The officially official Devuan Forum!

bimon

Member

Registered: 2019-09-09

Posts: 172  

[SOLVED] U2F and FIDO2 tokens in Devuan

Hello,

I have a few installations of Devuan including ASCII and Ceres, both are the latest dist-upgraded.

I have tried the same brave browser on both mentioned installations.

On ASCII it works fine most time, but in Ceres it does not work at all.

Please let me know, how can this be fixed?

Which services are responsible to allow a browser to use FIDO2 token?

What am I missing on Ceres?

lsusb indicates the token on both computers.
/etc/udev/rules.d configured
/dev/hidraw0 appears on both hosts.

bimon

Member

Registered: 2019-09-09

Posts: 172  

Re: [SOLVED] U2F and FIDO2 tokens in Devuan

root@ceres:/# fido2-token -L
/dev/hidraw0: vendor=0x096e, product=0x0858 (FT FIDO)

root@ceres:/# dpkg -al | grep u2f
ii  libauthen-u2f-perl                                      0.003-1                            all          pure Perl FIDO U2F server library
ii  libauthen-u2f-tester-perl                               0.03-1                             all          FIDO/U2F Authentication Test Client
ii  libcrypt-u2f-server-perl:amd64                          0.45-1+b1                          amd64        Perl module to register and authenticate U2F compatible devices
ii  libpam-u2f                                              1.0.8-1                            amd64        universal 2nd factor (U2F) PAM module
ii  libu2f-host-dev                                         1.1.10-1+b1                        amd64        Development files for the U2F host C library libu2f-host
ii  libu2f-host-doc                                         1.1.10-1                           all          Documentation for the U2F host C library libu2f-host
ii  libu2f-host0:amd64                                      1.1.10-1+b1                        amd64        Universal 2nd Factor (U2F) host communication C Library
ii  libu2f-server-dev                                       1.1.0-3                            amd64        Development files for the U2F server C library libu2f-server
ii  libu2f-server0                                          1.1.0-3                            amd64        Universal 2nd Factor (U2F) server communication C Library
ii  libu2f-udev                                             1.1.10-1                           all          Universal 2nd Factor (U2F) common files
ii  pamu2fcfg                                               1.0.8-1                            amd64        universal 2nd factor (U2F) PAM module command-line helper tool
ii  python3-u2flib-server                                   5.0.0-1.1                          all          Universal 2nd Factor (U2F) server communication Python3 module
ii  u2f-host                                                1.1.10-1+b1                        amd64        Command line tool to do Universal 2nd Factor (U2F) operations
ii  u2f-server                                              1.1.0-3                            amd64        Command line tool to do Universal 2nd Factor (U2F) operations
root@ceres:/# dpkg -al | grep fido2
ii  fido2-tools                                             1.4.0-2                            amd64        command-line tools to configure and use a FIDO 2 token
ii  libfido2-1:amd64                                        1.4.0-2                            amd64        library for generating and verifying FIDO 2.0 objects
ii  libfido2-dev:amd64                                      1.4.0-2                            amd64        library for generating and verifying FIDO 2.0 objects -- headers
ii  libfido2-doc                                            1.4.0-2                            all          library for generating and verifying FIDO 2.0 objects -- documentation
ii  python3-fido2                                           0.8.1-1                            all          Python library for implementing FIDO 2.0

Last edited by bimon (2020-07-16 01:11:07)

bimon

Member

Registered: 2019-09-09

Posts: 172  

Re: [SOLVED] U2F and FIDO2 tokens in Devuan

Another problem on ASCII, though most time FIDO2  works fine on it.

Can you please explain how U2F and FIDO2 works on Linux in terms of how to restart its driver?

Does it use any kernel modules except hid?

If the browser works fine with FIDO2 token for a while and then starts to display an error in a protocol, then how can I reinitialize the token? Ejecting and reinserting it again does not help.

At the same time if running a virtual machine with a Debian Live CD 10.4 the token works again inside the VM guest, so I conclude it is not a problem related to the token, and even more it happens with each of two pieces of the tokens I have.

I guess a reboot will help, but I would like to avoid rebooting my workstation of course.

May be some kernel modules can be reloaded or some service restarted to fix the problem without reboot?

I used following page to test:
https://demo.yubico.com/webauthn-technical/

In Debian LiveCD 10.4 my FIDO2 token passes all tests fine and most time it works fine on ASCII too.

The problem is not related to the token itself for sure, at least it works fine on other computer and in another virtual machine, therefore I conclude the FIDO2 token piece is not an issue here.

Last edited by bimon (2020-07-16 01:09:40)

bimon

Member

Registered: 2019-09-09

Posts: 172  

Re: [SOLVED] U2F and FIDO2 tokens in Devuan

I have found an explanation to some of my questions:
https://wiki.gentoo.org/wiki/Pam_u2f

But still cannot fix issues I  have described above, any ideas please?

bimon

Member

Registered: 2019-09-09

Posts: 172  

Re: [SOLVED] U2F and FIDO2 tokens in Devuan

Well, on ASCII it seems were some problem with Brave browser, Chromium works with FIDO2 very stable on ASCII without X11 redirection.

But I get FIDO2 working neither in Beowulf, nor in Ceres virtual machines and can test only by Firefox and Brave 2019, because more recent Chromium does not display on a remote X11, it tells:

[4404:4453:0716/041633.073598:ERROR:bus.cc(393)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
[4404:4453:0716/041633.073744:ERROR:bus.cc(393)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
[4447:4447:0716/041634.091650:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.
[4404:4453:0716/041639.708660:ERROR:bus.cc(393)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
[4404:4453:0716/041639.708782:ERROR:bus.cc(393)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

And then it displays a black X11 window without any controls, may be this can be fixed somehow?

Neither Firefox, nor Brave 2019 work with FIDO2 token in Beowulf or Ceres for me

Last edited by bimon (2020-07-16 04:20:51)

bimon

Member

Registered: 2019-09-09

Posts: 172  

Re: [SOLVED] U2F and FIDO2 tokens in Devuan

If starting chromium under root then U2F works fine in Beowulf too.

How can I enable U2F under a general non root user?

Shall I add the user to some group? Which one?

Last edited by bimon (2021-08-28 04:06:21)

bimon

Member

Registered: 2019-09-09

Posts: 172  

Re: [SOLVED] U2F and FIDO2 tokens in Devuan

Solution:  just add current user to the plugdev group