timeout

[roidelapluie]

It would be great if this module could take 2 timeouts options:

• timeout for the user to plug a key (with a message "Please insert your U2F dongle")
• timeout for the user to press the button

[a-dma]

The first one can be done, even though exchanging messages in PAM is kind of painful.

The touch timeout is a feature of the authenticator/token itself and can not be configured.

[roidelapluie]

You mean that with my yubikey plugged in, it will timeout at a certain time already?

[a-dma]

No because the protocol mandates for requests to be sent continuously to the device and each requests resets the internal timeout.

Although, it would be possible for libu2f-host to stop listening for responses after x seconds...

[joelpurra]

Am, too, missing presence/touch timeout functionality, in particular because neither Esc, Ctrl+D, nor Ctrl+C(#108) works to cancel a sudo prompt while the Yubikey is blinking.

Workaround: use timeout 1m sudo as a 1-minute (configurable) presence/touch timeout.

# NOTE: for testing, request/validate sudo privileges without calling a command.
timeout 1m sudo --validate

# NOTE: for faster testing, drop sudo privileges.
sudo --reset-timestamp

GNU timeout man page. Interestingly, the default signal SIGTERM doesn't completely kill sudo -- instead it "advances" authentication from pam_u2f.so to regular password input. (Only applies to the first attempt though, not if the password prompt failed too.)

Using a Yubikey 4 on Ubuntu 22.04 with libpam-u2f v1.1.0-1.1build1.