
openSUSE Tumbleweed polkit is not working with pam_u2f #391

Description

@shuja-u

What version of pam-u2f are you using?

pamu2fcfg 1.4.0

Installed via the standard package manager:
zypper install pam_u2f

What operating system are you using?

openSUSE Tumbleweed x86_64
Linux 7.0.2-1-default
fido2-token -V: 1.16.0

What authenticator are you using?

A YubiKey 5C NFC

ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID

proto: 0x02
major: 0x05
minor: 0x07
build: 0x04
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1
extension strings: credProtect, hmac-secret, largeBlobKey, credBlob, minPinLength
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key), es384 (public-key)
aaguid: d7781e5de35346aaafe23ca49f13332a
options: rk, up, noplat, noalwaysUv, credMgmt, authnrCfg, clientPin, largeBlobs, pinUvAuthToken, setMinPINLength, makeCredUvNotRqd, credentialMgmtPreview
fwversion: 0x50704
maxmsgsiz: 1536
maxcredcntlst: 8
maxcredlen: 128
maxcredblob: 32
maxlargeblob: 4096
maxrpids in minpinlen: 1
remaining rk(s): 100
minpinlen: 4
pin protocols: 2, 1
pin retries: 8
pin change required: false
uv retries: undefined

Problem description

I've got my Yubikey set up as the primary means of authentication for gdm and sudo. They both work fine. I can't get it to work with polkit though. I have already tried the solution mentioned in #389; it works for my Ubuntu installation but not for my Tumbleweed installation.

My current setup was achieved by first running the following command as both myself and the root user:
pamu2fcfg > ~/.config/Yubico/u2f_keys

Doing it as root is unnecessary on other distributions, but it wouldn't work for sudo without it on Tumbleweed.

The contents of /etc/pam.d/polkit-1 are:

#%PAM-1.0
auth    sufficient    pam_u2f.so	cue	debug	debug_file=syslog
auth       include      common-auth
account    include      common-account
password   include      common-password
session    include      common-session
session    optional     pam_keyinit.so revoke [force]

Here are the logs:

May 07 20:40:17 localhost.localdomain systemd[1]: Created slice Slice /system/polkit-agent-helper.
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:272 (cfg_init): called.
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:273 (cfg_init): flags 0 argc 3
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[0]=cue
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[1]=debug
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[2]=debug_file=syslog
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:277 (cfg_init): max_devices=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:278 (cfg_init): debug=1
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:279 (cfg_init): interactive=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:280 (cfg_init): cue=1
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:281 (cfg_init): nodetect=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:282 (cfg_init): userpresence=-1
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:283 (cfg_init): userverification=-1
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:284 (cfg_init): pinverification=-1
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:285 (cfg_init): manual=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:286 (cfg_init): nouserok=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:287 (cfg_init): openasuser=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:288 (cfg_init): alwaysok=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:289 (cfg_init): sshformat=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:290 (cfg_init): expand=0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:291 (cfg_init): authfile=(null)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:292 (cfg_init): authpending_file=(null)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:294 (cfg_init): origin=(null)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:295 (cfg_init): appid=(null)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): cfg.c:296 (cfg_init): prompt=(null)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:122 (pam_sm_authenticate): Origin not specified, using "pam://localhost.localdomain"
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:134 (pam_sm_authenticate): Appid not specified, using the value of origin (pam://localhost.localdomain)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:147 (pam_sm_authenticate): Maximum number of devices not set. Using default (24)
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:170 (pam_sm_authenticate): Requesting authentication for user root
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:181 (pam_sm_authenticate): Found user root
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:182 (pam_sm_authenticate): Home directory for root is /root
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:57 (resolve_authfile_path): Variable XDG_CONFIG_HOME is not set, using default
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:208 (pam_sm_authenticate): Using authentication file /root/.config/Yubico/u2f_keys
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:214 (pam_sm_authenticate): Dropping privileges
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:220 (pam_sm_authenticate): Switched to uid 0
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): util.c:701 (get_devices_from_authfile): Cannot open authentication file: Permission denied
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:230 (pam_sm_authenticate): Restored privileges
May 07 20:40:17 localhost.localdomain polkit-agent-helper-1[13021]: debug(pam_u2f): pam-u2f.c:319 (pam_sm_authenticate): done. [Authentication service cannot retrieve authentication info]
May 07 20:40:24 localhost.localdomain polkit-agent-helper-1[13021]: pam_unix(polkit-1:auth): conversation failed
May 07 20:40:24 localhost.localdomain polkit-agent-helper-1[13021]: pam_unix(polkit-1:auth): auth could not identify password for [root]
May 07 20:40:24 localhost.localdomain polkitd[5195]: Operator of unix-session:1 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:12467:167850 [/bin/bash] (owned by unix-user:shuja)
May 07 20:40:24 localhost.localdomain pkexec[13015]: shuja: Error executing command as another user: Request dismissed [USER=root] [TTY=/dev/pts/2] [CWD=/etc/pam.d] [COMMAND=/bin/bash]
May 07 20:40:24 localhost.localdomain systemd[1]: polkit-agent-helper@0-1-5625_21106-1000.service: Main process exited, code=exited, status=1/FAILURE
May 07 20:40:24 localhost.localdomain systemd[1]: polkit-agent-helper@0-1-5625_21106-1000.service: Failed with result 'exit-code'.

It looks like it's unable to read the authfile, I even tried setting the openasuser option and got the same error.

When I move the authfile to /etc/Yubico/u2f_keys, it's able to read the file but I get a different issue. Here are the logs when I set authfile=/etc/Yubico/u2f_keys:

May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:272 (cfg_init): called.
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:273 (cfg_init): flags 0 argc 4
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[0]=authfile=/etc/Yubico/u2f_keys
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[1]=cue
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[2]=debug
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:275 (cfg_init): argv[3]=debug_file=syslog
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:277 (cfg_init): max_devices=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:278 (cfg_init): debug=1
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:279 (cfg_init): interactive=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:280 (cfg_init): cue=1
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:281 (cfg_init): nodetect=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:282 (cfg_init): userpresence=-1
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:283 (cfg_init): userverification=-1
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:284 (cfg_init): pinverification=-1
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:285 (cfg_init): manual=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:286 (cfg_init): nouserok=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:287 (cfg_init): openasuser=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:288 (cfg_init): alwaysok=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:289 (cfg_init): sshformat=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:290 (cfg_init): expand=0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:291 (cfg_init): authfile=/etc/Yubico/u2f_keys
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:292 (cfg_init): authpending_file=(null)
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:294 (cfg_init): origin=(null)
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:295 (cfg_init): appid=(null)
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): cfg.c:296 (cfg_init): prompt=(null)
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:122 (pam_sm_authenticate): Origin not specified, using "pam://localhost.localdomain"
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:134 (pam_sm_authenticate): Appid not specified, using the value of origin (pam://localhost.localdomain)
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:147 (pam_sm_authenticate): Maximum number of devices not set. Using default (24)
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:170 (pam_sm_authenticate): Requesting authentication for user root
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:181 (pam_sm_authenticate): Found user root
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:182 (pam_sm_authenticate): Home directory for root is /root
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:208 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:228 (parse_native_format): Read 198 bytes
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:232 (parse_native_format): Matched user: root
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:255 (parse_native_format): KeyHandle for device number 1: a9qpT1gjOkM//Au8igklrY31xLfaH6hEClnNnh0LBVVrHj4Yke8UYC5iaG7ZwsTGb7ASAP7wRbw9e1hPO3u+XQ==
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:257 (parse_native_format): publicKey for device number 1: LQUjsq0cSUWHVceOWVGrWZCkPdTAJKUO0cbWjH2DFqe3hkd6hcbqTRcBbjbvPXzjUkZastzF0Dh8Ste0/No4fw==
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:259 (parse_native_format): COSE type for device number 1: es256
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:261 (parse_native_format): Attributes for device number 1: +presence
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:777 (get_devices_from_authfile): Found 1 device(s) for user root
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:261 (pam_sm_authenticate): Touch request notifications will be emitted via '/var/run/user/0/pam-u2f-authpending'
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:270 (pam_sm_authenticate): Unable to emit 'authentication started' notification: Permission denied
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:1197 (do_authentication): Device max index is 0
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:1211 (do_authentication): Attempting authentication with device number 1
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:1016 (prepare_assert): Key handle: a9qpT1gjOkM//Au8igklrY31xLfaH6hEClnNnh0LBVVrHj4Yke8UYC5iaG7ZwsTGb7ASAP7wRbw9e1hPO3u+XQ==
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:977 (set_cdh): Failed to generate challenge
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:1035 (prepare_assert): Failed to set client data hash
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): util.c:1216 (do_authentication): Failed to prepare assert
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: debug(pam_u2f): pam-u2f.c:319 (pam_sm_authenticate): done. [Authentication failure]
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: pam_unix(polkit-1:auth): conversation failed
May 07 20:46:03 localhost.localdomain polkit-agent-helper-1[13423]: pam_unix(polkit-1:auth): auth could not identify password for [root]

There's no sensitive data here, these are all test keys in a test VM.

It looks like the polkit-agent-helper has some kind of permission restrictions, but I'm unsure how to remove those and what the security implications would be.
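The two debug logs above point at two different layers: the first run fails at `get_devices_from_authfile` with "Permission denied" immediately after "Switched to uid 0", and the second run (with the file moved to /etc/Yubico) gets past parsing ("Read 198 bytes", "Matched user: root") and fails later. The script below is an added diagnostic for readers of this thread; it is not code from pam-u2f, polkit or the reporter. It parses a u2f_keys file in the native format that pamu2fcfg writes (the `<user>:<keyhandle>,<pubkey>,<cose>,<options>` layout, one user per line, devices separated by `:`, is an assumption taken from the fields the log prints), reproduces the "Matched user" lookup, and runs the classic owner/group/other read check for a given uid. The sample input is constructed: line one reuses the key handle and public key the reporter's log prints for root (stated to be throw-away VM test keys), line two is an invented entry for the unprivileged user with two devices. The uid 4242 used by `self_check` is assumed not to be the caller's own uid or gid.

```python
"""Offline parser and permission pre-check for a pam_u2f native authfile.
Added example for this thread; not code from pam-u2f, polkit or the reporter.
Assumed line layout (what pamu2fcfg writes):
  <user>:<keyhandle>,<pubkey>,<cose>,<options>[:<keyhandle>,<pubkey>,<cose>,<options>...]
where <options> is a run of flags such as +presence+pin.
"""
from __future__ import annotations
import base64
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Raw public-key lengths per COSE label (assumed: X||Y for ECDSA, 32 bytes for Ed25519).
PUBKEY_LEN = {"es256": 64, "es384": 96, "eddsa": 32}

def _fake(seed: int) -> str:  # 64 filler bytes -> 88 base64 chars, for the invented entry
    return base64.b64encode(bytes([seed]) * 64).decode()

# Constructed sample: line 1 reuses the key handle / public key printed in the
# issue's debug log for root (reporter says these are VM test keys); line 2 is
# an invented entry with two devices for the unprivileged user.
SAMPLE_AUTHFILE = (
    "root:a9qpT1gjOkM//Au8igklrY31xLfaH6hEClnNnh0LBVVrHj4Yke8UYC5iaG7ZwsTGb7ASAP7wRbw9e1hPO3u+XQ==,"
    "LQUjsq0cSUWHVceOWVGrWZCkPdTAJKUO0cbWjH2DFqe3hkd6hcbqTRcBbjbvPXzjUkZastzF0Dh8Ste0/No4fw==,"
    "es256,+presence\n"
    f"shuja:{_fake(1)},{_fake(2)},es256,+presence+pin:{_fake(3)},{_fake(4)},es256,+presence\n"
)

@dataclass
class Device:
    key_handle: bytes
    public_key: bytes
    cose: str
    options: set[str] = field(default_factory=set)

@dataclass
class Entry:
    user: str
    devices: list[Device]

def parse_authfile(text: str) -> list[Entry]:
    """Strict parse; raises ValueError naming the line/device that is wrong."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user or not rest:
            raise ValueError(f"line {lineno}: expected <user>:<device>[:<device>...]")
        devices = []
        for n, dev in enumerate(rest.split(":"), 1):
            fields = dev.split(",")
            if len(fields) != 4:
                raise ValueError(f"line {lineno} device {n}: need 4 fields, got {len(fields)}")
            kh, pk, cose, opts = fields
            cose = cose.lower()
            if cose not in PUBKEY_LEN:
                raise ValueError(f"line {lineno} device {n}: unknown COSE type {cose!r}")
            try:
                key_handle = base64.b64decode(kh, validate=True)
                public_key = base64.b64decode(pk, validate=True)
            except ValueError as e:
                raise ValueError(f"line {lineno} device {n}: bad base64") from e
            if len(public_key) != PUBKEY_LEN[cose]:
                raise ValueError(f"line {lineno} device {n}: {cose} key is "
                                 f"{len(public_key)} bytes, expected {PUBKEY_LEN[cose]}")
            devices.append(Device(key_handle, public_key, cose,
                                  {o for o in opts.split("+") if o}))
        entries.append(Entry(user, devices))
    return entries

def devices_for_user(text: str, user: str) -> list[Device]:
    """The 'Matched user' step from the debug log: devices for `user`, or []."""
    return next((e.devices for e in parse_authfile(text) if e.user == user), [])

def mode_bits_allow_read(mode: int, owner: int, group: int, uid: int, gids) -> bool:
    """Classic DAC only. uid 0 always passes, so the log's 'Permission denied'
    right after 'Switched to uid 0' cannot come from mode bits; ACLs, LSMs and
    service sandboxing are outside this model."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IRUSR)
    if group in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def check_authfile(path: str, uid: int, gids) -> list[str]:
    """Problems to rule out before suspecting the PAM caller itself."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"{path}: {e.strerror}"]
    mode = stat.S_IMODE(st.st_mode)
    if not mode_bits_allow_read(mode, st.st_uid, st.st_gid, uid, gids):
        problems.append(f"{path}: mode {oct(mode)} owner {st.st_uid} denies read to uid {uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Whoever can write this file can register their own key for the user.
        problems.append(f"{path}: writable by group/others")
    try:
        with open(path) as f:
            parse_authfile(f.read())
    except (OSError, ValueError) as e:
        problems.append(f"{path}: {e}")
    return problems

def self_check() -> dict[str, list[str]]:
    """Write SAMPLE_AUTHFILE to a 0600 temp file; check it as its owner and as
    an unrelated non-root uid (4242, assumed not to be the caller's uid/gid)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "u2f_keys")
        with open(path, "w") as f:
            f.write(SAMPLE_AUTHFILE)
        os.chmod(path, 0o600)
        return {"owner": check_authfile(path, os.getuid(), [os.getgid()]),
                "stranger": check_authfile(path, 4242, [4242])}

if __name__ == "__main__":
    for user in ("root", "shuja", "nobody"):
        print(user, [(d.cose, sorted(d.options)) for d in devices_for_user(SAMPLE_AUTHFILE, user)])
    print(self_check())
```

Run it against a real file with `check_authfile("/root/.config/Yubico/u2f_keys", 0, [0])`; on the reporter's first log that call would return no problems, because uid 0 passes every mode-bit check, which is exactly why the remaining "Permission denied" has to come from something the helper's process environment imposes rather than from the file itself. The group/other-writable warning is the one finding worth keeping even when authentication works: anyone who can append to u2f_keys can register a key that authenticates as that user.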
