Delay in Yubikey touch request after Swaylock authentication

Hi,

I have a small issue with my Yubikey straight after Swaylock authentication.
In particular, my setup requests a Yubikey touch after every authentication in Swaylock, but does so with some delay (10-15 sec), sometimes without it, BUT in all other cases, like the logon screen or sudo privileges, it happens without any noticeable delay.

Once again, my system setup requires the Yubikey to be presented during any authentication (logon, sudo or ssh operations) and has been working without any problem so far, excluding only the delay after screen unlocking.

So I would be grateful for any suggestions, if anyone has had a similar experience or has ideas/suggestions on where to look or how to solve this ‘just annoying problem’.

PS Maybe I do not correctly understand ‘pam’ files …

Thanks,

My garuda-inxi:

System:
  Kernel: 6.7.1-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
    clocksource: tsc available: hpet,acpi_pm
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
    root=UUID=5793ae16-f1e7-4078-a854-777471cee4e2 rw rootflags=subvol=@
    loglevel=3 ibt=off
  Desktop: sway v: 0.3.2 info: waybar vt: 1 dm: SDDM Distro: Garuda Linux
    base: Arch Linux
Machine:
  Type: Desktop System: Gigabyte product: Z590I AORUS ULTRA v: -CF
    serial: <superuser required>
  Mobo: Gigabyte model: Z590I AORUS ULTRA serial: <superuser required>
    UEFI: American Megatrends LLC. v: F9 date: 06/07/2023
CPU:
  Info: model: 11th Gen Intel Core i7-11700K bits: 64 type: MT MCP
    arch: Rocket Lake gen: core 11 level: v4 note: check built: 2021+
    process: Intel 14nm family: 6 model-id: 0xA7 (167) stepping: 1
    microcode: 0x5D
  Topology: cpus: 1x cores: 8 tpc: 2 threads: 16 smt: enabled cache:
    L1: 640 KiB desc: d-8x48 KiB; i-8x32 KiB L2: 4 MiB desc: 8x512 KiB
    L3: 16 MiB desc: 1x16 MiB
  Speed (MHz): avg: 4133 high: 4717 min/max: 800/4900:5000 scaling:
    driver: intel_pstate governor: performance cores: 1: 4600 2: 4599 3: 4600
    4: 4600 5: 4600 6: 800 7: 4600 8: 4606 9: 4606 10: 4600 11: 4600 12: 800
    13: 4600 14: 4600 15: 4610 16: 4717 bogomips: 115200
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities: <filter>
Graphics:
  Device-1: Intel DG2 [Arc A750] driver: i915 v: kernel arch: Gen-12.7
    code: Alchemist process: TSMC n6 (7nm) built: 2022+ pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 ports: active: DP-2,DP-3 empty: DP-1, DP-4,
    HDMI-A-1, HDMI-A-2, HDMI-A-3 bus-ID: 03:00.0 chip-ID: 8086:56a1
    class-ID: 0300
  Device-2: Logitech HD Pro Webcam C920 driver: snd-usb-audio,uvcvideo
    type: USB rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-3.3:7
    chip-ID: 046d:082d class-ID: 0102 serial: <filter>
  Display: wayland server: X.org v: 1.21.1.11 with: Xwayland v: 23.2.4
    compositor: sway v: 0.3.2 driver: X: loaded: modesetting
    alternate: fbdev,intel,vesa dri: iris gpu: i915 d-rect: 5120x1440
    display-ID: 1
  Monitor-1: DP-2 pos: right model: Dell S2721DGF serial: <filter>
    built: 2022 res: 2560x1440 hz: 144 dpi: 109 gamma: 1.2 scale: 1
    size: 597x336mm (23.5x13.23") diag: 685mm (27") ratio: 16:9 modes:
    max: 2560x1440 min: 720x400
  Monitor-2: DP-3 pos: primary,left model: Dell U2715H serial: <filter>
    built: 2017 res: 2560x1440 hz: 60 dpi: 109 gamma: 1.2 scale: 1
    size: 597x336mm (23.5x13.23") diag: 685mm (27") ratio: 16:9 modes:
    max: 2560x1440 min: 720x400
  API: EGL v: 1.5 hw: drv: intel iris platforms: device: 0 drv: iris
    device: 1 drv: swrast surfaceless: drv: iris wayland: drv: iris x11:
    drv: iris inactive: gbm
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: intel mesa v: 23.3.4-arch1.2
    glx-v: 1.4 direct-render: yes renderer: Mesa Intel Arc A750 Graphics (DG2)
    device-ID: 8086:56a1 memory: 7.75 GiB unified: no
  API: Vulkan v: 1.3.276 layers: 7 device: 0 type: discrete-gpu name: Intel
    Arc A750 Graphics (DG2) driver: mesa intel v: 23.3.4-arch1.2
    device-ID: 8086:56a1 surfaces: xcb,xlib,wayland device: 1 type: cpu
    name: llvmpipe (LLVM 16.0.6 256 bits) driver: mesa llvmpipe
    v: 23.3.4-arch1.2 (LLVM 16.0.6) device-ID: 10005:0000
    surfaces: xcb,xlib,wayland
Audio:
  Device-1: Intel Tiger Lake-H HD Audio vendor: Gigabyte driver: snd_hda_intel
    v: kernel alternate: snd_sof_pci_intel_tgl bus-ID: 00:1f.3
    chip-ID: 8086:43c8 class-ID: 0403
  Device-2: Intel DG2 Audio driver: snd_hda_intel v: kernel pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 bus-ID: 04:00.0 chip-ID: 8086:4f90 class-ID: 0403
  Device-3: Logitech HD Pro Webcam C920 driver: snd-usb-audio,uvcvideo
    type: USB rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-3.3:7
    chip-ID: 046d:082d class-ID: 0102 serial: <filter>
  Device-4: Dell AC511 Sound Bar driver: hid-generic,snd-usb-audio,usbhid
    type: USB rev: 1.1 speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-4.2:10
    chip-ID: 413c:a503 class-ID: 0300
  Device-5: SteelSeries ApS Arctis 5
    driver: hid-generic,snd-usb-audio,usbhid type: USB rev: 2.0 speed: 12 Mb/s
    lanes: 1 mode: 1.1 bus-ID: 1-7:8 chip-ID: 1038:12aa class-ID: 0300
    serial: <filter>
  API: ALSA v: k6.7.1-zen1-1-zen status: kernel-api tools: N/A
  Server-1: sndiod v: N/A status: off tools: aucat,midicat,sndioctl
  Server-2: PipeWire v: 1.0.1 status: active with: 1: pipewire-pulse
    status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
    4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Intel Ethernet I225-V vendor: Gigabyte driver: igc v: kernel pcie:
    gen: 2 speed: 5 GT/s lanes: 1 port: N/A bus-ID: 09:00.0 chip-ID: 8086:15f3
    class-ID: 0200
  IF: enp9s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Device-2: Intel Wi-Fi 6 AX200 driver: iwlwifi v: kernel pcie: gen: 2
    speed: 5 GT/s lanes: 1 bus-ID: 0a:00.0 chip-ID: 8086:2723 class-ID: 0280
  IF: wlp10s0 state: down mac: <filter>
Bluetooth:
  Device-1: Intel AX200 Bluetooth driver: btusb v: 0.8 type: USB rev: 2.0
    speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-14:19 chip-ID: 8087:0029
    class-ID: e001
  Report: btmgmt ID: hci0 rfk-id: 2 state: up address: <filter> bt-v: 5.2
    lmp-v: 11 status: discoverable: no pairing: no class-ID: 6c0104
Drives:
  Local Storage: total: 3.64 TiB used: 219.14 GiB (5.9%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung model: SSD 990 PRO 1TB
    size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: 4B2QJXD7 temp: 62.9 C
    scheme: GPT
  ID-2: /dev/nvme1n1 maj-min: 259:5 model: Nextorage SSD NE1N2TB
    size: 1.82 TiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: EIFS31.2 temp: 59.9 C
    scheme: GPT
  ID-3: /dev/sda maj-min: 8:0 vendor: Seagate model: ST31000524NS
    size: 931.51 GiB block-size: physical: 512 B logical: 512 B type: USB
    rev: 3.0 spd: 5 Gb/s lanes: 1 mode: 3.2 gen-1x1 tech: HDD rpm: 7200
    serial: <filter>
Partition:
  ID-1: / raw-size: 1.82 TiB size: 1.82 TiB (100.00%) used: 219.14 GiB (11.8%)
    fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:7
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 588 KiB (0.2%) fs: vfat dev: /dev/nvme1n1p1 maj-min: 259:6
  ID-3: /home raw-size: 1.82 TiB size: 1.82 TiB (100.00%)
    used: 219.14 GiB (11.8%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:7
  ID-4: /var/log raw-size: 1.82 TiB size: 1.82 TiB (100.00%)
    used: 219.14 GiB (11.8%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:7
  ID-5: /var/tmp raw-size: 1.82 TiB size: 1.82 TiB (100.00%)
    used: 219.14 GiB (11.8%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:7
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
  ID-1: swap-1 type: zram size: 31.21 GiB used: 0 KiB (0.0%) priority: 100
    comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 16 dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 63.0 C mobo: 62.0 C
  Fan Speeds (rpm): cpu: 3813 mobo: 1167
  Power: 12v: N/A 5v: N/A 3.3v: 3.38 vbat: 3.17
Info:
  Processes: 437 Uptime: 1h 19m wakeups: 0 Memory: total: 32 GiB
  available: 31.21 GiB used: 8.94 GiB (28.7%) Init: systemd v: 255
  default: graphical tool: systemctl Compilers: gcc: 13.2.1 Packages: 1677
  pm: pacman pkgs: 1663 libs: 451 tools: paru,yay pm: flatpak pkgs: 14
  Shell: fish v: 3.7.0 running-in: tmux: inxi: 3.3.31
Garuda (2.6.22-1):
  System install date:     2023-11-11
  Last full system update: 2024-01-27
  Is partially upgraded:   No
  Relevant software:       snapper NetworkManager dracut
  Windows dual boot:       Probably (Run as root to verify)
  Failed units:

I think PAM does act kind of funny with Swaylock for some reason. I remember when I was trying to get Swaylock to take a fingerprint it was very inconsistent. For fingerprints, there is a fork (swaylock-fprintd) which solves this annoying behavior somehow, but I see no such fork for a Yubikey unfortunately.

Still, maybe this thread would be worth reading through:

A fingerprint is different than a Yubikey of course, but the underlying issue seems very similar. See this comment, for example:

Have to scan fingerprint after entering password · Issue #61 · swaywm/swaylock · GitHub

Whilst I can unlock with my fingerprint reader, I am unclear as to what the actual method is! For instance, sometimes it’ll happen instantly other times after 10 seconds. Sometimes it helps by pressing Enter once and other times twice.

I have:

auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so

and no .config/swaylock/config (hence I assume there is no ignore-empty-password set).

Perhaps you could try some of the workarounds described in that topic, like this one, except adapt for your Yubikey setup instead of using pam_fprintd.so.

2 Likes

Thank you for your help and links!

Right now trying and testing different ways…
… no success yet…

will revert with progress.

So, I’ve just settled on the following solution: editing the /etc/pam.d/swaylock file as follows:

auth            required        pam_u2f.so
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

I couldn’t say that it totally eliminated the problem, but at least it increased Yubikey response after screen unlocking (subjectively).
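
An added example (not from the thread's posters or from the swaylock project) that models how the control flags in the two `auth` stacks quoted above decide whether one factor or both are needed to unlock. It uses a simplified reading of Linux-PAM's `required`/`requisite`/`sufficient`/`optional` flags, does not handle bracketed controls or nested includes, and assumes a one-line stand-in for `system-login`, whose real content the thread does not show.

```python
import itertools

FPRINT_STACK = """\
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so
"""
U2F_STACK = """\
auth            required        pam_u2f.so
auth            include         system-login
"""
# Assumption: one-line stand-in for system-login; the real Arch/Garuda
# file is longer and is not shown in the thread.
INCLUDES = {"system-login": "auth required pam_unix.so\n"}

def parse_auth(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results, includes=None):
    """True if the stack authenticates, given results {module: bool}."""
    flat = []
    for control, module in stack:            # expand one level of 'include'
        if control == "include":
            flat += parse_auth((includes or {})[module])
        else:
            flat.append((control, module))
    failed = succeeded = False
    for control, module in flat:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                      # fail immediately
        if control == "required" and not ok:
            failed = True                     # fail, but keep running modules
        if control == "sufficient" and ok and not failed:
            return True                       # stop here with success
        succeeded = succeeded or ok
    return succeeded and not failed

def unlock_table(text, modules):
    """Map every pass/fail combination of `modules` to the stack's verdict."""
    stack = parse_auth(text)
    return {bits: evaluate(stack, dict(zip(modules, bits)), INCLUDES)
            for bits in itertools.product([True, False], repeat=len(modules))}

if __name__ == "__main__":
    print(unlock_table(FPRINT_STACK, ["pam_unix.so", "pam_fprintd.so"]))
    print(unlock_table(U2F_STACK, ["pam_u2f.so", "pam_unix.so"]))
```

With two `sufficient` lines either factor alone unlocks the screen, while `required pam_u2f.so` ahead of the included stack only unlocks when both the key and the password check succeed.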
