[udev] FIDO u2f security keys should be supported out of the box

Also see http://lists.freedesktop.org/archives/systemd-devel/2014-October/024605.html

I agree that we shouldn't hardcode vendor/product IDs then; this would be ok for a minimally intrusive SRU, though (where we probably don't want to introduce new helpers). So how can these be identified in a generic way?

Status changed to 'Confirmed' because the bug affects multiple users.

For Plug-Up Security Key (http://www.plug-up.com/), to make it work I added the following to '/etc/udev/rules.d/45-u2f.rules':

SUBSYSTEM=="hidraw", MODE="0666", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"

I just created a small package for installing udev rules: https://launchpad.net/~guilhem-fr/+archive/ubuntu/u2f-udev

Sources are here: https://github.com/guilhem/u2f-udev

> KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev",
> ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"

I needed a slightly different variation of this for a Yubikey Neo-N on Trusty:

SUBSYSTEM=="usb", MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0211"

Merely adding the :0211 ID didn't help, so I changed SUBSYSTEM to "usb" (basically copying and pasting from my Android udev rules file).

This still affects Wily.

Please fix this bug. It's very annoying to do this on every computer you want to login.

Here is a complete list, including "Yubico YubiKey", "Plug-Up Security Key", "Neowave Keydo" and "HyperSecu HyperFIDO":

https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules

Hi,

On ubuntu we ship libu2f-host as a package. Thus:

$ apt install libu2f-host0

"Solves" the problem. However, I do think it's not as user friendly as it could be. And I'll attempt to get it included in ubuntu by default.

Fix committed to Debian master: http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=09b5bcb064

Hello Dimitri, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

systemd-229-4ubuntu5 / udev-229-4ubuntu5 fixed this for me. Tested using https://demo.yubico.com, a Yubikey Edge and Chromium 49.0.2623.108 on x86_64.

This bug was fixed in the package systemd - 229-4ubuntu5

---------------
systemd (229-4ubuntu5) xenial-proposed; urgency=medium

  * debian/udev.postinst: Don't fail if /var/log/udev is a directory.
    (LP: #1574004)
  * Set MAC based name for USB network interfaces only for universally
    administered (i. e. stable) MACs, not for locally administered (i. e.
    randomly generated) ones. Drop /lib/systemd/network/90-mac-for-usb.link
    (as link files don't currently support globs for MACAddress=) and replace
    with an udev rule in /lib/udev/rules.d/73-special-net-names.rules.
    (Closes: #812575, LP: #1574483)
  * debian/extra/init-functions.d/40-systemd: Invoke status command with
    --no-pager, to avoid blocking scripts that call an init.d script with
    "status" with an unexpected pager process. (Closes: #765175, LP: #1576409)
  * Add debian/extra/rules/70-debian-uaccess.rules: Make FIDO U2F dongles
    accessible to the user session. This avoids having to install libu2f-host0
    (which isn't discoverable at all) to make those devices work.
    (LP: #1387908)
  * On shutdown, unmount /tmp before disabling swap. (Closes: #788303)

 -- Martin Pitt <email address hidden> Mon, 02 May 2016 15:04:42 -0500

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package systemd - 229-6ubuntu1

---------------
systemd (229-6ubuntu1) yakkety; urgency=medium

  * Merge with Debian unstable. Remaining Ubuntu changes:
    - Hack to support system-image read-only /etc, and modify files in
      /etc/writable/ instead.

systemd (229-6) unstable; urgency=medium

  * systemd-container: Prefer renamed "btrfs-progs" package name over
    "btrfs-tools". (Closes: #822629)
  * systemd-container: Recommend libnss-mymachines. (Closes: #822615)
  * Drop systemd-dbg, in favor of debhelpers' automatic -dbgsym packages.
  * Drop Add-targets-for-compatibility-with-Debian-insserv-sy.patch; we don't
    need $x-display-manager any more as most/all DMs ship native services, and
    $mail-transport-agent is not widely used (not even by our default MTA
    exim4).
  * Unify our two patches for Debian specific configuration files.
  * Drop udev-re-enable-mount-propagation-for-udevd.patch, i. e. run udevd in
    its own slave mount name space again. laptop-mode-tools 1.68 fixed the
    original bug (#762018), thus add a Breaks: to earlier versions.
  * Ship fbdev-blacklist.conf in /lib/modprobe.d/ instead of /etc/modprobe.d/;
    remove the conffile on upgrades.
  * Replace util-Add-hidden-suffixes-for-ucf.patch with patch that got
    committed upstream.
  * Replace Stop-syslog.socket-when-entering-emergency-mode.patch with patch
    that got committed upstream.
  * debian/udev.README.Debian: Adjust documentation of MAC based naming for
    USB network cards to the udev rule, where this was moved to in 229-5.
  * debian/extra/init-functions.d/40-systemd: Invoke status command with
    --no-pager, to avoid blocking scripts that call an init.d script with
    "status" with an unexpected pager process. (Closes: #765175, LP: #1576409)
  * Add debian/extra/rules/70-debian-uaccess.rules: Make FIDO U2F dongles
    accessible to the user session. This avoids having to install libu2f-host0
    (which isn't discoverable at all) to make those devices work.
    (LP: #1387908)
  * libnss-resolve: Enable systemd-resolved.service on package installation,
    as this package makes little sense without resolved.
  * Add a DHCP exit hook for pushing received NTP servers into timesyncd.
    (LP: #1578663)
  * debian/udev.postinst: Fix migration check from the old persistent-net
    generator to not apply to chroots. (Closes: #813141)
  * Revert "enable TasksMax= for all services by default, and set it to 512".
    Introducing a default limit on number of threads broke a lot of software
    which regularly needs more, such as MySQL and RabbitMQ, or services that
    spawn off an indefinite number of subtasks that are not in a scope, like
    LXC or cron. 512 is way too much for most "simple" services, and it's way
    too little for the ones mentioned above. Effective (and much stricter)
    limits should instead be put into units individually.
    (Closes: #823530, LP: #1578080)
  * Split out udev rule to name USB network interfaces by MAC address into
    73-usb-net-by-mac.rules, so that it's easier to disable. (Closes: #824025)
  * 73-usb-net-by-mac.rules: Disable when net.ifnames=0 is specified on the
    kernel comm...

Fix provided as is only covers Yubikey devices (vendor 1050), but Yubico is not only one vendor for U2F dongles.

Another cases is :
# Happlink (formaly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"

# Neowave Keydo
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0", TAG+="uaccess"

# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"

@Atoyama: Added in http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=b9824a6c . Thanks!

@pitti When this patch will come to Ubuntu?

The fix in comment #18 is missing Feitian ePass FIDO and JaCarta U2F.

See https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules.

Hi,

Yubico maintains the relevant udev rules (for u2f tokens in general, not only Yubico-branded ones) in libu2f-host, and I recently started shipping those in Debian as a separate binary package (libu2f-udev) rather than having u2f udev rules in our systemd package.

You might want to consider making this package installed by default, as it seems more up-to-date than the current solution in Ubuntu, and would let us cooperate (between Debian and Ubuntu, but also with upstream) and avoid fixing the same problems in many places.

Best,

  nicoo

@nicoo

thanks. I wonder if udev should recommend libu2f-udev (such that most systems have it), or if it should be seeded into desktop common (such that all destkop-like systems have it).

It would also need MIR, which should be simple enough.

Regard,

Dimitri.