Conversation
Add support for storing an encrypted auth token in u2f_keys. The auth token is passed to PAM and may be used by other PAM modules. The encryption key is derived using the FIDO2 hmac-secret extension.
Debug log whether authtok is enabled and when token descryption is successful. Yubico#294 (comment)
`brew` has for some time packaged libfido2. We can use those builds to simplify our pipeline. Ensure linking to the same OpenSSL version as libfido2 through `brew deps`.
For some reason, openssl@3 is sometimes not listed as "installed". Be less restrictive and list all dependencies regardless of their currently perceived state by brew.
Add preprocessor constant `DEVLIST_LEN` to replace magic number 64 in allocations of device info list.
- Attempting to install `pkg-config` or `pkgconf` results in brew complaining about conflicts. Rely on whatever version already present. - macos-14 seemingly needs an explicit libtool install.
CodeQL action v2 will be deprecated on 2024-12-05.
Under Linux the read call seems to accept NULL as a parameter:
$ cat try.c
#include <unistd.h>
#include <err.h>
int main(void)
{
int i = read(0, NULL, 4);
err(1, "read");
return 0;
}
$ make try
cc try.c -o try
$ ./try </dev/random
try: read: Bad address
Such behaviour is not specified by POSIX, so we should
catch it.
Since we are at it, catching read(-1, ...) is probably a good
idea, since code that does that is arguably wrong.
Instead, use more meaningful status codes:
- PAM_SYSTEM_ERR if getpwuid_r(), gethostname(), or
pam_modutil_{drop,regain}_priv() fails;
- PAM_BUF_ERR if memory allocation routines fails; and
- PAM_ABORT for any uncaught errors.
This commit is part of a fix for YSA-2025-01 / CVE-2025-23013.
Move PAM return value handling to get_devices_from_authfile(): If `nouserok` is set, return - PAM_IGNORE if open() returns ENOENT; - PAM_IGNORE if user is not found in the authfile; - PAM_IGNORE if user is found in the but have no credentials; - PAM_AUTHINFO_UNAVAIL otherwise. If `nouserok` is *not* set, return - PAM_USER_UNKNOWN if user is not found in the authfile; - PAM_USER_UNKNOWN if user is found but have no credentials; - PAM_AUTHINFO_UNAVAIL otherwise. This commit is part of a fix for YSA-2025-01 / CVE-2025-23013.
This simplifies reasoning about the return value in pam_sm_authenticate(). Function returns PAM_SUCCESS if successful, PAM_AUTH_ERR otherwise.
autoconf/automake/libtool are only needed if building from git, as the dist tarball is not depending on autotools. The reference to GNU Autotools has been moved under "Building from Git", since this detail is interesting only for those who clone the project.
While fixing terminology, I noticed redundant variations of the same logging message in strings(1). This is not very important, but less is more.
Ensure path is absolute if provided (the script would fail if FAKEROOT is supplied as relative path) Erase FAKEROOT before exiting if created with `mktemp -d`
Split options on multiple lines and sort Invoke 'cmake --build' instead of 'make' (drop assumptions on underlying build system) Drop pushd/popd in favour of supplied build and source directories. Use subshell when necessary. Cache `nproc` into a variable
Use ninja for faster build. Drop autoconf/automake/libtool from workflow dependencies, and add ninja.
The current revision of the script does not use any bashism nor pipes that require 'pipefail'. We can downgrade to the plain sh interpreter.
This fixes the following warning by libfuzzer: WARNING: no interesting inputs were found so far. Is the code instrumented for coverage?
- clone libfido2 and libcbor only if not previously done - libcbor is patched with libfido2/fuzz/README only on first clone - use existing corpus if available
Generate the file-level coverage summary report (`llvm-cov report`) and print it on stdout. Optionally generate the line-oriented coverage report (`llvm-cov show`). This is enabled if the WITH_COVERAGE_REPORT environment variable is defined. The report will be generated in a directory called "cov-report" under $WORKDIR.
The release procedure assumes that gpg will not armor the detached signature. The assumption might turn out wrong if the user sets the `armor` option in their ~/.gnupg/gpg.conf.
Will be removed by GitHub 2025-04-01.
afoxman
commented
Dec 20, 2025
| int debug; | ||
| int verbose; | ||
| int nouser; | ||
| int authtok; |
Owner
Author
There was a problem hiding this comment.
authtok covered, the rest were removed
afoxman
commented
Dec 20, 2025
| { "verbose", no_argument, NULL, 'v' }, | ||
| { "username", required_argument, NULL, 'u' }, | ||
| { "nouser", no_argument, NULL, 'n' }, | ||
| { "authtok", no_argument, NULL, 'a' }, |
Owner
Author
There was a problem hiding this comment.
added authtok as password, ditched the pam args
afoxman
commented
Dec 20, 2025
| " authenticator, defaults to the current user name\n" | ||
| " -n, --nouser Print only registration information (key handle,\n" | ||
| " public key, and options), useful for appending\n" | ||
| " -a, --authtok Read a PAM auth token (usually a password) that\n" |
afoxman
commented
Dec 20, 2025
| "\n" | ||
| "Report bugs at <" PACKAGE_BUGREPORT ">.\n"; | ||
| /* clang-format on */ | ||
| char *saveptr = NULL; |
afoxman
commented
Dec 20, 2025
| args->pam_pinverification = -1; | ||
|
|
||
| while ((c = getopt_long(argc, argv, "ho:i:t:rPNVdvu:n", options, NULL)) != | ||
| while ((c = getopt_long(argc, argv, "ho:i:t:rPNVdvu:nap:", options, NULL)) != |
afoxman
commented
Dec 20, 2025
| case 'n': | ||
| args->nouser = 1; | ||
| break; | ||
| case 'a': |
Owner
Author
There was a problem hiding this comment.
covered as password, not authtok. removed pam stuff
afoxman
commented
Dec 20, 2025
| size_t enc_authtok_len = 0; | ||
|
|
||
| parse_args(argc, argv, &args); | ||
| if (args.authtok && args.no_user_presence) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.