Pamu2fcfg and keyhandle

Hi,

Can someone help please? I’m on manjaro and up-to-date as of today, with a Model T (firmware 2.4.3)

I have:

  • trezor-bridge-bin 2.0.30-4
  • python-trezor 0.13.0-1

I am trying to set up pam to enable authentication for sudo etc. I have followed the guides on the Arch wiki and on the Trezor user guide (U2F - Trezor Wiki). I also have a Feitian U2F device that works as expected. The Trezor seems to be misbehaving however:
When I use either

  • pamu2fcfg -u myname
    or
  • pamu2fcfg -n

I keep getting different keyhandles being generated. With debug on in /etc/pam.d/sudo for instance and authentication set up as “sufficient”, I then see the following error and am prompted for my password:

debug(pam_u2f): util.c:984 (get_authenticators): Key not found in authenticator 0
debug(pam_u2f): util.c:995 (get_authenticators): Key not found
debug(pam_u2f): util.c:1450 (do_authentication): Device for this keyhandle is not present
debug(pam_u2f): pam-u2f.c:450 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:489 (pam_sm_authenticate): done. [Authentication failure]

(This happens only after having previously entered the pin - not when it is merely connected like the Feitian. If I enter the pin and wait for the Trezor to sleep/time out, I am prompted for my pin, but the same error is printed. The Feitian works fine with the same configuration. I’ve also tried this with a fresh install rather than trying to configure u2f_keys with multiple device entries on one line.)

Is this a bug, or is it expected that keyhandles will be different each time?

Thanks in advance.

Forgot to add I also have
pam-u2f 1.2.0-1 (providing pamu2fcfg)
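As an added example (not part of the original post, and not pam-u2f's own code): a small parser for the u2f_keys file that pamu2fcfg writes, assuming the pam-u2f 1.2.0 four-field line format `<user>:<keyhandle>,<pubkey>,<cose_type>,<options>[:...]`. It shows how several device entries for one user sit on a single line and flags malformed entries before pam_u2f is pointed at the file; the base64url values in the sample are constructed placeholders.

```python
import base64
import re

# Constructed sample u2f_keys content in the pam-u2f 1.2.0 line format:
#   <user>:<keyhandle>,<pubkey>,<cose_type>,<options>[:<keyhandle>,<pubkey>,...]
# The base64url values are made-up placeholders, not real credentials.
SAMPLE_U2F_KEYS = """\
myname:a2V5aGFuZGxlLWZlaXRpYW4,cHVia2V5LWZlaXRpYW4,es256,+presence:a2V5aGFuZGxlLXRyZXpvcg,cHVia2V5LXRyZXpvcg,es256,+presence
other:a2V5aGFuZGxlLW90aGVy,cHVia2V5LW90aGVy,es256,+presence
broken:not base64!,cHVia2V5,es256,+presence
"""

_B64URL = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")

def _b64url_ok(value):
    """True if value decodes as (possibly unpadded) base64url."""
    if not _B64URL.match(value):
        return False
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def parse_u2f_keys(text):
    """Return ({user: [(keyhandle, pubkey, cose_type, options), ...]}, [errors]).

    Each ':'-separated entry after the user name is one registered device,
    so several devices for one user legitimately share a single line.
    """
    users, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, *entries = line.split(":")
        regs = []
        for entry in entries:
            fields = entry.split(",")
            if len(fields) != 4:
                errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
                continue
            if not (_b64url_ok(fields[0]) and _b64url_ok(fields[1])):
                errors.append(f"line {lineno}: key handle or public key is not base64url")
                continue
            regs.append(tuple(fields))
        users[user] = regs
    return users, errors
```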