The_miro
/
Dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(installer): run pamu2fcfg outside arch-chroot to fix FIDO2 user enrollment 

Inside the chroot the host's udev manages /dev/hidraw* with permissions
scoped to live-system groups; the new user has none of them, so pamu2fcfg
timed out with "No FIDO authenticator found". Move enrollment to after
CHROOT_EOF where it runs as root on the live system, then fix ownership
using the new system's UID/GID.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
main
Amir Alexander Abdelbaki 2026-05-21 20:29:30 +02:00
parent aae5042258
commit cfe102b26f
1 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
setup/archbaseos-guided-install.sh
View File

@ -379,17 +379,29 @@ sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$GRUB_CMDLINE\"|" /etc/def
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg grub-mkconfig -o /boot/grub/grub.cfg
# User login FIDO2 # User login FIDO2 — directory + PAM only; key enrollment happens outside chroot
if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then
echo "Enrolling FIDO2 for user login"
mkdir -p "/home/$USERNAME/.config/Yubico" mkdir -p "/home/$USERNAME/.config/Yubico"
chown "$USERNAME:$USERNAME" "/home/$USERNAME/.config/Yubico" chown "$USERNAME:$USERNAME" "/home/$USERNAME/.config/Yubico"
sudo -u "$USERNAME" bash -c "pamu2fcfg >> /home/$USERNAME/.config/Yubico/u2f_keys"
echo "auth required pam_u2f.so" >> /etc/pam.d/system-auth echo "auth required pam_u2f.so" >> /etc/pam.d/system-auth
fi fi
CHROOT_EOF CHROOT_EOF
# pamu2fcfg must run outside arch-chroot: inside the chroot the host's udev manages
# /dev/hidraw* permissions and the new user has no access to the device.
if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then
echo "Enrolling FIDO2 key for user login (outside chroot)..."
U2F_KEYFILE="/mnt/home/${USERNAME}/.config/Yubico/u2f_keys"
mkdir -p "/mnt/home/${USERNAME}/.config/Yubico"
pamu2fcfg -u "$USERNAME" > "$U2F_KEYFILE"
_NEWUID=$(arch-chroot /mnt id -u "$USERNAME" 2>/dev/null || echo "1000")
_NEWGID=$(arch-chroot /mnt id -g "$USERNAME" 2>/dev/null || echo "1000")
chown -R "$_NEWUID:$_NEWGID" "/mnt/home/${USERNAME}/.config/Yubico"
chmod 600 "$U2F_KEYFILE"
echo "FIDO2 key enrolled for $USERNAME."
fi
############################################ ############################################
# DOTFILES SETUP (in-chroot, optional) # DOTFILES SETUP (in-chroot, optional)
############################################ ############################################