Cue appears even if incorrect PIN is provided #209

ghost opened this issue Jul 19, 2021 · 3 comments

@ghost

ghost commented Jul 19, 2021

I have the following at the top of /etc/pam.d/common-auth:

auth    sufficient    pam_u2f.so cue [cue_prompt=Please touch your YubiKey.] pinverification=1

When entering the wrong PIN, the cue prompt still appears, and then authentication immediately fails.

@martelletto
Contributor

Hi, thank you for the report. What application are you using in conjunction with pam-u2f?

@ghost
Author

ghost commented Jul 20, 2021

I’m seeing this behavior with sudo on Ubuntu 21.04.

@martelletto
Contributor

Thank you. There is not much we can do to only display the cue if the PIN is correct, as that result isn't available to the application until the device responds. We could, however, ask the application to inform the user about what went wrong, e.g.:

$ sudo -i
Please enter the PIN: 
Please touch your YubiKey.
Touch timeout.
$ sudo -i
Please enter the PIN: 
Please touch your YubiKey.
Invalid PIN.

This is implemented in the diff below.

diff --git a/util.c b/util.c
index 5727e8d..86ea4cd 100644
--- a/util.c
+++ b/util.c
@@ -1382,6 +1382,18 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
             retval = 1;
             goto out;
           }
+        } else {
+          switch (r) {
+            case FIDO_ERR_PIN_INVALID:
+              converse(pamh, PAM_TEXT_INFO, "Invalid PIN.");
+              break;
+            case FIDO_ERR_PIN_BLOCKED:
+              converse(pamh, PAM_TEXT_INFO, "PIN blocked.");
+              break;
+            case FIDO_ERR_ACTION_TIMEOUT:
+              converse(pamh, PAM_TEXT_INFO, "Touch timeout.");
+              break;
+          }
         }
       }
     } else {
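
Review bot: the switch (r) in the new else branch has no default case, so a failure with any code other than FIDO_ERR_PIN_INVALID, FIDO_ERR_PIN_BLOCKED or FIDO_ERR_ACTION_TIMEOUT still produces no message and leaves the user with the unexplained failure this issue reports. Consider adding a default case with a generic failure message, or a comment stating that the silence is deliberate. The three strings also report failures rather than status, so PAM_ERROR_MSG may be a better fit than PAM_TEXT_INFO as the message style passed to converse().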
