Problem using pam_u2f


Hello,
I am trying to get my YubiKey 5 NFC to work with sudo.
In /etc/pam.d/common-auth I have:

auth    required                        pam_faillock.so preauth # Added to enable faillock
auth	[success=1 default=ignore]	pam_unix.so nullok
auth    [default=die]                   pam_faillock.so authfail # Added to enable faillock
auth    sufficient                      pam_faillock.so authsucc # Added to enable faillock
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so 

and in /etc/pam.d/sudo I put:

session    required   pam_limits.so

@include common-auth

auth	required	pam_u2f.so debug cue origin=pam://headquarters

@include common-account
@include common-session-noninteractive

The trouble is that in the logs there is no trace at all of pam_u2f being called:

2024-02-06T09:49:10.095944+01:00 dsrvtest03 sudo:   zargos : TTY=pts/1 ; PWD=/home/zargos ; USER=root ; COMMAND=/usr/bin/apt update
2024-02-06T09:49:10.098156+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
2024-02-06T09:49:16.738858+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session closed for user root
2024-02-06T09:51:17.938768+01:00 dsrvtest03 sudo:   zargos : TTY=pts/1 ; PWD=/home/zargos ; USER=root ; COMMAND=/usr/bin/apt search yubikey
2024-02-06T09:51:17.941699+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
2024-02-06T09:51:18.595557+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session closed for user root
2024-02-06T09:51:45.349404+01:00 dsrvtest03 sudo:   zargos : TTY=pts/1 ; PWD=/home/zargos ; USER=root ; COMMAND=/usr/bin/apt search yubikey
2024-02-06T09:51:45.350487+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
2024-02-06T09:51:45.996641+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session closed for user root
2024-02-06T09:54:22.726269+01:00 dsrvtest03 sudo:   zargos : TTY=pts/1 ; PWD=/home/zargos ; USER=root ; COMMAND=/usr/bin/apt update
2024-02-06T09:54:22.727116+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
2024-02-06T09:54:25.910653+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session closed for user root
2024-02-06T09:54:56.206595+01:00 dsrvtest03 sudo:   zargos : TTY=pts/1 ; PWD=/home/zargos ; USER=root ; COMMAND=/usr/bin/apt update
2024-02-06T09:54:56.207410+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
2024-02-06T09:54:59.648631+01:00 dsrvtest03 sudo: pam_unix(sudo:session): session closed for user root

Well, I found it:
The pam_u2f line in /etc/pam.d/sudo must come before the includes.
That way I get not only the FIDO2 authentication but then the password as well.

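The ordering matters because of how the included common-auth stack ends: once pam_unix accepts the password, `[success=1 default=ignore]` jumps over the `authfail` line to `auth sufficient pam_faillock.so authsucc`, and a `sufficient` module that succeeds with no earlier `required` failure makes PAM return success to sudo immediately, so nothing placed after `@include common-auth` in /etc/pam.d/sudo ever runs. The following is an added example, not code from the original post: a small POSIX shell check that reports whether the pam_u2f auth line in a given PAM service file precedes every `@include` and every `sufficient` auth line. The two sample files it writes are constructed from the configurations quoted above (the broken order and the corrected one); the `pam://headquarters` origin is simply the value the post uses.

```shell
#!/bin/sh
# Added example: lint the module order of a PAM service file so that a
# second factor (pam_u2f.so) cannot be skipped by an earlier short-circuit.
# Exit 0 when the pam_u2f auth line comes before any "@include" and before
# any "auth sufficient" line; exit 1 otherwise. Argument: path to the file.
u2f_order_ok() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # skip comments, blanks
    $1 == "@include"                      { if (!seen_u2f) bad = 1 }  # included stack may end auth early
    $1 == "auth" && $2 == "sufficient"    { if (!seen_u2f) bad = 1 }  # sufficient success returns at once
    $1 == "auth" && $0 ~ /pam_u2f\.so/    { seen_u2f = 1 }
    END { exit (seen_u2f && !bad) ? 0 : 1 }
  ' "$1"
}

# Constructed sample files (temporary), mirroring the post's two versions.
broken=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$broken" "$fixed"' EXIT

# Original order: pam_u2f sits after @include common-auth and is never reached.
cat >"$broken" <<'EOF'
session    required   pam_limits.so

@include common-auth

auth	required	pam_u2f.so debug cue origin=pam://headquarters

@include common-account
@include common-session-noninteractive
EOF

# Corrected order: pam_u2f runs first, then the password stack from common-auth.
cat >"$fixed" <<'EOF'
session    required   pam_limits.so

auth	required	pam_u2f.so debug cue origin=pam://headquarters

@include common-auth
@include common-account
@include common-session-noninteractive
EOF

# Stand-alone demonstration; written in if/else form so it is safe under set -e.
for f in "$broken" "$fixed"; do
  if u2f_order_ok "$f"; then
    echo "$f: pam_u2f is evaluated before any early exit"
  else
    echo "$f: pam_u2f can be skipped (comes after an @include or a sufficient line)"
  fi
done
```

Run it against /etc/pam.d/sudo after editing (`u2f_order_ok /etc/pam.d/sudo`) and confirm with a real `sudo -k; sudo true` that the key is prompted for before the password; with `debug` on the pam_u2f line, its messages then appear in the same log where only pam_unix entries were visible before.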