https://bugzilla.redhat.com/show_bug.cgi?id=1283296

--- Comment #7 from Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> ---
> Where can the environment variable DEFAULT_AUTHFILE_DIR_VAR come from?

So, this module uses a number of environment variables
($DEFAULT_AUTHFILE_DIR_VAR, $XDG_CONFIG_HOME at least).

To try it out, I added
"auth require pam_u2f.so debug origin=pam://$HOSTNAME appid=pam://$HOSTNAME"
as the first line in /etc/pam.d/su-l, and then I run:

$ su -
[pam-u2f.c:parse_cfg(48)] called.
[pam-u2f.c:parse_cfg(49)] flags 0 argc 3
[pam-u2f.c:parse_cfg(51)] argv[0]=debug
[pam-u2f.c:parse_cfg(51)] argv[1]=origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(51)] argv[2]=appid=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(52)] max_devices=0
[pam-u2f.c:parse_cfg(53)] debug=1
[pam-u2f.c:parse_cfg(54)] interactive=0
[pam-u2f.c:parse_cfg(55)] cue=0
[pam-u2f.c:parse_cfg(56)] manual=0
[pam-u2f.c:parse_cfg(57)] nouserok=0
[pam-u2f.c:parse_cfg(58)] alwaysok=0
[pam-u2f.c:parse_cfg(59)] authfile=(null)
[pam-u2f.c:parse_cfg(60)] origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(61)] appid=pam://$HOSTNAME
[pam-u2f.c:pam_sm_authenticate(124)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(142)] Requesting authentication for user root
[pam-u2f.c:pam_sm_authenticate(153)] Found user root
[pam-u2f.c:pam_sm_authenticate(154)] Home directory for root is /root
[pam-u2f.c:pam_sm_authenticate(161)] Variable XDG_CONFIG_HOME is not set. Using default value ($HOME/.config/)
[pam-u2f.c:pam_sm_authenticate(193)] Using default authentication file /root/.config/Yubico/u2f_keys
[util.c:get_devices_from_authfile(34)] Cannot open file: /root/.config/Yubico/u2f_keys (No such file or directory)
[pam-u2f.c:pam_sm_authenticate(211)] Unable to get devices from file /root/.config/Yubico/u2f_keys
[pam-u2f.c:pam_sm_authenticate(259)] done. [Authentication service cannot retrieve authentication info]
Password:

Question: I'd expect the auth process to fail, since "require" is used.
In the logs I see:

Dec 06 19:38:28 rawhide su[9137]: PAM pam_parse: expecting return value; [...require]

Looks like an error in the module.

Then I run:

$ XDG_CONFIG_HOME=/home/test su -
[pam-u2f.c:parse_cfg(48)] called.
[pam-u2f.c:parse_cfg(49)] flags 0 argc 3
[pam-u2f.c:parse_cfg(51)] argv[0]=debug
[pam-u2f.c:parse_cfg(51)] argv[1]=origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(51)] argv[2]=appid=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(52)] max_devices=0
[pam-u2f.c:parse_cfg(53)] debug=1
[pam-u2f.c:parse_cfg(54)] interactive=0
[pam-u2f.c:parse_cfg(55)] cue=0
[pam-u2f.c:parse_cfg(56)] manual=0
[pam-u2f.c:parse_cfg(57)] nouserok=0
[pam-u2f.c:parse_cfg(58)] alwaysok=0
[pam-u2f.c:parse_cfg(59)] authfile=(null)
[pam-u2f.c:parse_cfg(60)] origin=pam://$HOSTNAME
[pam-u2f.c:parse_cfg(61)] appid=pam://$HOSTNAME
[pam-u2f.c:pam_sm_authenticate(124)] Maximum devices number not set. Using default (24)
[pam-u2f.c:pam_sm_authenticate(142)] Requesting authentication for user root
[pam-u2f.c:pam_sm_authenticate(153)] Found user root
[pam-u2f.c:pam_sm_authenticate(154)] Home directory for root is /root
[pam-u2f.c:pam_sm_authenticate(178)] Variable XDG_CONFIG_HOME set to /home/test
[pam-u2f.c:pam_sm_authenticate(193)] Using default authentication file /home/test/Yubico/u2f_keys
[util.c:get_devices_from_authfile(34)] Cannot open file: /home/test/Yubico/u2f_keys (No such file or directory)
[pam-u2f.c:pam_sm_authenticate(211)] Unable to get devices from file /home/test/Yubico/u2f_keys
[pam-u2f.c:pam_sm_authenticate(259)] done. [Authentication service cannot retrieve authentication info]
Password:

As you can see, "Requesting authentication for user root", but it's happy to
read configuration from a user specified file. This doesn't seem right.