| 2018-03-21 12:25:31 |
Dimitri John Ledkov |
description |
[Foreword]
U2F - "universal two factor" is a recent standard to provide two factor authentication using elliptic curve cryptography; with physical confirmation; and authentication of both server and client identities. This is therefore stronger than the usual 6-digit codes, and more user friendly - just touch a button. The devices that commonly support this are Yubikeys among other implementations. These rely on access to /dev/hidraw device by the user account, which is typically otherwise accessible by root only. The udev rules shipped, open up, and assign these devices to the user seats - effectively making them "USB memory stick" permissions wise (a local user/seat can access it, when plugging it in). Previously these udev rules were shipped in src:systemd, but now they have been removed upstream in favor of maintaining them in the src:libu2f-host. On the user systems, Firefox / Chrome / Chromium have support to use u2f devices to authenticate with Google Apps, Github, Salesforce, Etc.
This MIR is specifically about shipping the udev rules only. It is not about shipping the libu2f shared library that facilitates developing of u2f enabled apps and daemons.
[Availability]
Available in universe.
[Rationale]
All Ubuntu Desktop Flavours should be able to perform U2F authentication in a web-browser.
[Security]
udev rules only, as described in foreword, limited by vendor IDs and model numbers.
[Quality assurance]
The package is in good shape, and there is a binary package specifically to ship udev rules only.
[Dependencies]
none
[Standards compliance]
ok
[Maintenance]
At times, as more devices become available on the market, udev rules may need an update, and SRUs.
[Background information]
See foreword. |
[Foreword]
U2F - "universal two factor" is a recent standard to provide two factor authentication using elliptic curve cryptography; with physical confirmation; and authentication of both server and client identities. This is therefore stronger than the usual 6-digit codes, and more user friendly - just touch a button. The devices that commonly support this are Yubikeys among other implementations. These rely on access to /dev/hidraw device by the user account, which is typically otherwise accessible by root only. The udev rules shipped, open up, and assign these devices to the user seats - effectively making them "USB memory stick" permissions wise (a local user/seat can access it, when plugging it in). Previously these udev rules were shipped in src:systemd, but now they have been removed upstream in favor of maintaining them in the src:libu2f-host. On the user systems, Firefox / Chrome / Chromium have support to use u2f devices to authenticate with Google Apps, Github, Salesforce, Etc.
This MIR is specifically about shipping the udev rules only. It is not about shipping the libu2f shared library that facilitates developing of u2f enabled apps and daemons.
[Availability]
Available in universe.
[Rationale]
All Ubuntu Desktop Flavours should be able to perform U2F authentication in a web-browser.
[Security]
udev rules only, as described in foreword, limited by vendor IDs and model numbers.
[Quality assurance]
The package is in good shape, and there is a binary package specifically to ship udev rules only.
[Dependencies]
none
[Standards compliance]
ok
[Maintenance]
At times, as more devices become available on the market, udev rules may need an update, and SRUs.
foundations bugs is subscribed.
seeded into desktop-common.
[Background information]
See foreword. |
|
