No passwordless login with solokey u2f and Manjaro Gnome

Hi guys,

I’m new here, so please don’t blame me too much for newbie questions :slight_smile:

I have a problem I cannot solve myself with a solo key u2f fido2 (somu) and passwordless login on my Manjaro Surface Go 2.

I’ve configured my solo key as described here and the key works for example with webauthn.io like a charm, but there is no way to log in just with the key.
I’ve added the necessary strings to the /etc/pam.d/gdm files but no success. Weird: I don’t have the mentioned folder “gdm” from the above link.

So does somebody have an idea? I also give you some info:

System:
  Kernel: 5.8.11-1-MANJARO x86_64 bits: 64 compiler: N/A 
  parameters: BOOT_IMAGE=/boot/vmlinuz-5.8-x86_64 
  root=UUID=51888f8c-231f-4eae-9c8f-cb0901d266a3 rw quiet apparmor=1 
  security=apparmor udev.log_priority=3 
  Desktop: GNOME 3.36.6 tk: GTK 3.24.23 wm: gnome-shell 
  dm: GDM 3.36.3, LightDM 1.30.0 Distro: Manjaro Linux 
Machine:
  Type: Laptop System: Microsoft product: Surface Go 2 v: 1 serial: <filter> 
  Chassis: type: 9 serial: <filter> 
  Mobo: Microsoft model: Surface Go 2 serial: <filter> UEFI: Microsoft 
  v: 1.0.10 date: 04/22/2020 
Battery:
  ID-1: BAT1 charge: 19.7 Wh condition: 26.7/26.9 Wh (99%) volts: 8.0/7.7 
  model: SMP Uhu type: Li-ion serial: N/A status: Discharging cycles: 12 
  Device-1: hid-0018:04F3:2A1C.0001-battery model: ELAN9038:00 04F3:2A1C 
  serial: N/A charge: N/A status: N/A 
CPU:
  Topology: Dual Core model: Intel Core m3-8100Y bits: 64 type: MT MCP 
  arch: Amber Lake family: 6 model-id: 8E (142) stepping: 9 microcode: D6 
  L2 cache: 4096 KiB 
  flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx 
  bogomips: 12805 
  Speed: 700 MHz min/max: 400/3400 MHz Core speeds (MHz): 1: 700 2: 700 3: 701 
  4: 701 
  Vulnerabilities: Type: itlb_multihit status: KVM: VMX disabled 
  Type: l1tf 
  mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable 
  Type: meltdown mitigation: PTI 
  Type: spec_store_bypass 
  mitigation: Speculative Store Bypass disabled via prctl and seccomp 
  Type: spectre_v1 
  mitigation: usercopy/swapgs barriers and __user pointer sanitization 
  Type: spectre_v2 mitigation: Full generic retpoline, IBPB: conditional, 
  IBRS_FW, STIBP: conditional, RSB filling 
  Type: srbds mitigation: Microcode 
  Type: tsx_async_abort status: Not affected 
Graphics:
  Device-1: Intel UHD Graphics 615 vendor: QUANTA driver: i915 v: kernel 
  bus ID: 00:02.0 chip ID: 8086:591c 
  Display: x11 server: X.org 1.20.9 compositor: gnome-shell driver: intel 
  unloaded: modesetting alternate: fbdev,vesa resolution: <xdpyinfo missing> 
  OpenGL: renderer: Mesa Intel UHD Graphics 615 (AML-KBL) v: 4.6 Mesa 20.1.8 
  direct render: Yes 
Audio:
  Device-1: Intel Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Imaging 
  Unit 
  vendor: QUANTA driver: ipu3-imgu alternate: ipu3_imgu bus ID: 00:05.0 
  chip ID: 8086:1919 
  Device-2: Intel CSI-2 Host driver: ipu3-cio2 alternate: ipu3_cio2 
  bus ID: 00:14.3 chip ID: 8086:9d32 
  Device-3: Intel Sunrise Point-LP HD Audio vendor: QUANTA 
  driver: snd_hda_intel v: kernel alternate: snd_soc_skl bus ID: 00:1f.3 
  chip ID: 8086:9d71 
  Sound Server: ALSA v: k5.8.11-1-MANJARO 
Network:
  Device-1: Intel Wi-Fi 6 AX200 driver: iwlwifi v: kernel port: 3000 
  bus ID: 01:00.0 chip ID: 8086:2723 
  IF: wlp1s0 state: up mac: <filter> 
Drives:
  Local Storage: total: 119.24 GiB used: 19.51 GiB (16.4%) 
  SMART Message: Required tool smartctl not installed. Check --recommends 
  ID-1: /dev/nvme0n1 model: HFB1M8MQ331C0MR size: 119.24 GiB block size: 
  physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 serial: <filter> 
  rev: 80042C00 scheme: GPT 
Partition:
  ID-1: / raw size: 19.73 GiB size: 19.30 GiB (97.80%) used: 8.47 GiB (43.9%) 
  fs: ext4 dev: /dev/nvme0n1p4 
  ID-2: /home raw size: 15.53 GiB size: 15.22 GiB (98.03%) 
  used: 11.02 GiB (72.4%) fs: ext4 dev: /dev/nvme0n1p6 
Swap:
  Kernel: swappiness: 60 (default) cache pressure: 100 (default) 
  ID-1: swap-1 type: partition size: 5.91 GiB used: 0 KiB (0.0%) priority: -2 
  dev: /dev/nvme0n1p5 
Sensors:
  System Temperatures: cpu: 37.0 C mobo: N/A 
  Fan Speeds (RPM): N/A 
Info:
  Processes: 256 Uptime: 4m Memory: 7.64 GiB used: 1.63 GiB (21.3%) 
  Init: systemd v: 246 Compilers: gcc: N/A Packages: pacman: 1220 lib: 339 
  flatpak: 0 Shell: Zsh v: 5.8 running in: gnome-terminal inxi: 3.1.05

and my usb dmesg:

[    0.606621] usbcore: registered new interface driver usbfs
[    0.606621] usbcore: registered new interface driver hub
[    0.606621] usbcore: registered new device driver usb
[    0.858998] usbcore: registered new interface driver usbserial_generic
[    0.859001] usbserial: USB Serial support registered for generic
[    1.200546] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 5.08
[    1.200548] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    1.200556] usb usb1: Product: xHCI Host Controller
[    1.200559] usb usb1: Manufacturer: Linux 5.8.11-1-MANJARO xhci-hcd
[    1.200561] usb usb1: SerialNumber: 0000:00:14.0
[    1.203820] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 5.08
[    1.203822] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    1.203824] usb usb2: Product: xHCI Host Controller
[    1.203825] usb usb2: Manufacturer: Linux 5.8.11-1-MANJARO xhci-hcd
[    1.203827] usb usb2: SerialNumber: 0000:00:14.0
[    1.205530] usb: port power management may be unreliable
[    1.534417] usb 1-5: new full-speed USB device number 2 using xhci_hcd
[    1.679239] usb 1-5: New USB device found, idVendor=8087, idProduct=0029, bcdDevice= 0.01
[    1.679242] usb 1-5: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[    1.801075] usb 1-7: new full-speed USB device number 3 using xhci_hcd
[    1.942187] usb 1-7: New USB device found, idVendor=045e, idProduct=09b5, bcdDevice= 0.04
[    1.942189] usb 1-7: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[    1.942191] usb 1-7: Product: Surface Keyboard
[    1.942193] usb 1-7: Manufacturer: Microsoft
[    3.510995] usbcore: registered new interface driver btusb
[    5.920342] input: Microsoft Surface Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0/0003:045E:09B5.0004/input/input41
[    5.976034] hid-generic 0003:045E:09B5.0004: input,hidraw1: USB HID v1.11 Keyboard [Microsoft Surface Keyboard] on usb-0000:00:14.0-7/input0
[    5.976800] input: Microsoft Surface Keyboard Consumer Control as /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.1/0003:045E:09B5.0005/input/input42
[    6.031261] input: Microsoft Surface Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.1/0003:045E:09B5.0005/input/input44
[    6.031429] hid-generic 0003:045E:09B5.0005: input,hiddev0,hidraw2: USB HID v1.11 Device [Microsoft Surface Keyboard] on usb-0000:00:14.0-7/input1
[    6.032045] hid-generic 0003:045E:09B5.0006: hiddev1,hidraw3: USB HID v1.11 Device [Microsoft Surface Keyboard] on usb-0000:00:14.0-7/input2
[    6.035125] input: Microsoft Surface Keyboard Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.3/0003:045E:09B5.0007/input/input45
[    6.035294] input: Microsoft Surface Keyboard Touchpad as /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.3/0003:045E:09B5.0007/input/input46
[    6.035518] hid-multitouch 0003:045E:09B5.0007: input,hiddev2,hidraw4: USB HID v1.11 Mouse [Microsoft Surface Keyboard] on usb-0000:00:14.0-7/input3
[    6.035593] usbcore: registered new interface driver usbhid
[    6.035594] usbhid: USB HID core driver
[   19.494654] usb 1-1: new full-speed USB device number 4 using xhci_hcd
[   19.636028] usb 1-1: New USB device found, idVendor=0483, idProduct=a2ca, bcdDevice= 1.00
[   19.636034] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   19.636037] usb 1-1: Product: Solo 3.0.0
[   19.636040] usb 1-1: Manufacturer: SoloKeys
[   19.636043] usb 1-1: SerialNumber: 209C39A2384B
[   19.638472] hid-generic 0003:0483:A2CA.0008: hiddev3,hidraw5: USB HID v1.11 Device [SoloKeys Solo 3.0.0] on usb-0000:00:14.0-1/input0

So it recognized the solo key.

When I switch to kernel 5.8.16 or the surface kernel my system crashes all the time… so for now I would like to stick to 5.8.11.

:+1: Welcome to Manjaro! :+1:

You did this, but did you do all that too?

If yes, please provide the contents of all the text files you edited.

:+1:


Yes, for sure I did all the setup stuff you mentioned. I would say that is the reason why the key works and is recognized by webauth.

In the end I edited all files in /etc/pam.d with gdm in the name, or login.

I will post the details later, but I inserted in every file the line

auth sufficient pam_u2f.so

Thanks for your support.

Cheers.

Rob


Sorry for answering late, but I crashed my bootloader and dual boot while I tried to fix an xcb qt problem, so it took some time to get my old system back :slight_smile:

gdm-autologin:

auth required pam_shells.so
auth sufficient pam_u2f.so
auth requisite pam_nologin.so
auth optional pam_permit.so
auth required pam_env.so
auth [success=ok default=1] pam_gdm.so
auth optional pam_gnome_keyring.so
auth sufficient pam_u2f.so
account include system-local-login
password required pam_deny.so
auth sufficient pam_u2f.so
session include system-local-login
session optional pam_gnome_keyring.so auto_start

system-login:

auth required pam_shells.so
auth requisite pam_nologin.so
auth sufficient pam_u2f.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so user_readenv=1

system-local-login:

auth sufficient pam_u2f.so
auth include system-login
account include system-login
password include system-login
session include system-login

gdm-password:

auth sufficient pam_u2f.so
auth include system-local-login
auth optional pam_gnome_keyring.so
account include system-local-login
password include system-local-login
password optional pam_gnome_keyring.so use_authtok
session include system-local-login
session optional pam_gnome_keyring.so auto_start

…but I don’t have a single file “gdm”, which was mentioned in the above “how to…”, in my folder /etc/pam.d

/etc/pam.d looks like:

chage
gdm-smartcard
passwd
system-auth
chfn
groupadd
polkit-1
systemd-user
chgpasswd
groupdel
rlogin
system-local-login
chpasswd
groupmems
rsh
system-login
chsh
groupmod
runuser
system-remote-login
crond
lightdm
runuser-l
system-services
cups
lightdm-autologin
shadow
useradd
gdm-autologin
lightdm-greeter
sshd
userdel
gdm-fingerprint
login
su
usermod
gdm-launch-environment
newusers
sudo
vlock
gdm-password
other
su-l

I’ve also tried lightdm but I don’t like that there is no screensaver…
And solo also doesn’t work with lightdm…

Thanks for suggestions

Cheers, Rob

and login:

auth required pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_u2f.so
auth include system-local-login
account include system-local-login
session include system-local-login

  • Change auth required pam_shells.so to auth sufficient pam_shells.so
  • remove the second auth sufficient pam_u2f.so
  • Change password required pam_deny.so to password optional pam_deny.so

And try logging in as any user except root

Hi,

I tried with my account with admin rights and with a guest account with standard user rights… doesn’t work… ;-(

Cheers


All out of ideas then…

:sob:

I also have a Solo and am using LightDM with XFCE and got it working. I’ll look into my pam.d files this afternoon and see if I can help. :smiley:

Thanks, do you have a screen lock feature with lightdm?!

I guess xflock4 bound to Ctrl + Alt + Del would be the closest to a screen lock.

❯ cat /etc/pam.d/lightdm
#%PAM-1.0
auth	    sufficient	pam_u2f.so nouserok origin=pam://zill appid=pam://zill
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
account     include     system-login
password    include     system-login
session     include     system-login
-session    optional    pam_gnome_keyring.so auto_start
❯ cat /etc/pam.d/sudo
#%PAM-1.0
auth		sufficient	pam_u2f.so origin=pam://zill appid=pam://zill
auth		include		system-auth
account		include		system-auth
session		include		system-auth

This is my configuration for lightdm and sudo. You will have to replace ‘zill’ with your Host name.

I think this configuration either came from old documentation of Solo or from the Arch Wiki.
If that doesn’t work: Have you tried to authenticate sudo with the key?

I’ve changed the first line of the sudo file; now it doesn’t ask me to enter a sudo password and directly accepts the sudo command, even if I don’t have the solo key inserted…
:thinking:
sudo:

#%PAM-1.0
auth sufficient pam_u2f.so orig=pam://robo appid=pam://robo
auth sufficient pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth include system-auth
account include system-auth
session include system-auth

Hmmm… interesting,
indeed it asks for the password once per session.
If I insert the solo key it seems to do something, but it doesn’t work…

That is probably because you entered your sudo password in the terminal session already.

If you have the solo inserted and you do sudo ls for example it should not prompt for the password. If you then press the button it should execute the command. It does not show an alert to press the button, however it will prompt you for the password if some time has passed without you interacting with your key.

Also I just realized you have the somu key. Does it come with a button like the other keys?

Yes, the somu also has the button.
I will try again later with sudo ls…
On the street now.
Thanks.

I’ve even changed my sudo to the following and it doesn’t work… ;-(

#%PAM-1.0
auth sufficient pam_u2f.so orig=pam://robo appid=pam://robo
auth include system-auth
account include system-auth
session include system-auth

when I scan my system with

sudo journalctl -p 3 -xb

I found the following:

Nov 08 00:02:34 robo-manjaro systemd-udevd[227]: /etc/udev/rules.d/70-u2f.rules:87 Unknown group ‘plugdev’, ignoring
Nov 08 00:02:34 robo-manjaro systemd-udevd[260]: could not read from ‘/sys/module/pcc_cpufreq/initstate’: No such de>
Nov 08 00:02:41 robo-manjaro bluetoothd[782]: Failed to set mode: Blocked through rfkill (0x12)
Nov 08 00:02:55 robo-manjaro gdm-password][1324]: gkr-pam: unable to locate daemon control file
Nov 08 00:03:00 robo-manjaro systemd[1328]: Failed to start Application launched by gnome-session-binary.
░░ Subject: A start job for unit UNIT has failed
░░ Defined-By: systemd
░░ Support: https://forum.manjaro.org/c/support
░░
░░ A start job for unit UNIT has finished with a failure.
░░
░░ The job identifier is 335 and the job result is failed.
Nov 08 00:03:36 robo-manjaro kernel: ucsi_acpi USBC000:00: PPM init failed (-110)
Nov 08 00:14:05 robo-manjaro bluetoothd[782]: src/profile.c:ext_start_servers() RFCOMM server failed for Headset Voi>
Nov 08 00:14:05 robo-manjaro bluetoothd[782]: src/profile.c:ext_start_servers() RFCOMM server failed for Headset uni>
lines 15-39/39 (END)

maybe a lead…?!

It should be “origin” rather than “orig”.
I don’t know if the journalctl logs are related to the Solo though.

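A small configuration check, added here as an example and not taken from any post in the thread: it scans a pam.d directory and a udev rules file for the three mistakes that came up above (the `orig=` typo that pam_u2f silently ignores, the same `auth sufficient pam_u2f.so` line pasted more than once into one file, and a udev rule naming a group such as plugdev that the system does not have). The sample files it creates are constructed for the demo; the `lint_u2f` and `make_sample` names and the file paths are assumptions.

```shell
#!/bin/sh
# lint_u2f PAMDIR RULESFILE GROUPFILE
# Prints one line per finding and returns the number of findings (0 = clean).
lint_u2f() {
    pamdir=$1 rules=$2 groupfile=$3 findings=0
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        # 1. "orig=" is a typo for "origin=": pam_u2f does not know the option
        if grep -Eq 'pam_u2f\.so.*[[:space:]]orig=' "$f"; then
            echo "$f: 'orig=' should be 'origin='"
            findings=$((findings + 1))
        fi
        # 2. the same pam_u2f auth line repeated in one file
        dups=$(grep -Ec '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so' "$f" || true)
        if [ "$dups" -gt 1 ]; then
            echo "$f: 'auth sufficient pam_u2f.so' appears $dups times"
            findings=$((findings + 1))
        fi
    done
    # 3. udev rule hands the device to a group that does not exist here
    if [ -f "$rules" ]; then
        for g in $(grep -o 'GROUP="[^"]*"' "$rules" | cut -d'"' -f2 | sort -u); do
            grep -q "^$g:" "$groupfile" || {
                echo "$rules: group '$g' does not exist in $groupfile"
                findings=$((findings + 1))
            }
        done
    fi
    return "$findings"
}

# Constructed sample tree reproducing the three mistakes (not a real system);
# prints the directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    printf 'auth sufficient pam_u2f.so\nauth required pam_env.so\nauth sufficient pam_u2f.so\n' > "$d/pam.d/gdm-autologin"
    printf '#%%PAM-1.0\nauth sufficient pam_u2f.so orig=pam://host appid=pam://host\nauth include system-auth\n' > "$d/pam.d/sudo"
    printf 'auth sufficient pam_u2f.so origin=pam://host appid=pam://host\n' > "$d/pam.d/lightdm"
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", GROUP="plugdev", MODE="0660"\n' > "$d/70-u2f.rules"
    printf 'root:x:0:\nwheel:x:998:\n' > "$d/group"
    echo "$d"
}
```

On a real box run it as `lint_u2f /etc/pam.d /etc/udev/rules.d/70-u2f.rules /etc/group`; on the constructed sample it reports exactly the three findings.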