Pamu2fcfg and keyhandle


Can someone help please? I’m on manjaro and up-to-date as of today, with a Model T (firmware 2.4.3)

I have:

  • trezor-bridge-bin 2.0.30-4
  • python-trezor 0.13.0-1

I am trying to setup with pam to enable authentication for sudo etc. I have followed the guides on the Arch wiki and on the Trezor userguide (U2F - Trezor Wiki). I also have a Feitian U2F device that works as expected. The Trezor seems to be misbehaving however:
When I use either

  • pamu2fcg -u myname
  • pamu2cfg -n

I keep getting different keyhandles being generated. With debug on in /etc/pam.d/sudo for instance and authentication set up as “sufficient”, I then see the following error and am prompted for my password:

debug(pam_u2f): util.c:984 (get_authenticators): Key not found in authenticator 0
debug(pam_u2f): util.c:995 (get_authenticators): Key not found
debug(pam_u2f): util.c:1450 (do_authentication): Device for this keyhandle is not present
debug(pam_u2f): pam-u2f.c:450 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): pam-u2f.c:489 (pam_sm_authenticate): done. [Authentication failure]

(This happens only after having previously entered the pin - not when it is merely connected like the Feitian. If I enter the pin, wait for the Trezor to sleep/timeout I am prompted for my pin, but the same error is printed. The Feitian works fine with the same configuration. I’ve also tried this with a fresh install rather than trying to configure u2f_keys with multiple device entries on one line).

Is this a bug, or is it expected that keyhandles will be different each time?

Thanks in advance.

Forgot to add i also have
pam-u2f 1.2.0-1 (providing pamu2fcfg)