
policykit-1 127-1 corrupts pam_usb one-time pad

Open KeyofBlueS opened this issue 3 months ago • 0 comments

Which version of pam_usb are you running?

pamusb-nightly-20251218

Which distribution are you using?

Debian Sid

Which login manager and desktop environment are you using?

lightdm, XFCE 4.20

What happened?

Hello!

After upgrading policykit-1 to version 127-1, starting any application that relies on PolicyKit results in corruption of the one-time pad file on the USB authentication device (the file is truncated to 0 KB). Authentication for the PolicyKit-based application itself fails as well. Once this happens, all subsequent authentication attempts, including those using sudo, also fail with the following output:

$ sudo somecommand
* Authentication request for user "username" (sudo)
* Searching for "USBDEVICE" in the hardware database...
* Authentication device "USBDEVICE" is connected.
* Performing one time pad verification...
* Pad checking failed!
* Access denied.

Authentication can only be restored by manually resetting the pads using: sudo pamusb-conf --reset-pads=username

After resetting the pads, sudo authentication works normally again until another PolicyKit-based application is launched, at which point the pad file is corrupted again and the issue reoccurs.

Additional information: downgrading policykit-1 from version 127-1 to 126-2 fully resolves the issue. After downgrading the following packages (polkitd, pkexec, libpolkit-gobject-1-0, libpolkit-agent-1-0, and gir1.2-polkit-1.0), PolicyKit-based authentication no longer corrupts the pad file, and pam_usb authentication continues to work as expected.

Output of "pamusb-check --debug `whoami`"

$ pamusb-check --debug `whoami`
* Authentication request for user "username" (pamusb-check)
[src/local.c:281] Checking whether the caller (pamusb-check) is local or not...
[src/local.c:298] 	Checking pid 674689 (pamusb-check)...
[src/local.c:298] 	Checking pid 673653 (bash)...
[src/local.c:298] 	Checking pid 151769 (/usr/bin/xfce4-terminal)...
[src/local.c:298] 	Checking pid      1 (/sbin/init)...
[src/local.c:341] 	Using DISPLAY :0.0 for utmp search
[src/local.c:346] 	DISPLAY contains screen, truncating...
[src/local.c:053] 	No utmp entry found for tty ":0"
[src/local.c:355] 	Trying to get tty from display server
[src/local.c:119] 	Determining tty by display server failed (running 'pamusb-check' as user?)
[src/local.c:365] 		Failed, no result while trying to get TTY from display server
[src/local.c:370] 	Trying to get tty by DISPLAY
[src/local.c:378] 		Failed, no result while searching utmp for display :0 owned by user username
[src/local.c:394] 	Trying to check for remote access by loginctl
[src/local.c:250] 		loginctl considers this session to be remote: no
[src/local.c:399] 	loginctl says this session is local
[src/local.c:443] No remote access detected, seems to be local request - allowing.
* Searching for "USBDEVICE" in the hardware database...
* Authentication device "USBDEVICE" is connected.
* Performing one time pad verification...
[src/volume.c:105] Searching for volume with uuid 2D13-5D84.
[src/volume.c:132] Found mount points: /run/media/username/usbdevice
[src/volume.c:149] Found volume 2D13-5D84.
[src/volume.c:176] Volume 2D13-5D84 is already mounted.
[src/pad.c:317] Loading device pad...
* Can't read device pad!
* Pad checking failed!
* Access denied.

Output of "w"

$ w
 16:39:01 up 48 min,  1 user,  load average: 0,61, 0,66, 0,81
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
username          -                15:55           0.00s   ?    lightdm --session-child 13 16

Output of "loginctl"

$ loginctl
SESSION  UID USER       SEAT  LEADER CLASS   TTY IDLE SINCE
      1 1000 username   seat0 2035   user    -   no   -    
      2 1000 username   -     2057   manager -   no   -    

2 sessions listed.

KeyofBlueS, Dec 18 '25 15:12