2

I have configured

auth sufficient pam_u2f.so cue [cue_prompt=Tap the Yubikey to sudo]

in /etc/pam.d/sudo to be able to sudo by touching my YubiKey. When running a script it might be easy to miss the LED indicator on the key, so I configured cue and cue_prompt to print some equivalent to [sudo] Password for user: when using the password.

There's no cue printed ever, it behaves like the two options have not been configured. The options are correct according to https://developers.yubico.com/pam-u2f/. The docs don't say which version they belong to - that'd just be too easy - so maybe there's a mismatch that they're no longer or not yet supported.

I'm using libpam-u2f 1.1.0-1.1build1 on Ubuntu 23.10.

1 Answer

0

I reverse engineered the meaning of the docs with trial and error and came to the following conclusion:

  1. The meaning of cue remains a mystery, as does the difference between interactive and cue. Based on the description, cue is what I want; it does not show cue_prompt, though.
  2. Using interactive and prompt comes very close to what I want. There's just the annoyance that I need to tap Enter before I can tap the YubiKey.

debug debug_file=stderr contains no information whether the prompt is supposed to be invoked or not.

In the description of nodetect there's mention of preventing the authentication stack from being exposed in the output, which might end up on the internet unintentionally. This is a good point which makes me question my idea to show the prompt.

  • This is maybe not the best possible answer. Feel free to post an answer which shows how to avoid the need for [Enter]. – Kalle Richter Aug 04 '24 at 11:39
  • You might file a launchpad bug and let the devs decide if it's a missing feature or a documentation error. – ubfan1 Aug 04 '24 at 16:29
  • Passing cue and cue_prompt works for me without having to manually press the Enter key. Note that I am using version 1.3.0-1 of libpam-u2f on Ubuntu 24.04, so perhaps there was a bug in an earlier version (although I did not see anything along those lines in the release notes). Not sure if Ubuntu 23.10 is a hard requirement for you. If so, see if you can manually install a later release. – TenicioBelDoro Nov 27 '24 at 21:36
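
An added example, not part of the original posts and not libpam or pam_u2f code: a small Python tokenizer that follows the square-bracket rule from pam.conf(5), to confirm that the line in the question yields one cue_prompt argument and to show what the same line becomes without the brackets. The function names, the PAGE_OPTIONS set (only the options named on this page) and the unbracketed sample line are constructed for illustration.

```python
# Added example (not libpam or pam_u2f code): tokenize a PAM line per pam.conf(5).
# Options named on this page only; pam_u2f accepts more than these.
PAGE_OPTIONS = {"cue", "cue_prompt", "interactive", "prompt",
                "debug", "debug_file", "nodetect"}

def split_pam_fields(line):
    """Split on whitespace, keeping a [bracketed field] as one token."""
    fields, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == "[":
            i, buf = i + 1, []
            while i < n and line[i] != "]":
                if line[i] == "\\" and line[i + 1:i + 2] == "]":
                    i += 1              # "\]" stands for a literal "]"
                buf.append(line[i])
                i += 1
            if i == n:
                raise ValueError("unterminated '[' in PAM line")
            fields.append("".join(buf))
            i += 1                      # step over the closing "]"
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            fields.append(line[i:j])
            i = j
    return fields

def parse_pam_line(line):
    """Return (type, control, module, options) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind, control, module, *args = split_pam_fields(line)
    options = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        options[key] = value if sep else True   # bare flags map to True
    return kind, control, module, options

def unexpected_options(options):
    """Option names not mentioned on this page, e.g. words of an unquoted prompt."""
    return sorted(set(options) - PAGE_OPTIONS)

# Line from the question, then a constructed variant without the brackets.
QUOTED = "auth sufficient pam_u2f.so cue [cue_prompt=Tap the Yubikey to sudo]"
UNQUOTED = "auth sufficient pam_u2f.so cue cue_prompt=Tap the Yubikey to sudo"
```

With the brackets the prompt text stays one argument; without them the prompt is cut to its first word and the remaining words reach the module as separate, unknown options.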