Bug 24157 - Backport Candidate: u2f-hidraw-policy
Summary: Backport Candidate: u2f-hidraw-policy
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Backports (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal enhancement
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://github.com/amluto/u2f-hidraw-...
Whiteboard:
Keywords: Backport
Depends on:
Blocks:
 
Reported: 2019-01-08 21:15 CET by Buchan Milne
Modified: 2019-01-11 14:25 CET (History)
1 user (show)

See Also:
Source RPM: u2f-hidraw-policy-1.0.2-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Buchan Milne 2019-01-08 21:15:18 CET 
Description of problem:

Mageia 6 now has a quantum-based version of Firefox, which ships with native U2F support (but disabled, set security.webauth.u2f to true in about:config to use it), however when trying to test a U2F dongle in Firefox (with U2F enabled) at https://demo.yubico.com/u2f I got an error.

I had previously seen bug reports about u2f on other distros, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1513968 , which recommended installing u2f-hidraw-policy, which was not available in Mageia cauldron. I have  adapted the Fedora spec file (by the author of the software) to Mageia and submitted to cauldron, and backports_testing for 6.

I think it would be useful to have this package available to all users of Mageia 6.

Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Source a U2F dongle and plug it in. I bought the cheapest one I could find that would ship to my address (Key-ID: https://www.amazon.com/dp/B01N6XNC01 , but u2fzero may be more appropriate if it ships to you: https://www.amazon.com/dp/B01L9DUPK6 or https://solokeys.com/ after they ship the kickstarter orders, though Yubikeys seem quite popular)
2. Ensure you are running Firefox 60 or higher, visit about:config, and toggle security.webauth.u2f to true
3. Go to https://demo.yubico.com/u2f and try and register. Firefox should show a finger-print-like notification near the URL bar, and the site will tell you to push the button on the U2F dongle whose light should be flashing. However, your U2F dongle's light won't be flashing, and the website will show the following error:

"Authentication failed!

Make sure your U2F device has been correctly registered and is plugged in!"

4. Now install u2f-hidraw-policy from backports_testing
5. Unplug the u2f dongle, and plug it in again (the package has some udev rules that may need to be re-triggered.
6. Return to the firefox window+tab where you had visited https://demo.yubico.com/u2f and try the same actions again. This time, when prompted to push the button on the u2f dongle, it will be flashing as indicated, and pushing it allows the enrolment (and or authentication test) to succeed.


(The behaviour with Chrome is very similar, the only real difference is that U2F is enabled with Chrome by default, but the dongle doesn't work unless u2f-hidraw-policy is installed. I haven't tested with Chromium, but I expect it to behave the same as Chrome, and other browsers such as Konqueror and Qupzilla etc. do not yet seem to support U2F).

If necessary, I would also be able to test on i586 (with a bit more effort).

Packages:
SRPMS:
u2f-hidraw-policy-1.0.2-1.mga6.src.rpm

RPMS (x86_64):
u2f-hidraw-policy-1.0.2-1.mga6.x86_64.rpm
u2f-hidraw-policy-debuginfo-1.0.2-1.mga6.x86_64.rpm
Buchan Milne 2019-01-08 21:16:54 CET

Keywords: (none) => Backport

Comment 1 Herman Viaene 2019-01-11 14:25:36 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
I don't have such device, I just checked that this package does not have any adverse effect on internet browsing and plugging in and out USB memory sticks.

CC: (none) => herman.viaene
Note You need to log in before you can comment on or make changes to this bug.