MorgothSauron Tux's lil' helper
Joined: 24 Sep 2020 Posts: 76
|
Posted: Thu Sep 24, 2020 5:28 pm Post subject: [solved] Cannot use Yubikey (U2F) in Firefox |
|
|
Hello,
I installed Gentoo for the first time a few days ago. Everything is working fine except the Yubikey in Firefox (68.12.0) when I log in to my Nextcloud instance (U2F enabled).
Firefox does show the dialog to inform me about the authentication request. However, I can't log in. When I press on the yubikey it just outputs characters to the search box. Same thing if I try to log in to my Google account.
In Firefox I have security.webauth.u2f enabled.
The device is visible in lsusb:
Code: | $ lsusb | grep U2F
Bus 001 Device 005: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
$ |
The permissions are the following (my user is member of the usb group):
Code: | $ /bin/ls -al /dev/bus/usb/001/005
crw-rw---- 1 root usb 189, 4 Sep 24 19:01 /dev/bus/usb/001/005
$ |
I tried with the latest binary from Mozilla and it doesn't work either.
I also tried to install sys-auth/pam_u2f, with no luck.
Any suggestions?
Thank you
Last edited by MorgothSauron on Fri Sep 25, 2020 8:34 pm; edited 1 time in total |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Thu Sep 24, 2020 8:27 pm Post subject: |
|
|
Hi
Welcome to Gentoo Forums.
Why don't you try it once with "google-chrome"?
It is a binary, therefore you will have it emerged very quickly.
Maybe it is a Firefox specific issue.
MorgothSauron Tux's lil' helper
Joined: 24 Sep 2020 Posts: 76
|
Posted: Fri Sep 25, 2020 5:01 pm Post subject: |
|
|
I tried with google-chrome and it doesn't work either. I enter my user and password as usual. I then have the page asking for U2F, but pressing on the key does nothing.
I also had a look at dmesg when I connect the key, but nothing suspicious there:
Code: | [Sep25 18:56] usb 1-6: new full-speed USB device number 7 using xhci_hcd
[ +0.141400] usb 1-6: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.26
[ +0.000006] usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ +0.000004] usb 1-6: Product: YubiKey OTP+FIDO+CCID
[ +0.000003] usb 1-6: Manufacturer: Yubico
[ +0.003360] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-6/1-6:1.0/0003:1050:0407.000F/input/input43
[ +0.055876] hid-generic 0003:1050:0407.000F: input,hidraw6: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-6/input0
[ +0.001137] hid-generic 0003:1050:0407.0010: hiddev98,hidraw7: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-6/input1 |
Code: | $ pwd
/sys/devices/pci0000:00/0000:00:14.0/usb1/1-6/1-6:1.0/0003:1050:0407.000F/input/input43
$ cat name
Yubico YubiKey OTP+FIDO+CCID
$ |
Code: | $ lsusb | grep U2F
Bus 001 Device 007: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
$ pwd
/dev/bus/usb/001
$ ls -al 007
crw-rw---- 1 root usb 189, 6 Sep 25 18:56 007
$ |
This is something that used to work last week, but with Arch. This is why I think I'm missing something.
Edit: Besides sys-auth/pam_u2f that I already installed, emerge search doesn't find a lot of packages: app-crypt/libu2f-host and app-crypt/libu2f-server. Maybe installing one of those will help.
Last edited by MorgothSauron on Fri Sep 25, 2020 5:20 pm; edited 1 time in total |
Dr.Willy Guru
Joined: 15 Jul 2007 Posts: 547 Location: NRW, Germany
|
Posted: Fri Sep 25, 2020 5:17 pm Post subject: |
|
|
Are you using udev or eudev? Something I ran into when I set up my keys was that udev has some special-case handling for FIDO devices, which - at that time - eudev didn't have.
MorgothSauron Tux's lil' helper
Joined: 24 Sep 2020 Posts: 76
|
Posted: Fri Sep 25, 2020 5:24 pm Post subject: |
|
|
Normally I'm using eudev.
Code: | $ equery list "*dev*"
* Searching for *dev* ...
[IP-] [ ] acct-group/plugdev-0:0
[IP-] [ ] dev-libs/libevdev-1.9.1:0
[IP-] [ ] dev-libs/libgudev-233-r1:0/0
[IP-] [ ] dev-python/sphinxcontrib-devhelp-1.0.2:0
[IP-] [ ] kde-plasma/powerdevil-5.18.5:5
[IP-] [ ] sys-fs/eudev-3.2.9:0
[IP-] [ ] sys-fs/udev-init-scripts-33:0
[IP-] [ ] sys-libs/libblockdev-2.24:0
[IP-] [ ] sys-libs/mtdev-1.1.6:0
[IP-] [ ] virtual/dev-manager-0-r2:0
[IP-] [ ] virtual/libudev-232-r3:0/1
[IP-] [ ] virtual/udev-217:0 |
I used emerge to search for u2f and it finds only 2 packages: app-crypt/libu2f-host and app-crypt/libu2f-server. Maybe I need to install one of them, or both. |
MorgothSauron Tux's lil' helper
Joined: 24 Sep 2020 Posts: 76
|
Posted: Fri Sep 25, 2020 8:33 pm Post subject: |
|
|
I was able to make it work with both Firefox and Google Chrome.
Here are the steps I performed:
1) Install app-crypt/libu2f-host
2) Create a new udev rule /etc/udev/rules.d/70-u2f.rules.
The latest rule can be found at the following URL: https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
Code: | # Copyright (C) 2013-2015 Yubico AB
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0121|0200|0402|0403|0406|0407|0410", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Happlink (formerly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Neowave Keydo and Keydo AES
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Feitian ePass FIDO, BioPass FIDO2
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d|0866|0867", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# JaCarta U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101|0501", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# U2F Zero
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# VASCO SecureClick
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Bluink Key
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2abe", ATTRS{idProduct}=="1002", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Thetis Key
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Nitrokey FIDO U2F, Nitrokey FIDO2, Safetech SafeKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287|42b1|42b3", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Google Titan U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Tomu board + chopstx U2F + SoloKeys
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# SoloKeys
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Trezor
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Infineon FIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="058b", ATTRS{idProduct}=="022d", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Ledger Nano S and Nano X
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|0004", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Kensington VeriMark
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="06cb", ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Longmai mFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="4c4d", ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# eWBM FIDO2 - Goldengate 310, 320, 500, 450
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a|4c2a|5c2f|f47c", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# OnlyKey (FIDO2 / U2F)
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# GoTrust Idem Key
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="f143", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# ellipticSecure MIRKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ac", TAG+="uaccess", GROUP="plugdev", MODE="0660"
LABEL="u2f_end" |
3) Add my user to the plugdev group
4) Reboot.
5) Verify |
ennui n00b
Joined: 24 Apr 2003 Posts: 19 Location: Copenhagen, Denmark
|
Posted: Wed Oct 27, 2021 12:54 pm Post subject: |
|
|
MorgothSauron wrote: | I was able to make it work with both Firefox and Google Chrome.
Here are the steps I performed: |
Just wanted to post an update that I got my YubiKey 5 Nano working in Firefox with the above steps, though using dev-libs/libfido2, udev rules from https://github.com/Yubico/libfido2/blob/master/udev/70-u2f.rules, and enabling CONFIG_HIDRAW.
Sorry to bump an old thread. |
wwdev16 n00b
Joined: 29 Aug 2018 Posts: 52
|
Posted: Tue Sep 05, 2023 7:29 am Post subject: |
|
|
Just a note for future forum searchers. As of 2023-09 dev-libs/libfido2-1.13.0 installs Code: | /lib/udev/rules.d/70-libfido2-u2f.rules |
These udev rules actually set the permissions on the created /dev/hidraw devices so that the plugdev group can access them. This is required for firefox-116.0.3 to use the security key (probably all versions of firefox in portage). Without these rules only root can access the devices.
The package dev-libs/libfido2 installs the above mentioned udev rules and the group plugdev. There are many types of keys defined including YubiKey 5 models. Remember to also ensure the user allowed to access the key is in the plugdev group.
For my system, equery d libfido2 returns: Code: | net-misc/openssh[security-key]
sys-auth/pam_u2f |
Note that as of 2023-09 these packages do not depend on libfido2: Code: | app-crypt/yubikey-manager
app-crypt/yubikey-manager-qt
sys-auth/libyubikey
sys-auth/yubico-piv-tool
sys-auth/yubikey-personalization-gui
sys-auth/ykpers
dev-python/fido2 |
So it will generally be required to explicitly install dev-libs/libfido2. |
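
One way to carry out the "Verify" step of the solution above and to check the /dev/hidraw permissions described in this last post, as an added example that is not part of the thread: it finds the hidraw nodes whose HID report descriptor declares the FIDO usage page (0xF1D0) and prints their IDs, owner, group, mode and whether the current user can open them. It assumes GNU stat and the usual sysfs layout under /sys/class/hidraw; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the hidraw nodes that carry the
# FIDO interface and shows who may open them. Directory arguments default to
# the live system; pass other roots to run against a constructed tree.

# True if a binary HID report descriptor contains "Usage Page (0xF1D0)",
# encoded as bytes 06 d0 f1. Heuristic byte search, not a full parse.
has_fido_usage() {
    od -An -v -tx1 "$1" | tr -s ' \n' '  ' | grep -q ' 06 d0 f1 '
}

# fido_nodes [CLASS_DIR]: print hidrawN names whose descriptor is FIDO.
# A YubiKey in OTP+FIDO mode also has a keyboard hidraw node; it is skipped.
fido_nodes() {
    class_dir=${1:-/sys/class/hidraw}
    for d in "$class_dir"/hidraw*; do
        [ -r "$d/device/report_descriptor" ] || continue
        if has_fido_usage "$d/device/report_descriptor"; then
            basename "$d"
        fi
    done
}

# hid_ids UEVENT: HID_ID=0003:00001050:00000407 -> 1050:0407
hid_ids() {
    sed -n 's/^HID_ID=[0-9A-Fa-f]*:0000\([0-9A-Fa-f]\{4\}\):0000\([0-9A-Fa-f]\{4\}\)$/\1:\2/p' "$1" 2>/dev/null |
        tr 'A-F' 'a-f'
}

# node_report NAME [CLASS_DIR] [DEV_DIR]:
# prints "name vendor:product owner:group mode rw|DENIED"
node_report() {
    name=$1; class_dir=${2:-/sys/class/hidraw}; dev_dir=${3:-/dev}
    ids=$(hid_ids "$class_dir/$name/device/uevent")
    perms=$(stat -c '%U:%G %a' "$dev_dir/$name" 2>/dev/null || echo 'missing -')
    # Effective access of the current user, which can differ from the mode bits.
    if [ -r "$dev_dir/$name" ] && [ -w "$dev_dir/$name" ]; then
        access=rw
    else
        access=DENIED
    fi
    echo "$name ${ids:-unknown} $perms $access"
}

# Live run: one line per FIDO node on this machine (nothing if none found).
for n in $(fido_nodes); do
    node_report "$n"
done
```

Run it as the user who starts the browser; a FIDO node reported as DENIED is the situation the udev rules and the plugdev group membership are there to fix.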