Pam_u2f stops working when disconnected from Internet (actually when the hostname changes)

So my Linux user account authentication with Nitrokey 3 using U2F was only working as long as my network cable was plugged in…

Thought I was going crazy until I found this webpage:

sudo pamu2fcfg --origin='pam://localhost' > /etc/2fa/u2f/u2f_keys
[...]
You can change --origin='pam://localhost' to a string of your liking
You can also omit --origin='pam://localhost', in which case it will default to your actual hostname.
The --origin will be encoded into the authorization file and has to match the origin used by PAM when you log in. So you will be locked out if you use the default and your hostname changes for whatever reason, for example depending on what network you connect to. So it seems safer to explicitly set --origin here and also explicitly set it in the PAM configuration.
[...]
auth required pam_u2f.so origin=pam://localhost authfile=/etc/2fa/u2f/

So pamu2fcfg defaults to using your hostname in the encoding of the key file.
Since my hostname changes when I unplug my cable, pam_u2f.so doesn’t execute and I get a normal password prompt (I have U2F auth set as sufficient).
The solution is to add the hostname you used during pamu2fcfg setup to your pam.d auth file:

auth required pam_u2f.so origin=pam://[your-hostname-during-pamu2fcfg] authfile=/etc/2fa/u2f/

and it works with whatever hostname you currently have.
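To make the failure mode above easy to catch before it locks anyone out, here is a small POSIX shell check. It is an added example, not code from the original post or from pam_u2f: it reads a pam.d file, works out which origin pam_u2f.so will actually use (the explicit origin= option if present, otherwise pam://<hostname>, which is the default described above), and compares it with the origin the keys were enrolled for. The function names, the optional hostname argument used to simulate a hostname change, and the sample file contents are assumptions of this example.

```shell
# Added example; not part of pam_u2f or of the original post.
# Prints the origin that the first "auth ... pam_u2f.so" line in a pam.d
# file will use: the explicit origin=... option, or pam://<hostname>
# when the option is absent (the default behaviour described above).
# An optional second argument overrides the hostname so a hostname change
# can be simulated without touching the machine.
pam_u2f_effective_origin() {
  pam_file="$1"
  host="${2:-$(hostname 2>/dev/null || uname -n)}"
  line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_u2f\.so' "$pam_file" 2>/dev/null | head -n 1)
  if [ -z "$line" ]; then
    echo "no pam_u2f.so auth line found in $pam_file" >&2
    return 1
  fi
  # Extract the value of origin=... if the module line carries one.
  origin=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]origin=\([^[:space:]]*\).*/\1/p')
  if [ -n "$origin" ]; then
    printf '%s\n' "$origin"
  else
    printf 'pam://%s\n' "$host"
  fi
}

# Compares the effective origin with the one given to pamu2fcfg --origin
# at enrollment time. Returns 0 on a match, 1 on a mismatch (the case
# that produces the silent fallback to a password prompt above).
pam_u2f_origin_matches() {
  expected="$1"
  pam_file="$2"
  host="$3"
  actual=$(pam_u2f_effective_origin "$pam_file" "$host") || return 1
  if [ "$actual" = "$expected" ]; then
    echo "ok: pam_u2f origin $actual matches enrollment origin"
    return 0
  fi
  echo "MISMATCH: pam.d will use $actual but the keys were enrolled for $expected" >&2
  return 1
}

# Usage (assumed paths): pam_u2f_check.sh pam://localhost /etc/pam.d/sudo
if [ "$#" -ge 2 ]; then
  pam_u2f_origin_matches "$1" "$2"
fi
```

Run it once against every pam.d file that loads pam_u2f.so, and run it again with a different hostname argument: if the second run reports a mismatch, the module is relying on the hostname default and needs an explicit origin= that matches the one used with pamu2fcfg.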

I guess a hostname change isn’t that far fetched so it might be a good idea to include a note in the documentation that mentions that pam_u2f needs the right origin to work. Especially if people use “auth required” as that will effectively lock people out as soon as they change their hostname.