Passwordless sudo with Nitrokey 3?

Hi,

I’ve set up my 2 Nitrokeys (primary + backup) for Linux login; so far so good.

If I set my account to require a password for sudo, I get a prompt to touch the key.
If I go passwordless for sudo, I directly get sudo access; I was expecting to have to touch the key to confirm the sudo command.

Here is my pam.d common-auth:

auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    required pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt

Here is my sudoers file:

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
myusername  ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d

I’ve also tried to set up only /etc/pam.d/sudo, and that did not change anything.

Did I miss something? Has anyone got a proper passwordless sudo working with an NK3?

Regards

I don’t know if you added this line, but in case you did, have a read of `man pam_permit` and undo it.

To enable it for sudo, you should indeed configure that in /etc/pam.d/sudo. If it does not work, try adding userpresence=1 to the pam_u2f.so line.

Thanks for your answer.

pam_permit is a default entry, with the following comment:

prime the stack with a positive return value if there isn't one already;
this avoids us returning an error just because nothing sets a success code
since the modules above will each just jump around

I’ve removed it from common-auth and made the change in the sudo file as proposed, but I can still sudo without the key. Here are my updated files:

pam.d/common-auth

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# and here are more per-package modules (the "Additional" block)
#Nitrokey FIDO2 con
auth    required pam_u2f.so cue authfile=/etc/Nitrokey/u2f_keys
# end of pam-auth-update config

pam.d/sudo

#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so
auth    required pam_u2f.so cue authfile=/etc/Nitrokey/u2f_keys userpresence=1

@include common-auth
@include common-account
@include common-session-noninteractive

Everything except the line for the Nitrokey is default in this file.

Fascinating that a distro would put that comment into a PAM config.

I missed your sudoers earlier. You have

in it. The regular way is to have “myusername” added to the sudo group. By the looks of it this is overridden, but then it does not make sense that you get asked for a password in some cases.
That leads me to a point where I don’t really want to make suggestions, because I don’t know your distro’s regular setup and it’s easy to lock yourself out with trial-and-error changes.

Instead, here is how I use the Nitrokey for sudo authentication: I left the config file in the user’s .config path and just added the following to /etc/pam.d/sudo for my distro:
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname

(edit: hostname needs to be replaced by your system’s name)
Using “sufficient”, I get prompted for the password when the NK is unplugged and can touch-authenticate when it is plugged in. My sudoers file has no per-username modifications; instead we assign the “wheel” group for sudo access.
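The following is an added example, written for this page and not code from the thread or from Nitrokey. It is a small POSIX shell lint for the two files the thread revolves around (the sudo PAM service file and sudoers), and it encodes the behaviour the original poster is running into: a NOPASSWD rule makes sudo skip PAM authentication altogether, so nothing on the `auth` stack, pam_u2f included, is ever consulted. It also reports whether pam_u2f is `required` or `sufficient` and whether a `sufficient` pam_u2f line sits below the password modules, in which case the password is asked before the key is tried. All file contents in it are constructed samples modelled on the files posted above; `myusername` and `myhost` are placeholders, and `@include` lines are not followed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nitrokey: a lint for the two
# files discussed above. It encodes the behaviour the OP is hitting: a NOPASSWD
# rule makes sudo skip PAM authentication entirely, so nothing on the 'auth'
# stack, pam_u2f included, is consulted. All file contents below are constructed
# samples; 'myhost' and 'myusername' are placeholders.

# check_sudo_pam PAMFILE SUDOERSFILE USER
# Prints findings; returns 0 if USER's sudo will consult pam_u2f, 1 otherwise.
check_sudo_pam() {
    pamfile=$1; sudoers=$2; user=$3; rc=0

    # 1. NOPASSWD for the user (or ALL): sudo never runs the PAM auth stack.
    if grep -Eq "^[[:space:]]*(${user}|ALL)[[:space:]].*NOPASSWD:" "$sudoers"; then
        echo "FAIL: NOPASSWD rule for $user in $sudoers; sudo skips PAM authentication"
        rc=1
    fi
    # Group rules depend on membership, which this offline check cannot see.
    if grep -Eq '^[[:space:]]*%[^[:space:]]+[[:space:]].*NOPASSWD:' "$sudoers"; then
        echo "WARN: NOPASSWD rule for a group in $sudoers; applies if $user is a member"
    fi

    # 2. pam_u2f must be on the sudo service's own auth stack (@includes are
    #    not followed here).
    u2f=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_u2f\.so' "$pamfile" | head -n 1)
    if [ -z "$u2f" ]; then
        echo "FAIL: no 'auth ... pam_u2f.so' line in $pamfile"
        return 1
    fi
    u2f_no=${u2f%%:*}
    ctrl=$(printf '%s\n' "${u2f#*:}" | awk '{print $2}')
    case "$ctrl" in
        sufficient) echo "INFO: pam_u2f is sufficient; a touch alone passes, later modules are the fallback" ;;
        required|requisite) echo "INFO: pam_u2f is $ctrl; a touch is mandatory in addition to what follows" ;;
        *) echo "WARN: control field '$ctrl' for pam_u2f not covered (bracketed forms are not parsed)" ;;
    esac

    # 3. Ordering: password modules placed before a 'sufficient' pam_u2f run
    #    first, so the password is asked before the key is even tried.
    pw=$(grep -nE '^[[:space:]]*(@include[[:space:]]+common-auth|auth[[:space:]].*pam_unix\.so)' "$pamfile" | head -n 1)
    if [ -n "$pw" ] && [ "${pw%%:*}" -lt "$u2f_no" ] && [ "$ctrl" = sufficient ]; then
        echo "WARN: password module at line ${pw%%:*} precedes pam_u2f at line $u2f_no; move pam_u2f above it"
    fi
    return $rc
}

# write_samples DIR: writes the constructed sample files used by the demo.
write_samples() {
    mkdir -p "$1"
    # (a) the OP's combination: pam_u2f 'required' plus a NOPASSWD rule
    cat > "$1/sudo.before" <<'EOF'
#%PAM-1.0
session    required   pam_limits.so
auth    required pam_u2f.so cue authfile=/etc/Nitrokey/u2f_keys userpresence=1
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
    cat > "$1/sudoers.before" <<'EOF'
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
myusername  ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
EOF
    # (b) the last reply's shape: pam_u2f 'sufficient' above the password
    #     stack, group-based sudoers with no NOPASSWD
    cat > "$1/sudo.after" <<'EOF'
#%PAM-1.0
session    required   pam_limits.so
auth sufficient pam_u2f.so cue origin=pam://myhost appid=pam://myhost
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
    cat > "$1/sudoers.after" <<'EOF'
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
EOF
    # (c) the same pam_u2f line, but placed after common-auth
    awk '/pam_u2f/{held=$0;next} {print} /common-auth/{print held}' "$1/sudo.after" > "$1/sudo.late"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for c in before after; do
    echo "== $c =="
    if check_sudo_pam "$tmp/sudo.$c" "$tmp/sudoers.$c" myusername; then
        echo "=> key will be consulted"
    else
        echo "=> key will NOT be consulted"
    fi
done
echo "== late =="; check_sudo_pam "$tmp/sudo.late" "$tmp/sudoers.after" myusername
rm -r "$tmp"
```

To run it against a real system, call `check_sudo_pam /etc/pam.d/sudo /etc/sudoers "$USER"` from a shell that has sourced the file (reading /etc/sudoers needs root). The check is deliberately conservative: it only looks at the service file itself and at user, ALL and group rules in the one sudoers file, so a NOPASSWD rule hidden in /etc/sudoers.d or a pam_u2f line pulled in through an include will not be seen.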