Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow concatenating u2f_keys #305

Closed
wants to merge 1 commit into from
Closed

Allow concatenating u2f_keys #305

wants to merge 1 commit into from

Conversation

TomMD
Copy link

@TomMD TomMD commented Oct 10, 2023

The u2f_keys parsing is pretty harsh and requires sed or manual editing, making it unfriendly to scripts.

Recall the format is:

<username>:<cose>:<pubkey>...:<cose2>:<pubkey2>:...

If the same username appears more than once then the prior lines are ignored (well, parsed by later discarded). Instead, just allow separate lines. In addition to being backward compatible, there is a nice sysadmin-friendly behavior allowing concatenation. Ignore the obvious bash code nits, but effectively allowing:

pam_u2fconfig -u user >> $u2f_keys_file
# or perhaps a setup that has already collected auth info
cat auth_tokens/user/*  >> /var/yubico/u2f_keys

@TomMD
Copy link
Author

TomMD commented Oct 10, 2023

CI fails to build libfido2, which is very much not an issue with this PR but a more general problem.

@LDVG
Copy link
Contributor

LDVG commented Oct 11, 2023
edited
Loading

Hi,

Strictly speaking, this is in fact breaking current behavior. Have you considered

$ pamu2fcfg --user alice >> authfile
$ pamu2fcfg --user alice --no-user >> authfile

to register multiple credentials for a particular user?

If this is insufficient for some reason, maybe it's better for pamu2fcfg to learn how to append credentials to an existing authfile, help the user merge multiple entries, or something else.

CI fails to build libfido2, which is very much not an issue with this PR but a more general problem.

Thanks for the heads-up. We've resolved this separately through #307 .

@TomMD
Copy link
Author

TomMD commented Oct 11, 2023

Yes, it does change current behavior. "Backwards compatible" is only in the sense of allowing one line, but not allowing lines to override.

I see the proposal for --no-user but it feels clumsy since it's a auth-generation time change and keeps a format that has to be carefully constructed.

An admin working with scripts in the form:

cat authtokens/user/* >> u2f_keys

could instead use --no-user (or sed to edit existing tokens) and then:

echo -n 'user:' >> u2f_keys
cat authtokens/user/* >> u2f_keys

It seems more fragile having to create a single legal line from different inputs (user name, token 1, token 2) collected at different times.

@LDVG
Copy link
Contributor

LDVG commented Nov 3, 2023
edited
Loading

In the understanding that this would be a breaking change or requires another module option introducing additional complexity, I will close this. We can revisit changing the authfile format on a major version change. Thank you for your contributions!

@LDVG LDVG closed this Nov 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TomMD @LDVG