wouldn't activate.
I tested it on my personal machine, and everything was working fine. I tried pressing the key on my work machine while in the password field, and it pasted in the OTP code, so clearly there's no USB issue.
So, after booting my rescue USB drive and disabling the U2F support, I (a) discovered that I'd had updates for the PAM U2F support earlier, and (b) searched for the phrase "yubikey pam u2f 1.3.1 breaks", which took me to this report.
The gist?
Due to a CVE fix, the PAM U2F module (pam_u2f) now refuses to use a u2f_keys file that is writable by group or others: the file must be writable only by its owner. If it isn't, the module simply fails the authentication, which from the user's side looks exactly like the silent lockout above, with no hint that file permissions are the cause.
This can be accomplished pretty easily:
### If you have systemwide keys:
sudo chmod g-w,o-w /etc/yubico/u2f_keys
### If you have per-user keys:
chmod g-w,o-w $HOME/.config/Yubico/u2f_keys
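The two chmod lines above fix the problem, but it is worth checking first, ideally before rebooting. The following is an added example (my own helper, not code from the original post and not tooling shipped by Yubico) that reports whether a u2f_keys file has group or world write bits set, strips them, and walks the two default locations. It assumes GNU coreutils `stat -c '%a'` (on macOS/BSD use `stat -f '%Lp'` instead) and a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post or from Yubico's pam_u2f.
# Assumes GNU coreutils `stat -c '%a'`; on macOS/BSD swap in `stat -f '%Lp'`.

# Print the octal permission bits of a file (e.g. 644 or 664).
u2f_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the file is writable only by its owner (no group/other write bit),
# 1 if group or others can write to it, 2 if the file does not exist.
u2f_keys_ok() {
    file=$1
    [ -f "$file" ] || return 2
    # Keep only the low three digits so a setuid/setgid/sticky digit is ignored.
    mode=$(printf '%s' "$(u2f_mode "$file")" | tail -c 3)
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    # The write bit is 2 within each octal digit.
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Strip group/other write bits in place (same chmod as above), then re-check.
u2f_keys_fix() {
    chmod g-w,o-w "$1" && u2f_keys_ok "$1"
}

# Check the system-wide and per-user locations and say what to run for each bad one.
u2f_keys_check_defaults() {
    for f in /etc/yubico/u2f_keys "${HOME}/.config/Yubico/u2f_keys"; do
        [ -f "$f" ] || continue
        if u2f_keys_ok "$f"; then
            echo "ok:  $f (mode $(u2f_mode "$f"))"
        else
            echo "BAD: $f (mode $(u2f_mode "$f")) -- run: chmod g-w,o-w '$f'"
        fi
    done
}
```

Run `u2f_keys_check_defaults` as your normal user before the next reboot; if anything prints as BAD, apply the suggested chmod (with sudo for the file under /etc/yubico) and you avoid finding out at the login prompt.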
Once I did that, I re-enabled my PAM U2F bindings, rebooted, and all worked fine again.
Final thoughts
I rarely think about permissions in my $HOME/.config directory, but I'm well aware that configuration for things like SSH and GPG requires similar permission masks. I think it's great that Yubico is doing this, but (a) it should likely have been like this all along, and (b) they really should have provided some sort of tooling or messaging with the update to help folks fix permission issues before they become a problem. The fact that I only found out when I was unable to log in to my machine was horrible, and I feel incredibly fortunate and privileged that I (a) had a rescue USB drive handy, and (b) had the knowledge of what I needed to do to disable U2F so I could access my machine. Not all their users will be in that position.