
I have configured

auth sufficient pam_u2f.so cue [cue_prompt=Tap the Yubikey to sudo]

in /etc/pam.d/sudo to be able to sudo by touching my YubiKey. When running a script it might be easy to miss the LED indicator on the key, so I configured cue and cue_prompt to print an equivalent of the [sudo] Password for user: prompt shown when using the password.

No cue is ever printed; it behaves as if the two options had not been configured. The options are correct according to https://developers.yubico.com/pam-u2f/. The docs don't say which version they belong to (that would just be too easy), so maybe there's a mismatch and they're no longer, or not yet, supported.

I'm using libpam-u2f 1.1.0-1.1build1 on Ubuntu 23.10.

1 Answer


I reverse-engineered the meaning of the docs by trial and error and came to the following conclusion:

  1. The meaning of cue remains a mystery, as does the difference between interactive and cue. Based on the description, cue is what I want; it does not show cue_prompt, though.
  2. Using interactive and prompt comes very close to what I want. There's just the annoyance that I need to press Enter before I can tap the YubiKey.

debug debug_file=stderr contains no information about whether the prompt is supposed to be invoked or not.

In the description of nodetect there's mention of preventing the authentication stack from being exposed in output which might end up on the internet unintentionally. This is a good point, which makes me question my idea of showing the prompt.
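An added example, not code from the question or the answer: a POSIX shell script that tokenises a PAM service file the way PAM does (whitespace-separated fields, with a [bracketed] run joined into one argument) and reports exactly which arguments reach pam_u2f.so. It rules out a quoting or bracket mistake in the line before a version mismatch is suspected; it cannot tell why the module then stays silent. The sample file it writes is constructed for the demo and is not the asker's real /etc/pam.d/sudo; mktemp and grep -x are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original post): show the arguments that
# /etc/pam.d/<service> actually hands to pam_u2f.so, honouring PAM's
# [bracket] quoting for arguments that contain spaces.
set -eu
set -f   # no globbing: tokens such as '>=' or '*' must stay literal

# Print every argument given to pam_u2f.so in file $1, one per line.
# "[cue_prompt=Tap the Yubikey to sudo]" becomes the single argument
# "cue_prompt=Tap the Yubikey to sudo", which is what PAM delivers.
pam_u2f_args() {
  _pamfile=$1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}        # drop leading blanks
    case $line in ''|'#'*|'@'*) continue ;; esac # blank, comment, @include
    set --                                       # positional params = tokens
    buf=
    for tok in $line; do
      if [ -n "$buf" ]; then
        buf="$buf $tok"                          # still inside a [...] run
      else
        case $tok in
          '['*) buf=$tok ;;                      # a [...] run starts here
          *)    set -- "$@" "$tok"; continue ;;  # ordinary token
        esac
      fi
      case $buf in
        *']') buf=${buf#\[}; set -- "$@" "${buf%]}"; buf= ;;
      esac
    done
    [ $# -gt 3 ] || continue                     # type control module args...
    case $3 in
      pam_u2f.so|*/pam_u2f.so) shift 3; printf '%s\n' "$@" ;;
    esac
  done < "$_pamfile"
}

# Print the value of option $2 (e.g. cue_prompt) from the pam_u2f.so line
# of file $1; return 1 if the option is absent. Values containing
# backslashes would be mangled by the unquoted here-document (assumption:
# prompts are plain text).
pam_u2f_opt_value() {
  while IFS= read -r arg; do
    case $arg in "$2="*) printf '%s\n' "${arg#"$2="}"; return 0 ;; esac
  done <<EOF
$(pam_u2f_args "$1")
EOF
  return 1
}

# True when the bare flag $2 (cue, interactive, nodetect, ...) is set.
pam_u2f_has_flag() {
  pam_u2f_args "$1" | grep -qx -- "$2"
}

# Constructed sample, not a real /etc/pam.d/sudo: the line from the question,
# the interactive+prompt variant from the answer (commented out), plus a
# bracketed control field and an @include that must not confuse the parser.
sample_pam_file() {
  _f=$(mktemp)
  cat > "$_f" <<'EOF'
#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
auth       sufficient pam_u2f.so cue [cue_prompt=Tap the Yubikey to sudo]
#auth      sufficient pam_u2f.so interactive [prompt=Tap the Yubikey to sudo]
@include common-auth
EOF
  printf '%s\n' "$_f"
}

# Usage: sh pam-u2f-args.sh [/etc/pam.d/sudo]; without an argument the
# constructed sample is used and removed afterwards.
file=${1:-$(sample_pam_file)}
printf 'pam_u2f.so arguments in %s:\n' "$file"
pam_u2f_args "$file"
if v=$(pam_u2f_opt_value "$file" cue_prompt); then
  printf 'cue_prompt is set to: %s\n' "$v"
else
  printf 'cue_prompt is not set\n'
fi
[ -n "${1-}" ] || rm -f "$file"
```

Run it against the real service file with `sh pam-u2f-args.sh /etc/pam.d/sudo` as a user who can read it; if `cue_prompt` comes out as a single argument with the full text, the PAM side is fine and the remaining question is whether the installed module honours it, which is what `dpkg-query -W libpam-u2f` and the debug output have to answer.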