ChallengeResponse authentication fails on screensaver

Bug #1619280 reported by Ilias Bartolini
This bug affects 1 person
Affects Status Importance Assigned to Milestone
yubico-pam (Ubuntu)

Bug Description

I'm currently using yubikey as 2nd factor authentication with "challenge-response" method.
After locking the desktop screen I'm currently unable to login again from gnome-screensaver.

Using Ubuntu 16.04 current version of libpam-yubico is 2.20-1

I tracked down the bug to this one already fixed upstream in version 2.22:

Detailed example to reproduce:
eg. my /etc/pam.d/common-auth contains
#auth required mode=challenge-response chalresp_path=/var/yubico

After authentication in gdm or textual login screen the challenge response file permission get changed to the one of the process that is authenticating (root-root).

My initial permission of the challenge file
-rw------- 1 root root

If I change permissions to
-rw------- 1 my-user my-user
the lockscreen authentication works again correctly.

As soon as I login again from gdm the permissions go back to:
-rw------- 1 root root

description: updated
description: updated
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers