Chromium-Browser not recognizing yubikey u2f anymore?

Bug #1796746 reported by Hadmut Danisch on 2018-10-08
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Undecided
Unassigned

Bug Description

I'm just having a strange problem, seeing it on two different 18.04 machines. I had been using several u2f tokens, some are just plain u2f tokens (yubikey blue ones and other brands), and Yubikey Neo and Yubikey 4 as well with the chromium browser.

Then I haven't been using the Neo/4 keys for u2f for a while, just the plain ones (different brand), definitely not since 18.04.

Today I wanted to use them and chromium just doesn't recognize them anymore. They are not blinking. Tested with e.g. https://demo.yubico.com/u2f or Google account.

Observations:

- tokens are not damaged: All work with u2f-host

- All work when used with Chromium (maybe not the latest) on Mac OS

- But with Chromium currently distributed with Ubuntu 18.04 it works only with those keys that have u2f only, such as the blue yubikeys and the other brands. Chromium ignores the Yubikey 4 and Neo.

Any idea or hint?

regards

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: chromium-browser 69.0.3497.81-0ubuntu0.18.04.1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
CurrentDesktop: XFCE
DRM.card0-DP-1:
 enabled: disabled
 dpms: Off
 status: disconnected
 edid-base64:
 modes:
DRM.card0-DP-2:
 enabled: disabled
 dpms: Off
 status: disconnected
 edid-base64:
 modes:
DRM.card0-HDMI-A-1:
 enabled: disabled
 dpms: Off
 status: disconnected
 edid-base64:
 modes:
DRM.card0-HDMI-A-2:
 enabled: enabled
 dpms: On
 status: connected
 edid-base64: AP///////wAMoQBAAQEBAQEWAQOAMx147iVlo1RPoCerUFSlSwDRwIHAAQEBAQEBAQEBAQEBAjqAGHE4LUBYLEUA4A4RAAAeAAAA/ABBSU8gUEMgICAgICAAAAAA/QA7PR5EDwAKICAgICAgAAAA/wAwMDAwMDEKICAgICAgAF4=
 modes: 1920x1080 1280x1024 1280x720 1024x768 1024x768 800x600 800x600 640x480 640x480 720x400
DRM.card0-VGA-1:
 enabled: disabled
 dpms: Off
 status: disconnected
 edid-base64:
 modes:
Date: Mon Oct 8 20:47:15 2018
Desktop-Session:
 'xubuntu'
 '/etc/xdg/xdg-xubuntu:/etc/xdg:/etc/xdg'
 '/usr/share/xubuntu:/usr/share/xfce4:/usr/local/share:/usr/share:/var/lib/snapd/desktop:/usr/share'
DetectedPlugins:

Env:
 'None'
 'None'
InstallationDate: Installed on 2018-06-09 (121 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
InstalledPlugins:

Load-Avg-1min: 0.34
Load-Processes-Running-Percent: 0.3%
MachineType: Medion G24
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=a3f06afa-8405-4064-8044-0a9e1b4c19c8 ro quiet splash vt.handoff=1
SourcePackage: chromium-browser
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 10/12/2012
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: H61TIW08.111
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: H61H2-TI2
dmi.board.vendor: Medion
dmi.board.version: 1.0
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: Medion
dmi.chassis.version: 1.0
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrH61TIW08.111:bd10/12/2012:svnMedion:pnG24:pvr1.0:rvnMedion:rnH61H2-TI2:rvr1.0:cvnMedion:ct3:cvr1.0:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: G24
dmi.product.version: 1.0
dmi.sys.vendor: Medion
modified.conffile..etc.default.chromium-browser: [deleted]

Hadmut Danisch (hadmut) wrote :
Olivier Tilloy (osomon) wrote :

Could it be that you're using the chromium snap, and not the deb package? If so that would be bug #1738164. If unsure, you can browse to chrome://version and share the output here.

Hadmut Danisch (hadmut) wrote :

Definitely not snap:

Chromium 69.0.3497.81 (Offizieller Build) Built on Ubuntu , running on Ubuntu 18.04 (64-Bit)
Überarbeitung 032b3ca19e9af20182f9bd03deefc0faf4695558-refs/branch-heads/3497@{#869}
Betriebssystem Linux
JavaScript V8 6.9.427.19
Flash (Deaktiviert)
User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 Chrome/69.0.3497.81 Safari/537.36
Befehlszeile /usr/lib/chromium-browser/chromium-browser --enable-pinch --flag-switches-begin --flag-switches-end
Ausführbarer Pfad /usr/lib/chromium-browser/chromium-browser
Profilpfad /home/hadmut/.config/chromium/Default

Hadmut Danisch (hadmut) wrote :

The point is: It works with plain u2f tokens such as yubikey (blue), hypersecu, plugup. So it's not a general usb problem.

Olivier Tilloy (osomon) wrote :

Thanks for the confirmation. I have ordered a Yubikey 4 so I can test and investigate the issue.

Olivier Tilloy (osomon) wrote :

Just tested with a brand new yubikey 4 in chromium-browser 70.0.3538.67-0ubuntu0.18.10.1 (Ubuntu 18.10), and U2F works as expected (tested with https://demo.yubico.com/u2f).

I don't readily have access to a physical machine running 18.04, would you mind testing whether the 70.0.3538.67 update resolved the issue for you?

Hadmut Danisch (hadmut) wrote :

I'm currently travelling, and my resources (time, things) are limited, but it still does not work (my yubikey 4 sticks not new, around 1 year old)

Is there any debugging strategy?

regards

Olivier Tilloy (osomon) wrote :

Sorry for the lack of feedback. It looks like this could possibly be a 18.04-specific issue (given that I was not able to observe it on 18.10).

Any chance you could test on 18.10 ? If upgrading is not an option (sticking to the LTS is understandable), maybe you could try a 18.10 ISO on a USB stick and running it live (as opposed to installing) ?

Hadmut Danisch (hadmut) wrote :

Since the problem still exists and I need to use the device, I've done some further debugging.

It seems to be related to the apparmor profile for chrome coming with package apparmor-profiles. After

aa-disable usr.bin.chromium-browser

things work as normal.

Hadmut Danisch (hadmut) wrote :

Strangely, the apparmor state for chromium was in complain mode, not enable mode.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers