nixos/pam: Include the "cue" option to the pam_u2f.so invocation. #45905

Closed
wants to merge 1 commit into from

Conversation

AmandaCameron
Contributor

Motivation for this change

This makes it clear to the user that they are expected to touch the button on their U2F token to do the action that they're requesting.

I'm having some trouble finding resources for how to test this, so as of yet it's untested, however since it's just a string change I'm not sure there would be any issues.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

This makes it much clearer to the user what's happening, and that they
need to touch the u2f token.
@xeji
Contributor

xeji commented Sep 1, 2018

What's your specific use case that motivated this change? And how exactly does it change system behavior compared to the current situation?

@AmandaCameron
Contributor Author

I've configured sudo to verify my action with my u2f token, however occasionally I'll forget that I did that, or hit the token too soon before it's being requested, and thus the sudo command just hangs there for a while, eventually just timing out.

By default the pam_u2f.so module doesn't output any message, or show any prompt at all. The cue argument passed to it makes it show a prompt in the console, or in the gdm / polkit authorisation dialogs (though neither of those cases actually work atm due to #21860 seeming to have fallen through the cracks).

@xeji
Contributor

xeji commented Sep 1, 2018

Thanks for explaining.

I'm having some trouble finding resources for how to test this, so as of yet it's untested,

Why can't you test this with your u2f token? At least a console message should work.

@AmandaCameron
Contributor Author

I just now managed to figure out how to replace the pam.nix with my fork's version (disabledModules + import) and here's the before and after -- in the "before" I tapped the u2f token after a couple seconds, then my echo "foo" went through, on the second you can see the prompt added by cue.
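
An added example (not code from this PR or from nixpkgs) of the disabledModules + import approach mentioned above, used to test a forked pam.nix on a NixOS host with the U2F token required for sudo. The fork path is a placeholder, and the security.pam options used are assumed to exist in the imported module.

```nix
# Added example: swap the stock pam.nix for a fork's copy and require
# the U2F token for sudo so the effect of the change can be observed.
{ config, lib, pkgs, ... }:

let
  # Placeholder: local checkout of the nixpkgs fork that carries the modified pam.nix.
  nixpkgsFork = /path/to/your/nixpkgs-fork;
in
{
  # Disable the pam module shipped with the system's own nixpkgs ...
  disabledModules = [ "security/pam.nix" ];

  # ... and import the forked module in its place (path + string yields a path).
  imports = [ (nixpkgsFork + "/nixos/modules/security/pam.nix") ];

  # Assumed to exist in the imported module: enable pam_u2f.so in the sudo
  # PAM stack. The per-user key mappings for pam_u2f are generated separately
  # with pamu2fcfg; with a token registered, running `sudo true` in a console
  # lets you compare the prompt behaviour before and after the module change.
  security.pam.services.sudo.u2fAuth = true;
}
```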

@vlaci
Contributor

vlaci commented Sep 23, 2018

I have extended the builtin u2f module with an option to make such customization possible. In my opinion it would be much more flexible to implement configuration options for passing arbitrary arguments to PAM modules.

@kalbasit
Member

I'm going to close this pull request as a duplicate of #11886 and #40455
