Issue description
U2F 2-factor authentication fails when using the Nix firefox build. A similar issue has been reported for ubuntu, so it's probably not just us. Chromium authenticates successfully on the same system; udev rules are set correctly.
Steps to reproduce
- Navigate to https://demo.yubico.com/u2f?tab=register
- Enter made-up credentials and press "Next"
- See
Exception: FIDO Client error: 1 (OTHER ERROR)
Technical details
- system:
"x86_64-linux" - host os:
Linux 4.9.72, NixOS, 17.09.2961.3d985c45905 (Hummingbird) - multi-user?:
yes - sandbox:
no - version:
nix-env (Nix) 1.11.16 - channels(root):
"nixos-17.09.2961.3d985c45905" - channels(ralith):
"" - nixpkgs:
/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs
Ralith
All 15 comments
Edit: apologies, I haven't noticed that you wrote Chromium works on the same machine, meaning it's probably not the permissions. I'll keep the comment, just in case, though.
I believe this is caused by /dev/hidraw* permissions. I've just tried with Ledger Nano S, and got the same error 1. After sudo chmod 0777 /dev/hidraw* (which is NOT a proper solution but only a crude and insecure workaround) I got the page working (device prompted me to authorize, etc etc).
There is https://github.com/amluto/u2f-hidraw-policy which tries to detect U2F devices (Yubikey, Ledger, etc) and sets ID_U2F_TOKEN=1 and ID_SECURITY_TOKEN=1 on such, so udev can apply uaccess rule (haven't found where this is supposed to actually happen, could be a Fedora/RH-specific thingy, not sure)
drdaeman
on 9 Feb 2018
Yes, on NixOS proper permissions can be achieved by setting udev.packages = [ pkgs.libu2f-host ];. I think there's a more obvious but functionally equivalent setting in 18.03, but regardless, I have the proper rules in place.
Ralith
on 10 Feb 2018
I think there's a more obvious but functionally equivalent setting in 18.03 [...]
Correct: hardware.u2f.enable = true;.
bjornfor
on 10 Feb 2018
This is not working for me (18.03). I've tried both hardware.u2f.enable = true; and adding the udev packages as above. I've also confirmed that this _works_ with google chrome.
Does anyone know what's going on?
aaronlevin
on 19 Apr 2018
Still affecting me as well.
Ralith
on 19 Apr 2018
Is this still happening? I just tried on FF 60.b8 and the yubico demo is working without a hitch.
mmlb
on 10 May 2018
Still happening on nixos-18.03, which has firefox 59.0.2.
Ralith
on 10 May 2018
I can confirm that I had this issue on 59.0 and after a package update to 60.0, the issue went away.
penguin359
on 29 May 2018
Can't reproduce desired behavior with Firefox 60.0.1. It still errors out with the same error as before: FIDO Client error: 1 (OTHER ERROR).
Chromium continues to work. Updated through nixos-rebuild switch from current master at 56023ac0ba5d24708a3210db7ba087ebd86e3d6c.
ciil
on 31 May 2018
Have you enabled security.webauth.u2f in the about:config settings for Firefox? I had to do that before U2F keys worked.
penguin359
on 1 Jun 2018
Yes, of course. I've tried various settings and permission changes in the package over time, always with a fresh install (aka move the .mozilla config dir), but I just can't get it to work. Was really hoping this package update would just magically fix the issue.
ciil
on 1 Jun 2018
should be fixed on master by #42547
xeji
on 25 Jun 2018
This seems to do the trick.
ciil
on 27 Jun 2018
Fixed in 18.03 in 411cc559c052feb6e20a01fc6d5fa63cba09ce9a
grahamc
on 12 Jul 2018
For those who stumbled on this trying to get a yubikey to work with firefox on nixOS adding:
hardware.u2f.enable = true;
to /etc/nixos/configuration.nix then running:
# nixos-rebuild switch
then logging out and logging in again should get it working.
I'm on 19.09.
rudolph9
on 7 Apr 2020
Related issues
copumpkin
路
3Comments
tomberek
路
3Comments
copumpkin
路
3Comments
grahamc
路
3Comments
matthiasbeyer
路
3Comments
Most helpful comment
For those who stumbled on this trying to get a yubikey to work with firefox on nixOS adding:
to
/etc/nixos/configuration.nixthen running:then logging out and logging in again should get it working.
I'm on 19.09.