U2F FIDO authentication doesn't work

Bug #1741768 reported by Antoine Pitrou
This bug affects 2 people
Affects: firefox (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have a Yubico U2F security key. If I download the upstream Firefox binary for 57.0.4 and go to https://demo.yubico.com/u2f?tab=register, the test page works fine: I can register with a username/password, my key starts blinking and I can touch it to validate.

If I go to the same page using the official Ubuntu package of Firefox, the U2F device is not recognized and the page displays the following error:

"""
Registration failed!

Make sure you have a U2F device connected, and try again.

 Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 1 (OTHER ERROR)
"""

Note that in both cases, I did enable the required options in "about:config" (as outlined in e.g. https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/).

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: firefox 57.0.4+build1-0ubuntu0.16.04.1
ProcVersionSignature: Ubuntu 4.13.0-21.24~16.04.1-generic 4.13.13
Uname: Linux 4.13.0-21-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair nvidia_uvm nvidia_drm nvidia_modeset nvidia
AddonCompatCheckDisabled: False
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: antoine 3844 F.... pulseaudio
 /dev/snd/controlC1: antoine 3844 F.... pulseaudio
BuildID: 20180104112904
Channel: Unavailable
CurrentDesktop: XFCE
Date: Sun Jan 7 17:32:38 2018
DefaultProfileIncompatibleExtensions: Default - {972ce4c6-7e08-4474-a285-3208198ce6fd}
DefaultProfilePrefErrors: 'utf-8' codec can't decode byte 0xe9 in position 2410: invalid continuation byte
ForcedLayersAccel: False
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2013-04-12 (1730 days ago)
InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130409)
MostRecentCrashID: bp-eb109c63-e3b5-4c21-a920-d262b2150407
Profiles:
 Profile0 (Default) - LastVersion=57.0.4/20180104112904 (In use)
 Profile1 - LastVersion=57.0.4/20180104112904
 Profile2 - LastVersion=57.0.4/20180104112904
 Profile3 - LastVersion=57.0.3/20171227151400 (Out of date)
 Profile4 - LastVersion=57.0.4/20180104112904 (In use)
RfKill:

RunningIncompatibleAddons: True
SourcePackage: firefox
UpgradeStatus: Upgraded to xenial on 2015-07-27 (894 days ago)
modified.conffile..etc.apparmor.d.usr.bin.firefox: [modified]
mtime.conffile..etc.apparmor.d.usr.bin.firefox: 2018-01-06T20:07:26.977391

J.C. Jones (jc-moz) wrote :

Hi, I'm one of the Firefox developers working on our FIDO U2F device support.

Since this works with the Mozilla-built Firefox but not the Canonical one, I think it's an AppArmor (or similar) setting prohibiting firefox from reaching libudev or the udev device paths on disk.

Antoine Pitrou (pitrou) wrote :

Hi jc-moz,

I initially thought so, but switched AppArmor to complain mode (rather than enforce) and got the same results (also the Mozilla-built Chromium works fine). Current AppArmor status:

$ sudo apparmor_status
[...]
17 processes have profiles defined.
9 processes are in enforce mode.
   /sbin/dhclient (2869)
   /usr/sbin/cups-browsed (7130)
   /usr/sbin/cupsd (7125)
   /usr/sbin/dnsmasq (3073)
   /usr/sbin/dnsmasq (3074)
   /usr/sbin/dnsmasq (3089)
   /usr/sbin/dnsmasq (3393)
   /usr/sbin/libvirtd (2495)
   /usr/sbin/ntpd (4833)
8 processes are in complain mode.
   /usr/lib/firefox/firefox{,*[^s][^h]} (7492)
   /usr/lib/firefox/firefox{,*[^s][^h]} (7544)
   /usr/lib/firefox/firefox{,*[^s][^h]} (7702)
   /usr/lib/firefox/firefox{,*[^s][^h]} (19925)
   /usr/lib/firefox/firefox{,*[^s][^h]} (19963)
   /usr/sbin/avahi-daemon (2145)
   /usr/sbin/avahi-daemon (2199)
   /usr/sbin/nmbd (3616)

There may be something other than AppArmor going on, but I don't know what. Do you have any idea?

Antoine Pitrou (pitrou) wrote :

Still fails with 58.0+build6-0ubuntu0.16.04.1.

Antoine Pitrou (pitrou) wrote :

Still fails with 59.0.2+build1-0ubuntu0.16.04.1. Does anyone care about their users' security at Canonical?

Antoine Pitrou (pitrou) wrote :

Still fails on Ubuntu 18.04.1 with 61.0.1+build1-0ubuntu0.18.04.1, while it works under chromium-browser 68.0.3440.106-0ubuntu0.18.04.1.

tags: added: bionic
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Wouter van Bommel (woutervb) wrote :

Tested this today, via the GitHub site, and both authentication and the registration of a new key fail. Logging I can find related to this in /var/log/syslog is:

Jan 31 09:53:13 hyperion kernel: [605631.650563] audit: type=1400 audit(1580428393.744:1863): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/virtual/misc/uhid/0005:046D:B01D.0013/hidraw/hidraw6/uevent" pid=25081 comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

J.C. Jones (jc-moz) wrote :

That does imply AppArmor is the issue with that denial; `authenticator-rs` requires hidraw access to the relevant devices. https://github.com/amluto/u2f-hidraw-policy is the package used by other Linuxes; I don't know the equivalent for Debian.
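
One way to triage the denial quoted in the comments above, as an added example that is not part of the original bug thread: it parses AppArmor `DENIED` audit records, decodes the hex-encoded `comm` field, and keeps only denials that target hidraw nodes. The second sample line and all function names are constructed for illustration.

```python
import re

# Constructed sample: line 1 is the denial quoted in the report above,
# line 2 is a made-up, unrelated denial added for contrast.
SAMPLE_LOG = [
    'Jan 31 09:53:13 hyperion kernel: [605631.650563] audit: type=1400 '
    'audit(1580428393.744:1863): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/sys/devices/virtual/misc/uhid/0005:046D:B01D.0013/hidraw/hidraw6/uevent" '
    'pid=25081 comm=4950444C204261636B67726F756E64 requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
    'Jan 31 09:54:02 hyperion kernel: [605680.100000] audit: type=1400 '
    'audit(1580428442.000:1864): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=7125 '
    'comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# /dev/hidrawN itself, or its sysfs directory (e.g. .../hidraw/hidraw6/uevent)
HIDRAW_RE = re.compile(r'(^/dev/hidraw\d+$|/hidraw/hidraw\d+(/|$))')

def decode_comm(value):
    """audit writes comm unquoted and hex-encoded when it contains spaces."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, inner in FIELD_RE.findall(line):
        quoted = raw.startswith('"')
        value = inner if quoted else raw
        if key == 'comm' and not quoted:  # only unquoted comm is hex
            value = decode_comm(value)
        fields[key] = value
    return fields

def hidraw_denials(lines):
    """Denied accesses to hidraw nodes, the transport U2F keys are reached by."""
    records = (parse_denial(line) for line in lines)
    return [r for r in records if r and HIDRAW_RE.search(r.get('name', ''))]

if __name__ == '__main__':
    for rec in hidraw_denials(SAMPLE_LOG):
        print(rec['profile'], repr(rec['comm']), rec['name'], rec['denied_mask'])
```
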
