Handle Ctrl+C to abort "Please touch the device" prompt

[maximbaz]

• Run "sudo -s"
• See "Please touch the device" prompt
• Press Ctrl+C to change your mind and abort.

Expected: command is aborted immediately

Actual: command hangs until you touch the device or it times-out.

This has been on my wish-list for so long, I would be really happy to see this implemented. I can try implementing it as well, if you could give me some pointers?

[corbolais]

Point is, the "Please touch the device" prompt does not even show until you successfully authenticated. At least here on Ubuntu disco. That msg is useles as is.

[loshz]

+1 for this.

Also happy to help implement.

[OJFord]

@corbolais That is not the case for me, and certainly a different issue to this anyway.

[WhyNotHugo]

Point is, the "Please touch the device" prompt does not even show until you successfully authenticated. At least here on Ubuntu disco. That msg is useles as is.

Are you using cue_prompt?

e.g.:

auth		sufficient	pam_u2f.so authfile=/etc/u2f_keys cue [cue_prompt=🔐 Waiting for key...]

[corbolais]

Point is, the "Please touch the device" prompt does not even show until you successfully authenticated. At least here on Ubuntu disco. That msg is useles as is.

Are you using cue_prompt?

e.g.:

auth		sufficient	pam_u2f.so authfile=/etc/u2f_keys cue [cue_prompt=🔐 Waiting for key...]

Yes, I am:

auth      required pam_u2f.so authfile=.ssh/u2f_keys [prompt=Please insert your FIDO2 device, then press ENTER.] interactive cue [cue_prompt=Please touch your FIDO2 device now.] nodetect

[WhyNotHugo]

I've resorted to using pkexec as a workaround (e.g.: pkexec whoami). The agent gives a gui prompt which you can dismiss, and get your shell back.

E.g.: Instead of Ctrl+c, I just use Esc on the gui prompt.

I'm sure there's a way to get a polkit prompt in the terminal, but I already have this set up for things like gparted anyway.

[joelpurra]

The workaround timeout 1m sudo helps -- if you remember to use it. The timeout is configurable, and conveniently falls back to the regular sudo password prompt afterwards. See also #25.

[WhyNotHugo]

That still leaves the key locked for 1m.

My workaround has been to press Ctrl+C and then tap the key. pam authentication succeeds, but sudo never executes the requested command anyway.

[ckdarby]

2023, still an issue 😞

[mkropat]

I only have enough C programming knowledge to be dangerous, but I took a look at what it would take to support Ctrl+C when using pam-u2f with sudo. As a proof-of-concept this change worked for me:

• pam: Allow SIGINT (Ctrl+C) while waiting for device press [proof of concept] #315

However, in the process I discovered why that naive approach is actually a bad idea (see the linked PR for details). I have no plans to continue the change forward myself, but I wanted to write up my findings to leave breadcrumbs for the next person.