From cfe102b26fa532dd6dc3e0cdde0724e3aec73573 Mon Sep 17 00:00:00 2001
From: The_miro
Date: Thu, 21 May 2026 20:29:30 +0200
Subject: [PATCH] fix(installer): run pamu2fcfg outside arch-chroot to fix FIDO2 user enrollment

Inside the chroot the host's udev manages /dev/hidraw* with permissions scoped to live-system groups; the new user has none of them, so pamu2fcfg timed out with "No FIDO authenticator found". Move enrollment to after CHROOT_EOF where it runs as root on the live system, then fix ownership using the new system's UID/GID.

Co-Authored-By: Claude Sonnet 4.6
---
 setup/archbaseos-guided-install.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/setup/archbaseos-guided-install.sh b/setup/archbaseos-guided-install.sh
index 02ce53e..597b19b 100755
--- a/setup/archbaseos-guided-install.sh
+++ b/setup/archbaseos-guided-install.sh
@@ -379,17 +379,29 @@ sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$GRUB_CMDLINE\"|" /etc/def
 grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
 grub-mkconfig -o /boot/grub/grub.cfg
-# User login FIDO2
+# User login FIDO2 — directory + PAM only; key enrollment happens outside chroot
 if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then
-  echo "Enrolling FIDO2 for user login"
   mkdir -p "/home/$USERNAME/.config/Yubico"
   chown "$USERNAME:$USERNAME" "/home/$USERNAME/.config/Yubico"
-  sudo -u "$USERNAME" bash -c "pamu2fcfg >> /home/$USERNAME/.config/Yubico/u2f_keys"
   echo "auth required pam_u2f.so" >> /etc/pam.d/system-auth
 fi
 CHROOT_EOF
+# pamu2fcfg must run outside arch-chroot: inside the chroot the host's udev manages
+# /dev/hidraw* permissions and the new user has no access to the device.
+if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then
+  echo "Enrolling FIDO2 key for user login (outside chroot)..."
+  U2F_KEYFILE="/mnt/home/${USERNAME}/.config/Yubico/u2f_keys"
+  mkdir -p "/mnt/home/${USERNAME}/.config/Yubico"
+  pamu2fcfg -u "$USERNAME" > "$U2F_KEYFILE"
+  _NEWUID=$(arch-chroot /mnt id -u "$USERNAME" 2>/dev/null || echo "1000")
+  _NEWGID=$(arch-chroot /mnt id -g "$USERNAME" 2>/dev/null || echo "1000")
+  chown -R "$_NEWUID:$_NEWGID" "/mnt/home/${USERNAME}/.config/Yubico"
+  chmod 600 "$U2F_KEYFILE"
+  echo "FIDO2 key enrolled for $USERNAME."
+fi
+
 ############################################
 # DOTFILES SETUP (in-chroot, optional)
 ############################################
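Review bot: `pamu2fcfg -u "$USERNAME" > "$U2F_KEYFILE"` has no failure check while `auth required pam_u2f.so` has already been appended to the target's system-auth inside the chroot, so a timed-out or declined enrollment (the very failure this commit is fixing) leaves an empty u2f_keys and a first boot on which pam_u2f rejects the user for every system-auth consumer (login, sudo, su), with the installer reporting success unless the script runs under `set -e`, which is not visible in this hunk. The `|| echo "1000"` fallbacks compound this by hiding a missing target user and chowning the credential to whichever account ends up with UID 1000, and the file is created under root's umask before the `chmod 600`, so the key handle is briefly world-readable on /mnt — creating it 0600 with the right owner via `install` before writing closes both. Separately, pamu2fcfg and pam_u2f both default origin/appid to `pam://$HOSTNAME`, so a credential registered on the live ISO is bound to the live system's hostname rather than the installed one; pass `-o`/`-i` with the hostname the installer configures for the target (whichever variable holds it, which I cannot see here), or set matching `origin=`/`appid=` on the PAM line. Suggested rewrite of the enrollment body, which aborts and backs out the PAM change on failure rather than shipping a locked account:
```shell
if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then
  echo "Enrolling FIDO2 key for user login (outside chroot)..."
  U2F_DIR="/mnt/home/${USERNAME}/.config/Yubico"
  U2F_KEYFILE="$U2F_DIR/u2f_keys"
  mkdir -p "$U2F_DIR"
  # A user missing from the target is an install error, not a reason to guess UID 1000.
  _NEWUID=$(arch-chroot /mnt id -u "$USERNAME") || { echo "ERROR: $USERNAME does not exist in the target system" >&2; exit 1; }
  _NEWGID=$(arch-chroot /mnt id -g "$USERNAME") || exit 1
  # Create the key file 0600 and correctly owned before writing, so the credential is never world-readable.
  install -m 600 -o "$_NEWUID" -g "$_NEWGID" /dev/null "$U2F_KEYFILE"
  # TODO: add -o/-i "pam://<target hostname>" so origin/appid match what pam_u2f will use after install.
  if ! pamu2fcfg -u "$USERNAME" > "$U2F_KEYFILE" || [[ ! -s "$U2F_KEYFILE" ]]; then
    echo "ERROR: FIDO2 enrollment failed; removing pam_u2f from system-auth so $USERNAME is not locked out" >&2
    rm -f "$U2F_KEYFILE"
    sed -i '/^auth required pam_u2f.so$/d' /mnt/etc/pam.d/system-auth
    exit 1
  fi
  chown -R "$_NEWUID:$_NEWGID" "$U2F_DIR"
  # … unchanged: success message …
fi
```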