[udev] FIDO u2f security keys should be supported out of the box

Bug #1387908 reported by Dimitri John Ledkov on 2014-10-31
This bug affects 13 people
Affects                  Importance  Assigned to
systemd (Ubuntu)         Undecided   Martin Pitt
systemd (Ubuntu Trusty)  Undecided   Unassigned
systemd (Ubuntu Xenial)  Undecided   Unassigned

Bug Description

[Impact]

 * Users plug in a U2F key and it does not work in Google Chrome

[Test Case]

 * Have stock ubuntu install, without custom U2F rules or libu2f-host0 installed

 * Use a U2F two-factor authentication website, e.g. Google Apps, GitHub, Yubico, etc.

 * Plugging in the key should just work and complete U2F authentication instead of timing out

[Regression Potential]

 * Should not conflict with the libu2f-host0 udev rules, which is where these are currently shipped

FIDO U2F is an emerging standard for public/private-key cryptography based 2nd-factor authentication, which improves on OTP by mitigating phishing, man-in-the-middle attacks and replay attacks.

Google Chrome supports u2f devices which are now widely available from Yubico (new premium neo Yubikeys and Security keys).

However, udev rules are required to setup permissions to allow the web-browsers which are running as regular users to access the devices in question.

E.g.:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"

Something like that should be enabled by default; however, it should probably not be keyed on the vendor/product ID, as other vendors will also make U2F devices.

Martin Pitt (pitti) wrote :

I agree that we shouldn't hardcode vendor/product IDs then; this would be ok for a minimally intrusive SRU, though (where we probably don't want to introduce new helpers). So how can these be identified in a generic way?

Changed in systemd (Ubuntu Vivid):
status: New → Incomplete
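The generic identification asked for above does not need a vendor/product list: the FIDO HID transport requires a token's U2F interface to declare the FIDO Alliance usage page 0xF1D0 in its HID report descriptor, and the kernel exports that descriptor under /sys/class/hidraw/hidrawN/device/report_descriptor. Later systemd releases do exactly this in udev with a fido_id helper that sets ID_FIDO_TOKEN=1 for the uaccess rules to act on. The script below is an added example, not code from this bug report or from systemd: it walks the descriptor's short and long items, collects the usage pages, and scans the host's hidraw nodes. The U2F descriptor bytes are constructed to follow the usage-page/usage/64-byte-report layout of the U2F HID transport, and the keyboard descriptor is a constructed contrast case; neither was captured from hardware.

```python
"""Identify FIDO/U2F HID tokens generically, by HID usage page, not vendor ID.

Added example for this bug thread, not code from systemd or the bug report.
"""
import glob
import os

FIDO_USAGE_PAGE = 0xF1D0   # FIDO Alliance usage page (U2F HID transport)

# Short-item prefix byte layout: bits 0-1 size, 2-3 type, 4-7 tag.
ITEM_TYPE_GLOBAL = 1
TAG_USAGE_PAGE = 0
LONG_ITEM_PREFIX = 0xFE


def usage_pages(descriptor):
    """Return the set of usage pages a HID report descriptor declares."""
    pages = set()
    i, n = 0, len(descriptor)
    while i < n:
        prefix = descriptor[i]
        i += 1
        if prefix == LONG_ITEM_PREFIX:
            # Long item: data size byte, long tag byte, then `size` data bytes.
            if i + 2 > n:
                raise ValueError("truncated long item")
            size = descriptor[i]
            i += 2 + size
            continue
        size = prefix & 0x03
        if size == 3:            # size code 3 means four data bytes
            size = 4
        item_type = (prefix >> 2) & 0x03
        tag = prefix >> 4
        if i + size > n:
            raise ValueError("truncated short item")
        data = int.from_bytes(descriptor[i:i + size], "little") if size else 0
        i += size
        if item_type == ITEM_TYPE_GLOBAL and tag == TAG_USAGE_PAGE:
            pages.add(data)
    return pages


def is_fido_token(descriptor):
    """True if any usage page in the descriptor is the FIDO Alliance page."""
    return FIDO_USAGE_PAGE in usage_pages(descriptor)


def scan_hidraw(sysfs_root="/sys/class/hidraw"):
    """Map each hidraw node on this host to whether it is a FIDO token,
    using only the kernel-exported report descriptor."""
    result = {}
    for path in sorted(glob.glob(os.path.join(sysfs_root, "hidraw*"))):
        desc_path = os.path.join(path, "device", "report_descriptor")
        try:
            with open(desc_path, "rb") as f:
                result[os.path.basename(path)] = is_fido_token(f.read())
        except OSError:
            continue   # node vanished or not readable; skip it
    return result


# Constructed sample following the U2F HID transport descriptor layout.
U2F_HID_DESCRIPTOR = bytes([
    0x06, 0xD0, 0xF1,  # Usage Page (FIDO Alliance, 0xF1D0)
    0x09, 0x01,        # Usage (U2F HID authenticator device)
    0xA1, 0x01,        # Collection (Application)
    0x09, 0x20,        #   Usage (input report data)
    0x15, 0x00,        #   Logical Minimum (0)
    0x26, 0xFF, 0x00,  #   Logical Maximum (255)
    0x75, 0x08,        #   Report Size (8 bits)
    0x95, 0x40,        #   Report Count (64)
    0x81, 0x02,        #   Input (Data, Variable, Absolute)
    0x09, 0x21,        #   Usage (output report data)
    0x15, 0x00,
    0x26, 0xFF, 0x00,
    0x75, 0x08,
    0x95, 0x40,
    0x91, 0x02,        #   Output (Data, Variable, Absolute)
    0xC0,              # End Collection
])

# Constructed contrast case: Generic Desktop page (0x01), Keyboard usage.
KEYBOARD_DESCRIPTOR = bytes([0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0])

if __name__ == "__main__":
    print("sample U2F descriptor:", is_fido_token(U2F_HID_DESCRIPTOR))
    print("sample keyboard descriptor:", is_fido_token(KEYBOARD_DESCRIPTOR))
    for node, fido in scan_hidraw().items():
        print(node, "FIDO token" if fido else "other HID device")
```

On a composite key such as the YubiKey NEO only the hidraw node of the U2F interface carries usage page 0xF1D0; the OTP keyboard interface reports the Generic Desktop page. A rule keyed on the usage page therefore grants access to the authenticator interface alone, which is as narrow as a per-vendor hidraw rule but needs no ID list.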
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu Trusty):
status: New → Confirmed
Changed in systemd (Ubuntu Utopic):
status: New → Confirmed
Martin Pitt (pitti) on 2014-11-01
summary: - FIDO u2f security keys should be supported out of the box
+ [udev] FIDO u2f security keys should be supported out of the box
Botond Szász (boteeka) wrote :

For Plug-Up Security Key (http://www.plug-up.com/), to make it work I added the following to '/etc/udev/rules.d/45-u2f.rules':

SUBSYSTEM=="hidraw", MODE="0666", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"

Guilhem Lettron (guilhem-fr) wrote :

I just created a small package for installing udev rules: https://launchpad.net/~guilhem-fr/+archive/ubuntu/u2f-udev

Sources are here: https://github.com/guilhem/u2f-udev

Kevin Cernekee (cernekee) wrote :

> KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev",
> ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"

I needed a slightly different variation of this for a Yubikey Neo-N on Trusty:

SUBSYSTEM=="usb", MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0211"

Merely adding the :0211 ID didn't help, so I changed SUBSYSTEM to "usb" (basically copying and pasting from my Android udev rules file).

Changed in systemd (Ubuntu Vivid):
status: Incomplete → Confirmed
Dario Bertini (berdario) wrote :

This still affects Wily.

Michael Kliewe (0-vnfo-a) wrote :

Please fix this bug. It's very annoying to do this on every computer you want to login.

Here is a complete list, including "Yubico YubiKey", "Plug-Up Security Key", "Neowave Keydo" and "HyperSecu HyperFIDO":

https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules

Dimitri John Ledkov (xnox) wrote :

Hi,

On ubuntu we ship libu2f-host as a package. Thus:

$ apt install libu2f-host0

"Solves" the problem. However, I do think it's not as user friendly as it could be. And I'll attempt to get it included in ubuntu by default.

Changed in systemd (Ubuntu):
status: Incomplete → Triaged
assignee: nobody → Dimitri John Ledkov (xnox)
Martin Pitt (pitti) on 2016-05-02
no longer affects: systemd (Ubuntu Utopic)
no longer affects: systemd (Ubuntu Vivid)
Martin Pitt (pitti) wrote :
Changed in systemd (Ubuntu):
assignee: Dimitri John Ledkov (xnox) → Martin Pitt (pitti)
status: Triaged → Fix Committed
Martin Pitt (pitti) on 2016-05-02
Changed in systemd (Ubuntu Xenial):
status: New → In Progress
description: updated

Hello Dimitri, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Alex Willmer (alex-moreati) wrote :

systemd-229-4ubuntu5 / udev-229-4ubuntu5 fixed this for me. Tested using https://demo.yubico.com, a Yubikey Edge and Chromium 49.0.2623.108 on x86_64.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 229-4ubuntu5

---------------
systemd (229-4ubuntu5) xenial-proposed; urgency=medium

  * debian/udev.postinst: Don't fail if /var/log/udev is a directory.
    (LP: #1574004)
  * Set MAC based name for USB network interfaces only for universally
    administered (i. e. stable) MACs, not for locally administered (i. e.
    randomly generated) ones. Drop /lib/systemd/network/90-mac-for-usb.link
    (as link files don't currently support globs for MACAddress=) and replace
    with an udev rule in /lib/udev/rules.d/73-special-net-names.rules.
    (Closes: #812575, LP: #1574483)
  * debian/extra/init-functions.d/40-systemd: Invoke status command with
    --no-pager, to avoid blocking scripts that call an init.d script with
    "status" with an unexpected pager process. (Closes: #765175, LP: #1576409)
  * Add debian/extra/rules/70-debian-uaccess.rules: Make FIDO U2F dongles
    accessible to the user session. This avoids having to install libu2f-host0
    (which isn't discoverable at all) to make those devices work.
    (LP: #1387908)
  * On shutdown, unmount /tmp before disabling swap. (Closes: #788303)

 -- Martin Pitt <email address hidden> Mon, 02 May 2016 15:04:42 -0500

Changed in systemd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 229-6ubuntu1

---------------
systemd (229-6ubuntu1) yakkety; urgency=medium

  * Merge with Debian unstable. Remaining Ubuntu changes:
    - Hack to support system-image read-only /etc, and modify files in
      /etc/writable/ instead.

systemd (229-6) unstable; urgency=medium

  * systemd-container: Prefer renamed "btrfs-progs" package name over
    "btrfs-tools". (Closes: #822629)
  * systemd-container: Recommend libnss-mymachines. (Closes: #822615)
  * Drop systemd-dbg, in favor of debhelpers' automatic -dbgsym packages.
  * Drop Add-targets-for-compatibility-with-Debian-insserv-sy.patch; we don't
    need $x-display-manager any more as most/all DMs ship native services, and
    $mail-transport-agent is not widely used (not even by our default MTA
    exim4).
  * Unify our two patches for Debian specific configuration files.
  * Drop udev-re-enable-mount-propagation-for-udevd.patch, i. e. run udevd in
    its own slave mount name space again. laptop-mode-tools 1.68 fixed the
    original bug (#762018), thus add a Breaks: to earlier versions.
  * Ship fbdev-blacklist.conf in /lib/modprobe.d/ instead of /etc/modprobe.d/;
    remove the conffile on upgrades.
  * Replace util-Add-hidden-suffixes-for-ucf.patch with patch that got
    committed upstream.
  * Replace Stop-syslog.socket-when-entering-emergency-mode.patch with patch
    that got committed upstream.
  * debian/udev.README.Debian: Adjust documentation of MAC based naming for
    USB network cards to the udev rule, where this was moved to in 229-5.
  * debian/extra/init-functions.d/40-systemd: Invoke status command with
    --no-pager, to avoid blocking scripts that call an init.d script with
    "status" with an unexpected pager process. (Closes: #765175, LP: #1576409)
  * Add debian/extra/rules/70-debian-uaccess.rules: Make FIDO U2F dongles
    accessible to the user session. This avoids having to install libu2f-host0
    (which isn't discoverable at all) to make those devices work.
    (LP: #1387908)
  * libnss-resolve: Enable systemd-resolved.service on package installation,
    as this package makes little sense without resolved.
  * Add a DHCP exit hook for pushing received NTP servers into timesyncd.
    (LP: #1578663)
  * debian/udev.postinst: Fix migration check from the old persistent-net
    generator to not apply to chroots. (Closes: #813141)
  * Revert "enable TasksMax= for all services by default, and set it to 512".
    Introducing a default limit on number of threads broke a lot of software
    which regularly needs more, such as MySQL and RabbitMQ, or services that
    spawn off an indefinite number of subtasks that are not in a scope, like
    LXC or cron. 512 is way too much for most "simple" services, and it's way
    too little for the ones mentioned above. Effective (and much stricter)
    limits should instead be put into units individually.
    (Closes: #823530, LP: #1578080)
  * Split out udev rule to name USB network interfaces by MAC address into
    73-usb-net-by-mac.rules, so that it's easier to disable. (Closes: #824025)
  * 73-usb-net-by-mac.rules: Disable when net.ifnames=0 is specified on the
    kernel comm...


Changed in systemd (Ubuntu):
status: Fix Committed → Fix Released
Atoyama Tokanawa (phazon) wrote :

The fix as provided only covers Yubikey devices (vendor 1050), but Yubico is not the only vendor of U2F dongles.

Other cases are:
# Happlink (formerly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"

# Neowave Keydo
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0", TAG+="uaccess"

# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"
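The rule lines posted in this thread grant three different amounts of access, and the difference matters. MODE="0666" opens the node to every local account, including unrelated system users. A SUBSYSTEM=="usb" rule (Kevin Cernekee's variant above) sets permissions on the /dev/bus/usb device node, so it exposes the whole composite device, on a NEO the OTP and smart-card interfaces as well as U2F, to everyone in plugdev. TAG+="uaccess" (the form in the rules just above and in the released fix) lets systemd-logind add an ACL for the user of the active seat only, removed when that session ends. The checker below is an added example, not code from the bug report or from udev. It implements only the subset of udev rule syntax the quoted rules use (==, !=, =, += with "|" alternation and shell-style globs; KERNEL, SUBSYSTEM, ATTRS{...}, MODE, GROUP, TAG), with no GOTO, ENV or parent-device walking, and evaluates it against device attribute dicts constructed from the IDs in this thread rather than read from hardware, so you can see which lines would fire for a key before it is plugged in.

```python
"""Evaluate the udev rule lines posted in this bug against constructed devices.

Added example, not code from the bug report or from udev. Supports only the
rule subset those lines use. ATTRS{...} values are looked up directly in the
device dict, standing in for the parent-chain attributes udevadm info -a shows.
"""
import fnmatch
import re

# One KEY op "value" token, optionally followed by a comma.
TOKEN_RE = re.compile(
    r'\s*([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"\s*(?:,|$)')


def parse_rule(line):
    """Split one rule line into (key, operator, value) triples."""
    line = line.strip()
    triples, pos = [], 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if m is None:
            raise ValueError("unparsable udev rule near: %r" % line[pos:])
        triples.append(m.groups())
        pos = m.end()
    return triples


def _matches(pattern, value):
    # udev splits match values on "|" and globs each alternative.
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))


def evaluate(line, device):
    """Return the assignments a rule line makes for `device`, or None if any
    match key fails. Keys missing from the device never match."""
    assigned = {}
    for key, op, value in parse_rule(line):
        if op in ("==", "!="):
            actual = device.get(key)
            hit = actual is not None and _matches(value, actual)
            if hit != (op == "=="):
                return None
        elif op == "=":
            assigned[key] = value
        else:  # "+=" appends (used for TAG)
            assigned.setdefault(key, []).append(value)
    return assigned


def access_summary(assigned):
    """Describe who can open the device node after this rule's assignments."""
    if "uaccess" in assigned.get("TAG", []):
        return "active-session user only (logind ACL via uaccess)"
    mode = assigned.get("MODE")
    if mode is not None:
        bits = int(mode, 8)
        if bits & 0o002:
            return "world-writable (MODE %s): every local user and service" % mode
        if bits & 0o020:
            return "group %s (MODE %s)" % (assigned.get("GROUP", "root"), mode)
    return "no extra access granted"


def check(rules, device):
    """Return [(rule line, access summary)] for every rule that matches."""
    report = []
    for line in rules:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        assigned = evaluate(line, device)
        if assigned is not None:
            report.append((line.strip(), access_summary(assigned)))
    return report


# The rule lines quoted in this thread, verbatim.
RULES = [
    "# bug description: Yubico IDs, group plugdev on the hidraw node",
    'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev", '
    'ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"',
    "# Kevin Cernekee: NEO-N (0211) on the raw USB device",
    'SUBSYSTEM=="usb", MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050", '
    'ATTRS{idProduct}=="0113|0114|0115|0116|0120|0211"',
    "# Botond Szász: Plug-Up, world-writable",
    'SUBSYSTEM=="hidraw", MODE="0666", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"',
    "# Atoyama Tokanawa: Happlink/Plug-Up, uaccess-tagged",
    'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", '
    'ATTRS{idProduct}=="f1d0", TAG+="uaccess"',
]

# Constructed devices (IDs from the thread, not captured from hardware): the
# hidraw node of a YubiKey NEO-N U2F interface, the same key's USB device node,
# and the hidraw node of a Plug-Up key.
NEO_N_HIDRAW = {"KERNEL": "hidraw2", "SUBSYSTEM": "hidraw",
                "ATTRS{idVendor}": "1050", "ATTRS{idProduct}": "0211"}
NEO_N_USB = {"KERNEL": "1-1.2", "SUBSYSTEM": "usb",
             "ATTRS{idVendor}": "1050", "ATTRS{idProduct}": "0211"}
PLUG_UP_HIDRAW = {"KERNEL": "hidraw1", "SUBSYSTEM": "hidraw",
                  "ATTRS{idVendor}": "2581", "ATTRS{idProduct}": "f1d0"}

if __name__ == "__main__":
    for name, dev in [("NEO-N hidraw", NEO_N_HIDRAW), ("NEO-N usb", NEO_N_USB),
                      ("Plug-Up hidraw", PLUG_UP_HIDRAW)]:
        print(name, "->", check(RULES, dev) or "no rule matches")
```

For a key that is actually plugged in, udev's own evaluator is authoritative: `udevadm test $(udevadm info -q path -n /dev/hidrawN)` prints every rule file consulted and the resulting MODE, GROUP and TAGS, and `getfacl /dev/hidrawN` shows the ACL that uaccess added.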

Marcos Alano (mhalano) wrote :

@pitti When this patch will come to Ubuntu?

Graeme Hewson (ghewson) wrote :

The fix in comment #18 is missing Feitian ePass FIDO and JaCarta U2F.

See https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules.

nicoo (nicolas+ubuntu1) wrote :

Hi,

Yubico maintains the relevant udev rules (for u2f tokens in general, not only Yubico-branded ones) in libu2f-host, and I recently started shipping those in Debian as a separate binary package (libu2f-udev) rather than having u2f udev rules in our systemd package.

You might want to consider making this package installed by default, as it seems more up-to-date than the current solution in Ubuntu, and would let us cooperate (between Debian and Ubuntu, but also with upstream) and avoid fixing the same problems in many places.

Best,

  nicoo

Dimitri John Ledkov (xnox) wrote :

@nicoo

thanks. I wonder if udev should recommend libu2f-udev (such that most systems have it), or if it should be seeded into desktop common (such that all desktop-like systems have it).

It would also need MIR, which should be simple enough.

Regards,

Dimitri.

tags: added: id-5a096cad0b33afe7dc38a9c1