Yubico Forum https://forum.yubico.com/ |
[SOLVED] Cannot register on test site from Linux https://forum.yubico.com/viewtopic.php?f=33&t=1545 |
Author: | pushcx [ Fri Oct 24, 2014 5:36 pm ] |
Post subject: | [SOLVED] Cannot register on test site from Linux |
I have two Yubico FIDO U2F security keys. Neither works with the demo page at: http://demo.yubico.com/u2f

I visited the page with Chrome (Version 38.0.2125.104 (64-bit)) and filled in a username and password, then clicked 'Next'. I was prompted to install a browser plugin and did so, then restarted the browser, returned, re-entered username and password, and clicked 'Next' again.

The next page provided a modal popup with the title "Performing U2F action" and text "Please touch the flashing U2F device now." My key was not flashing. Whether or not I touch the key, the page eventually times out and displays "Exception: FIDO Client error: 5 (TIMEOUT)".

When I plug in the key its light flickers a little (I think 4 flashes, but it's so fast it's hard to tell). If I touch the key, it lights up for ten seconds and then turns off. I get this timeout whether the key was connected before I click 'Next' or when the modal appears, and also whether I have touched it to turn the light on for 10s before I click 'Next' or when the modal appears.

The extension is installed, enabled, and has all permissions, and I'm not in incognito mode.

If I run 'lsusb', I do see it listed:

Quote:
Bus 003 Device 013: ID 1050:0120 Yubico.com

Happy to do any other debugging to help figure out what's wrong here.
Author: | pushcx [ Fri Oct 24, 2014 5:50 pm ] |
Post subject: | Re: [BUG] Cannot register on test site |
Aha, I'm solving my own problem, I think. I'm going to explain in detail both so Yubico can correct/help me and so anyone Googling these errors finds an explanation.

I was thinking about that lsusb and tried to run it as 'lsusb -vv' for more details. It said "Couldn't open device, some information will be missing". That made me wonder if it was a permissions issue. I closed Chrome and started it again from the command line to watch for output. As soon as the registration modal pops up, Chrome emits:

Code:
[15535:15567:1024/113843:ERROR:hid_service_linux.cc(166)] Cannot open '/dev/hidraw2': FILE_ERROR_ACCESS_DENIED
[15535:15567:1024/113843:ERROR:hid_service_linux.cc(166)] Cannot open '/dev/hidraw0': FILE_ERROR_ACCESS_DENIED
[15535:15567:1024/113843:ERROR:hid_service_linux.cc(166)] Cannot open '/dev/hidraw1': FILE_ERROR_ACCESS_DENIED
[15535:15571:1024/113850:ERROR:channel.cc(316)] RawChannel read error (connection broken)
[15535:15567:1024/113949:ERROR:hid_service_linux.cc(166)] Cannot open '/dev/hidraw2': FILE_ERROR_ACCESS_DENIED
[15535:15571:1024/114030:ERROR:channel.cc(316)] RawChannel read error (connection broken)

Looking in /dev, /dev/hidraw2 appears and disappears as I plug in or remove the key. So I ran 'sudo chmod go+rw /dev/hidraw2' to give all users permission to the device. The error persisted. Thinking maybe Chrome was remembering it did not have access to the device, I closed it, removed the key, inserted the key, added the permissions, restarted Chrome. It worked!

Quote:
You have now completed registration and U2F device enrollment!

I also tried varying the order. Closed Chrome, removed the key. Inserted the key, started Chrome, added permissions, registered successfully. So it doesn't matter when Chrome starts, it only matters that the user has permissions to the device before Chrome first attempts to use it.

So now the question is a more general one of how to get Ubuntu to give users permission to the device automatically. I'm asking some Ubuntu people for help, but if Yubico knows (you must have tested on Linux?), please help! When that question is answered, this can be marked [SOLVED].
Author: | ZeroCool [ Fri Oct 24, 2014 6:22 pm ] |
Post subject: | Re: [BUG] Cannot register on test site |
I have exactly the same problem. I am a little disappointed it's not plug and play like my other keys. What version of Linux are you using? I really want to get my key working.
Author: | pushcx [ Fri Oct 24, 2014 6:32 pm ] |
Post subject: | Re: [SOLVED] Cannot register on test site |
I'm using Ubuntu 13.10, but any version of Linux would have this. The new U2F keys do not pretend to be keyboards (which udev ships settings for). When udev doesn't know what the device is, it can't automatically allow users access to it. I fixed it with this command:

Code:
# Write the rule file as root: 'sudo tee' does the write (a plain '>' redirect would run as the calling user)
echo 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"' | sudo tee /etc/udev/rules.d/70-u2f.rules

This tells udev to give everyone in the group 'plugdev' (which includes login users on Ubuntu, it seems) read+write access to it.

I was puzzling through the udev rules when I found this similar thread: http://li561-156.members.linode.com/vie ... 5967#p5961

As posters there said, it doesn't work. I had to edit the file he links to. Where it said "|120" I changed it to "|0120" to exactly match what the device says. Maybe leaving off leading 0s is an option in newer versions of udev, I dunno, but it didn't work for me.
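The leading-zero mismatch described in the post above, as an added example that is not part of the original thread: udev compares a rule's ATTRS{idProduct} value with the sysfs attribute as a string (glob patterns, with '|' separating alternatives), never as a number, so "120" cannot match a device that reports "0120". The function names, the temporary directory standing in for /sys/bus/usb/devices, and the second device's IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate how udev compares ATTRS{idVendor}/ATTRS{idProduct}
# with the sysfs attributes. The comparison is a string/glob match with '|'
# separating alternatives; the IDs are never compared as numbers.

# udev_match VALUE PATTERN -> status 0 if any '|' alternative matches VALUE
udev_match() {
    value=$1
    old_ifs=$IFS
    IFS='|'
    set -f                          # no filename expansion while splitting
    for alt in $2; do
        case $value in
            $alt) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# rule_matches_device USB_DIR VENDOR_PATTERN PRODUCT_PATTERN
rule_matches_device() {
    [ -r "$1/idVendor" ] && [ -r "$1/idProduct" ] || return 1
    read -r vid < "$1/idVendor"
    read -r pid < "$1/idProduct"
    udev_match "$vid" "$2" && udev_match "$pid" "$3"
}

# scan USB_ROOT VENDOR_PATTERN PRODUCT_PATTERN -> one line per matching device
scan() {
    for dev in "$1"/*; do
        if rule_matches_device "$dev" "$2" "$3"; then
            echo "match: ${dev##*/} ($vid:$pid)"
        fi
    done
}

demo() {
    root=$(mktemp -d)               # constructed stand-in for /sys/bus/usb/devices
    mkdir "$root/3-2" "$root/3-4"
    echo 1050 > "$root/3-2/idVendor"; echo 0120 > "$root/3-2/idProduct"
    echo abcd > "$root/3-4/idVendor"; echo 0001 > "$root/3-4/idProduct"  # constructed IDs
    echo "rule ending in |0120:"; scan "$root" 1050 '0113|0114|0115|0116|0120'
    echo "rule ending in |120:";  scan "$root" 1050 '0113|0114|0115|0116|120'
    rm -rf "$root"
}
demo
```

On a real system, `scan /sys/bus/usb/devices 1050 '0113|0114|0115|0116|0120'` lists the attached USB devices that the rule's ID match would select.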
Author: | binky [ Mon Oct 27, 2014 11:54 pm ] |
Post subject: | Re: [SOLVED] Cannot register on test site from Linux |
pushcx wrote:
I visited the page with Chrome (Version 38.0.2125.104 (64-bit))

You need Chrome 39 or later.... I had to change to the Beta release to get U2F to work.

Binky
All times are UTC + 1 hour