
Handle Ctrl+C to abort "Please touch the device" prompt

Open max-baz opened this issue 7 years ago • 12 comments

  • Run "sudo -s"
  • See "Please touch the device" prompt
  • Press Ctrl+C to change your mind and abort.

Expected: command is aborted immediately

Actual: command hangs until you touch the device or it times out.

This has been on my wish-list for so long, I would be really happy to see this implemented. I can try implementing it as well, if you could give me some pointers?

max-baz • Nov 16 '18 19:11

Point is, the "Please touch the device" prompt does not even show until you successfully authenticated. At least here on Ubuntu disco. That msg is useless as is.

corbolais • Oct 05 '19 17:10

+1 for this.

Also happy to help implement.

loshz • Dec 28 '20 13:12

@corbolais That is not the case for me, and certainly a different issue to this anyway.

OJFord • Jun 14 '21 10:06

Point is, the "Please touch the device" prompt does not even show until you successfully authenticated. At least here on Ubuntu disco. That msg is useless as is.

Are you using cue_prompt?

e.g.:

auth		sufficient	pam_u2f.so authfile=/etc/u2f_keys cue [cue_prompt=🔐 Waiting for key...]

WhyNotHugo • Jul 10 '21 20:07

Point is, the "Please touch the device" prompt does not even show until you successfully authenticated. At least here on Ubuntu disco. That msg is useless as is.

Are you using cue_prompt?

e.g.:

auth		sufficient	pam_u2f.so authfile=/etc/u2f_keys cue [cue_prompt=🔐 Waiting for key...]

Yes, I am:

auth      required pam_u2f.so authfile=.ssh/u2f_keys [prompt=Please insert your FIDO2 device, then press ENTER.] interactive cue [cue_prompt=Please touch your FIDO2 device now.] nodetect

corbolais • Jul 10 '21 20:07

I've resorted to using pkexec as a workaround (e.g.: pkexec whoami). The agent gives a GUI prompt which you can dismiss, and get your shell back.

E.g.: Instead of Ctrl+C, I just use Esc on the GUI prompt.

I'm sure there's a way to get a polkit prompt in the terminal, but I already have this set up for things like gparted anyway.

WhyNotHugo • Sep 02 '21 21:09

The workaround timeout 1m sudo helps -- if you remember to use it. The timeout is configurable, and conveniently falls back to the regular sudo password prompt afterwards. See also #25.

joelpurra • Oct 15 '22 14:10

That still leaves the key locked for 1m.

My workaround has been to press Ctrl+C and then tap the key. PAM authentication succeeds, but sudo never executes the requested command anyway.

WhyNotHugo • Oct 15 '22 14:10

2023, still an issue :disappointed:

ckdarby • Jan 29 '23 21:01

I only have enough C programming knowledge to be dangerous, but I took a look at what it would take to support Ctrl+C when using pam-u2f with sudo. As a proof-of-concept this change worked for me:

  • https://github.com/Yubico/pam-u2f/pull/315

However, in the process I discovered why that naive approach is actually a bad idea (see the linked PR for details). I have no plans to continue the change forward myself, but I wanted to write up my findings to leave breadcrumbs for the next person.

mkropat • Apr 04 '24 04:04