[snap] U2F doesn't work with yubikey

Bug #1738164 reported by Olivier Tilloy on 2017-12-14
This bug affects 8 people
Affects                    Importance  Assigned to
chromium-browser (Ubuntu)  High        Olivier Tilloy
gnome-software (Ubuntu)    Medium      Robert Ancell
  Xenial                   Medium      Robert Ancell
  Bionic                   Medium      Robert Ancell
  Cosmic                   Medium      Robert Ancell

Bug Description

(initially reported by Daniel at https://forum.snapcraft.io/t/call-for-testing-chromium-62-0-3202-62/2569/50)

  « U2F (Universal 2nd Factor) isn’t working when signing into my gmail account trying to use my yubikey. This is a USB device which IIRC chromium needs bidirectional communication with. »

This requires investigation, but the yubikey I have is too old and doesn't support U2F.

Chris Cowling (tatramaco) wrote :

It appears that apparmor is blocking u2f requests:

[ 5955.568022] audit: type=1400 audit(1526465659.599:92): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.0/0003:045E:07B2.0001/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.568379] audit: type=1400 audit(1526465659.599:93): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:045E:07B2.0002/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.568667] audit: type=1400 audit(1526465659.599:94): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.2/0003:045E:07B2.0003/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.569840] audit: type=1400 audit(1526465659.599:95): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1050:0407.002D/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.570337] audit: type=1400 audit(1526465659.603:96): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:1050:0407.002E/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Olivier Tilloy (osomon) wrote :

It looks like the raw-usb interface might help here. I'll rebuild the snap with it and will post instructions on how to test.

Olivier Tilloy (osomon) wrote :

@Chris: can you try the following, and report whether this addresses the issue:

    snap refresh chromium --channel=candidate/raw-usb-test
    snap connect chromium:raw-usb

Thanks!

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Chris Cowling (tatramaco) wrote :

It no longer throws an apparmor denied message, but it doesn't work...

Both gmail and github throw a 'Something went wrong' error.

Olivier Tilloy (osomon) wrote :

Do you get more useful debug information if you run the snap with the "--enable-logging=stderr" parameter?

karl (karl-hiramoto) wrote :

With chromium --enable-logging=stderr, you just see in the log that chromium cannot find the device; it says:

[14261:14261:0718/202809.157292:INFO:CONSOLE(173)] "0718 20:28:09.156000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)
[14261:14261:0718/202809.358137:INFO:CONSOLE(172)] "0718 20:28:09.358000: Enumerated 0 gnubbies", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (172)
[14261:14261:0718/202809.358350:INFO:CONSOLE(173)] "0718 20:28:09.358000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)
[14261:14261:0718/202809.358616:INFO:CONSOLE(172)] "0718 20:28:09.359000: Enumerated 0 gnubbies", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (172)
[14261:14261:0718/202809.358858:INFO:CONSOLE(173)] "0718 20:28:09.359000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)

karl (karl-hiramoto) wrote :

The proprietary Google Chrome does find the yubikey / gnubbie.

Sami Ben Hatit (sambh) wrote :

I can confirm the bug is still present, tested with 67.0.3396.99 (367) and 68.0.3440.75 (383). I couldn't test with raw-usb as it seems this channel doesn't exist anymore.

Anything I could do to help testing or debugging this?

Olivier Tilloy (osomon) wrote :

@Sami: I have re-opened the candidate/raw-usb-test channel and updated it to the latest stable release. Please test with the instructions in comment #3, run chromium with --enable-logging=stderr, and in another terminal window please run "journalctl -f" and share any relevant denials. Thanks!


I have the same issue; my Yubikey is the Yubikey NEO 4 model, and it does support U2F. After installing Ubuntu 18.04.01 I followed Yubico's instructions: https://support.yubico.com/support/solutions/articles/15000006449-using-your-u2f-yubikey-with-linux

which means I have a udev rule for the device, but dmesg was still mapping to snap.chromium. At this point U2F seemed to wait for input until timeout, whereas the key's LED would flash indefinitely as if it were in the process of system recognition (as seen from dmesg, it seems chromium is continuously attempting to read the device, but there are permission restrictions).

dmesg:
[18519.805380] usb 1-9: new full-speed USB device number 9 using xhci_hcd
[18519.954776] usb 1-9: New USB device found, idVendor=1050, idProduct=0116
[18519.954782] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[18519.954785] usb 1-9: Product: Yubikey NEO OTP+U2F+CCID
[18519.954789] usb 1-9: Manufacturer: Yubico
[18519.956412] input: Yubico Yubikey NEO OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.0/0003:1050:0116.0006/input/input20
[18520.014104] hid-generic 0003:1050:0116.0006: input,hidraw1: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-9/input0
[18520.015266] hid-generic 0003:1050:0116.0007: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-9/input1
[18551.143579] audit: type=1107 audit(1534439526.751:164): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25155 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
[18553.624016] audit: type=1400 audit(1534439529.231:165): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.638835] audit: type=1400 audit(1534439529.247:166): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639389] audit: type=1400 audit(1534439529.247:167): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:1" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639450] audit: type=1400 audit(1534439529.247:168): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:2" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639491] audit: type=1400 audit(1534439529.247:169): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18863.195707] audit: type=1400 audit(1534439838.807:170): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/ru...


Sorry, forgot:

journalctl -f:
-- Logs begin at Sun 2018-08-12 21:54:04 CEST. --
ago 16 19:20:29 Alex thunderbird.desktop[25941]: [Parent 26418, Gecko_IOThread] WARNING: pipe error (113): Conexión reinicializada por la máquina remota: file /build/firefox-oscv9o/firefox-61.0.1+build1/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
ago 16 19:37:40 Alex dbus-daemon[18014]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/secrets" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.secrets" pid=27271 label="snap.chromium.chromium" peer_pid=18002 peer_label="unconfined"
ago 16 19:37:40 Alex audit[989]: USER_AVC pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                                  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
ago 16 19:37:40 Alex kernel: audit: type=1107 audit(1534441060.543:176): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                              exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.899:177): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.927:178): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.927:179): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:38:12 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask=...


Olivier Tilloy (osomon) wrote :

Thanks for the feedback, Alejandro. So it looks like the raw-usb interface doesn't help indeed; what chromium needs read access to in order to access your key is the following:

    /run/udev/data/c238:0
    /run/udev/data/c239:0
    /run/udev/data/c240:0
    /run/udev/data/c240:1
    /run/udev/data/c240:2

And there don't seem to be any existing interfaces for those.

To switch back to the stable channel, you can just do:

    sudo snap refresh chromium --stable

Charl le Roux (charl-leroux) wrote :

I am experiencing the same thing with both firefox and chromium snap packages. Google Chrome install works perfectly. Really annoying to have to revert to .deb if there is a snap package available.

Olivier Tilloy (osomon) on 2018-09-19
Changed in chromium-browser (Ubuntu):
importance: Medium → High
Jamie Strandboge (jdstrand) wrote :

We can add this to browser-support:

    # for U2F yubikey
    /run/udev/data/c238:[0-9]* r,
    /run/udev/data/c239:[0-9]* r,
    /run/udev/data/c240:[0-9]* r,
    /run/udev/data/c240:[0-9]* r,
    /run/udev/data/c240:[0-9]* r,

Can someone experiencing this issue adjust /var/lib/snapd/apparmor/profiles/snap.chromium.chromium to have the above, and then run:

    sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.chromium.chromium

and report back if the issue is resolved? If not, please paste any other apparmor denials.

Jamie Strandboge (jdstrand) wrote :

The actual rules would be:

    # for U2F yubikey
    /run/udev/data/c238:[0-9]* r,
    /run/udev/data/c239:[0-9]* r,
    /run/udev/data/c240:[0-9]* r,

but using the redundant rules from the previous comment is fine too.

Olivier Tilloy (osomon) on 2018-09-19
Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
Kyle Fazzari (kyrofa) wrote :

jdstrand, I've added those rules, and the denials go away, but I'm afraid it still doesn't work. There don't seem to be any denials, but it's like chrome just doesn't see it.

Olivier Tilloy (osomon) wrote :

I'm testing with a brand new Yubikey 4, and after adding the rules in comment #16, I was seeing more denials which prompted me to add the following two rules:

    /run/udev/data/c14:[0-9]* r,
    /sys/devices/pci**/usb*/**/report_descriptor r,

With those the denials went away, but U2F registration still fails. I'm using https://demo.yubico.com/u2f?tab=register to test, and seeing the following error:

    Registration failed!
    Make sure you have a U2F device connected, and try again.

    Traceback (most recent call last):
      File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
        raise Exception("FIDO Client error: %s" % error)
    Exception: FIDO Client error: 1 (OTHER ERROR)
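
The denial lines pasted by Chris and Alejandro above all share one audit format, and the rules Jamie and Olivier proposed are the hand-derived generalization of the paths in them. The following Python is an added example (not code from this bug, from snapd or from Chromium) that parses such lines from dmesg or journalctl output, keeps the file-open denials for one profile, and folds them into deduplicated AppArmor rules using the same two generalizations the comments use: globbing the minor number in /run/udev/data/c<major>:<minor>, and globbing the bus-specific components of the sysfs report_descriptor path. The sample log is constructed from the kinds of lines in this thread; the two generalization heuristics are this example's choice, not snapd's, and anything they do not recognize is kept as a literal path for a human to review.

```python
"""Turn AppArmor "DENIED" audit lines into candidate profile rules.

Added example. Handles the two line shapes seen in this bug: the kernel/dmesg
form ("audit: type=1400 audit(...): apparmor=...") and the journalctl form
("audit[pid]: AVC apparmor=..." and "USER_AVC ... msg='apparmor=...'").
"""
import re
from collections import defaultdict

# Constructed sample built from the kinds of lines pasted in this bug.
SAMPLE_LOG = """\
[ 5955.568022] audit: type=1400 audit(1526465659.599:92): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.0/0003:045E:07B2.0001/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.624016] audit: type=1400 audit(1534439529.231:165): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:1" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:2" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:40 Alex audit[989]: USER_AVC pid=989 uid=103 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UDEV_DATA_RE = re.compile(r"^/run/udev/data/c(\d+):\d+$")
REPORT_DESC_RE = re.compile(r"^/sys/devices/pci[^/]*/.*/usb\d+/.*/report_descriptor$")


def parse_denials(text):
    """Return one {field: value} dict per line carrying apparmor="DENIED"."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        # auditd wraps the AppArmor fields in msg='...'; drop the wrapper so the
        # first field is not swallowed as a bare token.
        line = line.replace("msg='", "").rstrip("'")
        fields = {}
        for key, quoted, bare in KV_RE.findall(line):
            fields[key] = quoted if quoted else bare
        records.append(fields)
    return records


def generalize(path):
    """Map one denied path to the glob the comments above use for its siblings.

    /run/udev/data/c<major>:<minor> is udev's per-device record; the minor differs
    per device node, so it is globbed. report_descriptor sits under a bus-specific
    sysfs path, so the PCI and USB components are globbed. Anything else is kept
    literal. These generalizations are this example's choice, not snapd's.
    """
    m = UDEV_DATA_RE.match(path)
    if m:
        return f"/run/udev/data/c{m.group(1)}:[0-9]*"
    if REPORT_DESC_RE.match(path):
        return "/sys/devices/pci**/usb*/**/report_descriptor"
    return path


def propose_rules(records, profile):
    """Fold the file-open denials of one profile into deduplicated AppArmor rules.

    D-Bus denials (operation="dbus_method_call") are skipped: they need dbus
    rules or a different snap interface, not file rules.
    """
    masks = defaultdict(set)
    for rec in records:
        if rec.get("operation") != "open" or rec.get("profile") != profile:
            continue
        masks[generalize(rec["name"])].update(rec.get("denied_mask", ""))
    return [f"{path} {''.join(sorted(mask))}," for path, mask in sorted(masks.items())]


if __name__ == "__main__":
    for rule in propose_rules(parse_denials(SAMPLE_LOG), "snap.chromium.chromium"):
        print(rule)
```

Run against the sample, the three rules that come out are the c238 and c240 udev-data rules and one report_descriptor rule; the duplicate c240 rules from the first proposal collapse because rules are keyed by their generalized path, and the org.bluez D-Bus denial is left alone.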

Olivier Tilloy (osomon) wrote :

Could the hidraw interface (https://github.com/snapcore/snapd/blob/master/interfaces/builtin/hidraw.go) be of any help here?

Daniel Aleksandersen (da2x) wrote :

This isn’t mentioned in the bug, so I thought I’d just document it here:

* U2F must be enabled in about:config (security.webauth.u2f;true) before it will work in Firefox.

Olivier Tilloy (osomon) wrote :

Jamie added a u2f-devices interface to snapd, and I successfully tested it with chromium and a YubiKey 4 (using https://demo.yubico.com/webauthn/registration).

Changed in chromium-browser (Ubuntu):
status: Confirmed → In Progress
Olivier Tilloy (osomon) wrote :

I've published revision 579 to the candidate channel with the u2f-devices plug.
To test this you will need to do the following:

    snap refresh core --edge
    snap refresh chromium --candidate
    snap connect chromium:u2f-devices

Then restart chromium and verify that your U2F device is seen and works.

To everyone affected, please test and let me know if that works for you (details about your U2F device would be interesting).
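
As an added check for the test procedure above (not part of the bug, of snapd or of the chromium snap), the following Python reads the output of `snap connections chromium` and reports whether the narrow u2f-devices plug is connected, whether any broader device-access plug (raw-usb and hidraw, the two interfaces considered earlier in this thread) is connected as well, and the `snap connect` command to run when the plug is missing. The column layout of `snap connections` (Interface, Plug, Slot, Notes, with `-` in Slot for an unconnected plug) is an assumption about the tool's output, the classification of raw-usb and hidraw as broader than u2f-devices is this example's, and the sample output is constructed.

```python
"""Verify that the chromium snap has the u2f-devices plug connected.

Added example; assumes `snap connections <snap>` prints whitespace-separated
Interface / Plug / Slot / Notes columns, with "-" in Slot for an unconnected plug.
"""
import subprocess

# Interfaces that grant wider device access than u2f-devices (this example's
# classification: raw-usb reaches every USB device, hidraw every HID raw node).
BROAD_DEVICE_PLUGS = {"raw-usb", "hidraw"}

# Constructed sample of `snap connections chromium` output.
SAMPLE_CONNECTIONS = """\
Interface        Plug                      Slot              Notes
browser-support  chromium:browser-support  :browser-support  -
raw-usb          chromium:raw-usb          -                 -
u2f-devices      chromium:u2f-devices      :u2f-devices      manual
"""


def parse_connections(text):
    """Return {plug_name: slot} per row; slot is None when the plug is unconnected."""
    plugs = {}
    rows = text.strip().splitlines()
    for line in rows[1:]:  # first row is the header
        cols = line.split()
        if len(cols) < 3:
            continue  # malformed or blank row
        _interface, plug, slot = cols[0], cols[1], cols[2]
        # Plug is written "<snap>:<plug>"; keep only the plug name.
        plug_name = plug.split(":", 1)[-1]
        plugs[plug_name] = None if slot == "-" else slot
    return plugs


def u2f_status(text, snap="chromium", plug="u2f-devices"):
    """Summarize the least-privilege picture for U2F access.

    Returns a dict with:
      u2f_connected     - True if the narrow plug has a slot
      broader_connected - sorted connected plugs from BROAD_DEVICE_PLUGS
      fix               - the snap command to run when the plug is not connected, else None
    """
    plugs = parse_connections(text)
    connected = plugs.get(plug) is not None
    broader = sorted(p for p in BROAD_DEVICE_PLUGS if plugs.get(p) is not None)
    return {
        "u2f_connected": connected,
        "broader_connected": broader,
        "fix": None if connected else f"snap connect {snap}:{plug}",
    }


def live_status(snap="chromium"):
    """Run `snap connections` on this machine; returns None if snapd is unavailable."""
    try:
        out = subprocess.run(["snap", "connections", snap], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return u2f_status(out, snap=snap)


if __name__ == "__main__":
    print(u2f_status(SAMPLE_CONNECTIONS))
    print(live_status())
```

The point of listing the broader plugs is the trade-off raised later in this thread about auto-connection: once u2f-devices is connected and working, a still-connected raw-usb plug from the earlier test channel is privilege the browser no longer needs.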

Jeremy Bicha (jbicha) wrote :

I used your instructions to successfully authenticate with https://salsa.debian.org/ using the Chromium snap. Thanks! I believe my device is also a Yubikey 4.

Jeremy Bicha (jbicha) wrote :

This works now with core and chromium on the stable branches.

Olivier, I don't see u2f in GNOME Software's Permissions dialog for Chromium.

Also, are you intending to ask Security if u2f can be auto-connected for Chromium?

Olivier Tilloy (osomon) wrote :

I'm not sure whether u2f being auto-connected is acceptable from a security standpoint; I'll ask Jamie and, if it is, I'll request the auto-connection.

Changed in chromium-browser (Ubuntu Xenial):
status: New → Invalid
Changed in chromium-browser (Ubuntu Bionic):
status: New → Invalid
Changed in chromium-browser (Ubuntu Cosmic):
status: New → Invalid
Changed in gnome-software (Ubuntu Xenial):
status: New → Confirmed
Changed in gnome-software (Ubuntu Bionic):
status: New → Confirmed
Changed in gnome-software (Ubuntu Cosmic):
status: New → Confirmed
Changed in gnome-software (Ubuntu Xenial):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Bionic):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Xenial):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Bionic):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Cosmic):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
status: New → Confirmed
importance: Undecided → Medium
Ken VanDine (ken-vandine) wrote :

@robert-ancell, I added this interface to the ubuntu-master, ubuntu-3-30, and ubuntu-3-28 branches as well as snap-store. Can you please include this in your next round of SRUs for cosmic, bionic and xenial? I wasn't sure which branch to use for xenial.

Changed in gnome-software (Ubuntu Bionic):
status: Confirmed → Fix Committed
Changed in gnome-software (Ubuntu):
status: Confirmed → Fix Committed
Olivier Tilloy (osomon) on 2019-03-07
Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
no longer affects: chromium-browser (Ubuntu Xenial)
no longer affects: chromium-browser (Ubuntu Bionic)
no longer affects: chromium-browser (Ubuntu Cosmic)