Create interactive prompt for use when fido device is not detected #322

Open. Wants to merge 1 commit into base: main
5 changes: 5 additions & 0 deletions README
@@ -186,6 +186,11 @@ interactive::
Set to prompt a message and wait before testing the presence of a FIDO
device. Recommended if your device doesn't have a tactile trigger.

interactivenodevice::
Set to prompt a message and wait if no FIDO device is detected.
Avoids silent authentication failures at the cost of notifying attackers
fido devices are used for authentication

[prompt=your prompt here]::
Set individual prompt message for interactive mode. Watch the square
brackets around this parameter to get spaces correctly recognized by
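Review bot: the new `interactivenodevice` entry is missing a terminal period and writes "fido" in lowercase where the entry directly above uses "FIDO"; suggest "Avoids silent authentication failures at the cost of revealing to an observer that FIDO devices are used for authentication." It would also help to state which message is shown, since the util.c change reuses `cfg->prompt` (the `[prompt=...]` option documented below) or `DEFAULT_PROMPT`, so the same text serves both interactive modes unless the reader knows to set it.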
3 changes: 3 additions & 0 deletions pam-u2f.c
@@ -59,6 +59,8 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
cfg->alwaysok = 1;
} else if (strcmp(argv[i], "interactive") == 0) {
cfg->interactive = 1;
} else if (strcmp(argv[i], "interactivenodevice") == 0) {
cfg->interactivenodevice = 1;
} else if (strcmp(argv[i], "cue") == 0) {
cfg->cue = 1;
} else if (strcmp(argv[i], "nodetect") == 0) {
@@ -100,6 +102,7 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
debug_dbg(cfg, "max_devices=%d", cfg->max_devs);
debug_dbg(cfg, "debug=%d", cfg->debug);
debug_dbg(cfg, "interactive=%d", cfg->interactive);
debug_dbg(cfg, "interactivenodevice=%d", cfg->interactivenodevice);
debug_dbg(cfg, "cue=%d", cfg->cue);
debug_dbg(cfg, "nodetect=%d", cfg->nodetect);
debug_dbg(cfg, "userpresence=%d", cfg->userpresence);
17 changes: 16 additions & 1 deletion util.c
@@ -1146,6 +1146,7 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
struct opts opts;
struct pk pk;
char *pin = NULL;
int foundauth = 0;

init_opts(&opts);
#ifndef WITH_FUZZING
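Review bot: `foundauth` is declared at function scope alongside the other locals, but the later hunk in this file sets it to 1 inside the per-device loop (the one indexing `devices[i]`) and never resets it, so once any device entry sets it the remaining iterations skip `get_authenticators()` entirely. Declare it inside the loop body, or reset it to 0 at the top of each iteration.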
@@ -1200,7 +1201,21 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
goto out;
}

if (get_authenticators(cfg, devlist, ndevs, assert,
if((cfg->interactivenodevice) && !get_authenticators(cfg, devlist, ndevs, assert,
is_resident(devices[i].keyHandle), authlist))
{
char *tmp = NULL;

tmp = converse(pamh, PAM_PROMPT_ECHO_ON,
cfg->prompt != NULL ? cfg->prompt : DEFAULT_PROMPT);

free(tmp);
}
else
{
foundauth = 1;
}
if (foundauth || get_authenticators(cfg, devlist, ndevs, assert,
is_resident(devices[i].keyHandle), authlist)) {
for (size_t j = 0; authlist[j] != NULL; j++) {
/* options used during authentication */
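Review bot: the new control flow breaks the default configuration: when `cfg->interactivenodevice` is 0 the first `if` short-circuits without calling `get_authenticators()`, the `else` branch sets `foundauth = 1`, and `foundauth || get_authenticators(...)` then short-circuits as well, so `authlist` is never populated on the normal path. A simpler and correct shape is to call `get_authenticators()` once, and only when it returns 0 and `cfg->interactivenodevice` is set, show the prompt and call it a second time. Three further points: the retry passes the same `devlist`/`ndevs` that were enumerated before the prompt, so unless `get_authenticators()` rescans internally a device plugged in during the wait will not be found; a NULL return from `converse()` (conversation failure) is freed and ignored rather than treated as an error; and `pamh` is not among the visible parameters of `do_authentication()`, so confirm it is actually in scope here. Style: `if((cfg->interactivenodevice)` needs a space after `if`, the parentheses around the field are redundant, and the braces-on-their-own-line layout differs from the `} else {` style used in the surrounding code.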
1 change: 1 addition & 0 deletions util.h
@@ -31,6 +31,7 @@ typedef struct {
int openasuser;
int alwaysok;
int interactive;
int interactivenodevice;
int cue;
int nodetect;
int userpresence;