Bug #11565

Add support for Yubikey PGP and U2F features

Added by sonicsnail 2016-07-14 19:05:08. Updated 2017-06-07 12:06:33.

Status: Resolved
Priority: Normal
Assignee: muri
Category: Hardware support
Target version:
Start date: 2016-07-14
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

The OpenPGP smartcard and FIDO U2F features of Yubikey hardware security keys don’t work in Linux unless you add special udev rules. Even if you add the rules, they aren’t persistent in Tails. This means it’s currently not practical to use Yubikeys’ OpenPGP smartcard and FIDO U2F features in Tails.

Yubico has already done the work of creating the udev rules and instructions for installing them:
https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
https://www.yubico.com/faq/enable-u2f-linux/

2. Go to https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules and download or create a copy of the file named 70-u2f.rules into the Linux directory:
/etc/udev/rules.d/
3. Save your file, and then reboot your system.

The problem is that in Tails, the rules currently aren’t persistent. You can’t reboot or you’ll lose the changes. You can run sudo udevadm control --reload-rules after adding the rules file to make the changes take effect, but it’s still a pain to have to do this every session. And adding the rules requires setting an admin password, which users shouldn’t always be doing. But if we can build the rules file into Tails, Yubikeys should work automatically by default.

More info about this and a tutorial on putting PGP keys on a Yubikey with Tails: https://gist.github.com/ageis/5b095b50b9ae6b0aa9bf


Subtasks


Related issues

Has duplicate Tails - Feature #12168: yubikey 4 not working with icedove Duplicate 2017-01-24

History

#1 Updated by intrigeri 2016-07-15 03:41:29

Sounds like these udev rules should go into Debian, and then we can install the corresponding package.

#2 Updated by muri 2016-07-21 12:31:58

hi,

the package that holds this file is libykpers-1-1, which is 1.16.0-1 in jessie. according to packages.d.o installed size is 155kB (it depends on libyubikey0, which is 18kB)
i’m in favor of including these two packages and i can provide a patch.

unfortunately, that version does not yet recognize the new yubikey 4. to use the yubikey 4, either a change in the udev rule or the updated libykpers-1-1 from stretch is needed. additionally, the updated version of libccid from stretch is needed for pcscd to be able to recognize the yubikey 4 as a smartcard.

#3 Updated by muri 2016-07-21 12:35:43

muri wrote:
> unfortunately, that version does not yet recognize the new yubikey 4. to use the yubikey 4, either a change in the udev rule or the updated libykpers-1-1 from stretch is needed. additionally, the updated version of libccid from stretch is needed for pcscd to be able to recognize the yubikey 4 as a smartcard.

one addition: the yubikey 4 also works when adding these packages to the additional-software (without an extra intervention using sudo)

#4 Updated by muri 2016-07-21 13:31:31

  • Status changed from New to Confirmed

#5 Updated by sonicsnail 2016-07-22 00:40:52

muri wrote:
> unfortunately, that version does not yet recognize the new yubikey 4. to use the yubikey 4, either a change in the udev rule or the updated libykpers-1-1 from stretch is needed.
The package libu2f-host0 is in jessie-backports and it adds the file /lib/udev/rules.d/70-u2f.rules with configs for Yubikeys, including the Yubikey 4.

#6 Updated by muri 2016-07-22 12:50:38

sonicsnail wrote:
> muri wrote:
> > unfortunately, that version does not yet recognize the new yubikey 4. to use the yubikey 4, either a change in the udev rule or the updated libykpers-1-1 from stretch is needed.
> The package libu2f-host0 is in jessie-backports and it adds the file /lib/udev/rules.d/70-u2f.rules with configs for Yubikeys, including the Yubikey 4.

ah, you’re right, yes, but unfortunately only for u2f (hidraw device) apparently (meaning: it doesn’t set up the permissions for accessing the openpgp-smartcard portion of the yubikey)
(for the record, libu2f-host0 from backports would be 63.0 kB)
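To make the distinction in the last two comments concrete (a U2F-only rules file such as the one shipped by libu2f-host grants the logged-in user access to the hidraw device, but says nothing about the raw USB device node that direct smartcard access needs), here is a small udev rules parser that reports, per subsystem, which Yubico product IDs a rules file grants unprivileged access to. This is an added example, not code from the Tails ticket, from Yubico or from Debian. It assumes that 1050 is Yubico's USB vendor ID (it is), and the rules text it runs over is constructed for the example in the layout of a 70-u2f.rules file, not a copy of Yubico's file.

```python
"""Report which Yubico device interfaces a udev rules file opens to the user.

Added example (not from the Tails ticket, Yubico or Debian). Assumptions:
1050 is Yubico's USB vendor ID; SAMPLE_RULES is constructed for this example.
"""
import re

YUBICO_VENDOR_ID = "1050"

# Constructed sample, modelled on the layout of a 70-u2f.rules file:
# one hidraw (U2F) rule for Yubico, plus an unrelated rule that must be ignored.
SAMPLE_RULES = """\
# U2F-only example: give the logged-in user access to the HID interface
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114", TAG+="uaccess"
# Unrelated vendor, should not show up in the Yubico report
SUBSYSTEM=="usb", ATTRS{idVendor}=="dead", ATTRS{idProduct}=="beef", MODE="0660", GROUP="plugdev"
"""

# One udev token: KEY or KEY{attr}, an operator, a double-quoted value, optional comma.
_TOKEN = re.compile(r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"\s*,?')


def parse_rule_line(line):
    """Return (key, op, value) triples for one rule line; [] for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    triples = []
    pos = 0
    while pos < len(line):
        m = _TOKEN.match(line, pos)
        if not m:
            raise ValueError("cannot parse udev rule at: %r" % line[pos:])
        triples.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return triples


def grants_access(triples):
    """True if the rule hands out user-facing access: a uaccess tag, a GROUP or a MODE."""
    for key, op, value in triples:
        if key == "TAG" and op == "+=" and value == "uaccess":
            return True
        if key in ("GROUP", "MODE") and op in ("=", ":="):
            return True
    return False


def yubico_coverage(rules_text, vendor_id=YUBICO_VENDOR_ID):
    """Map subsystem -> set of product IDs for access-granting rules matching the vendor.

    A rule that does not match on idProduct is recorded as '*' (every product of the vendor).
    """
    coverage = {}
    for line in rules_text.splitlines():
        triples = parse_rule_line(line)
        if not triples:
            continue
        matches = {k: v for k, op, v in triples if op == "=="}
        if matches.get("ATTRS{idVendor}") != vendor_id:
            continue
        if not grants_access(triples):
            continue
        subsystem = matches.get("SUBSYSTEM", "?")
        products = matches.get("ATTRS{idProduct}", "*").split("|")
        coverage.setdefault(subsystem, set()).update(products)
    return coverage


def missing_subsystems(coverage, wanted=("hidraw", "usb")):
    """Subsystems a key needs (HID for U2F, raw USB node for direct smartcard access) with no rule."""
    return [s for s in wanted if s not in coverage]


if __name__ == "__main__":
    cov = yubico_coverage(SAMPLE_RULES)
    for subsystem, products in sorted(cov.items()):
        print("%-7s %s" % (subsystem, ", ".join(sorted(products))))
    print("not covered:", ", ".join(missing_subsystems(cov)) or "nothing")
```

Run against the sample, the report lists only the hidraw interface, which is exactly the situation described above: U2F access is set up, the smartcard side is not. Pointing the same parser at `/lib/udev/rules.d/70-u2f.rules` on a system where libu2f-host0 is installed shows what that package actually covers.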

#7 Updated by intrigeri 2016-07-30 08:49:34

  • Assignee set to muri
  • QA Check set to Info Needed

muri, you marked this ticket as confirmed. From there I see several options:

  • Is there anything specific to discuss? In this case, please clarify what that is.
  • Do you plan to work on it yourself, and do whatever Debian work is blocking it? If so => type of work = Debian, assignee = muri. (And if we’re going this way, I wonder if it’s worth doing the extra work to have it in Tails 2.x, if it’s super easy to have it in Tails 3.x. We just spend too much time maintaining backports that we could spend on releasing 3.x earlier :)
  • Do you think it would be nice if someone did the work, but you don’t want to do it yourself? => type of work = Code, priority = low

#8 Updated by muri 2016-08-31 06:03:16

  • Type of work changed from Discuss to Code

#9 Updated by orionsune 2016-11-21 16:30:00

sonicsnail wrote:
> muri wrote:
> > unfortunately, that version does not yet recognize the new yubikey 4. to use the yubikey 4, either a change in the udev rule or the updated libykpers-1-1 from stretch is needed.
> The package libu2f-host0 is in jessie-backports and it adds the file /lib/udev/rules.d/70-u2f.rules with configs for Yubikeys, including the Yubikey 4.

This did not add 70-u2f.rules for me. I installed the package successfully but no rules file was added.

Is there any progress on getting this fixed on Tails? I noticed a recent version was released last week and this problem is still existing.

#10 Updated by sonicsnail 2016-12-11 07:50:13

In Tails 3.0~alpha1, the PGP feature of the Yubikey 4 now works out of the box without installing additional packages. It works with Enigmail in Thunderbird too.

#11 Updated by intrigeri 2016-12-11 08:54:09

sonicsnail wrote:
> In Tails 3.0~alpha1, the PGP feature of the Yubikey 4 now works out of the box without installing additional packages. It works with Enigmail in Thunderbird too.

Cool! What about the U2F features?

#12 Updated by sonicsnail 2016-12-14 19:23:18

intrigeri wrote:
> Cool! What about the U2F features?

I haven’t been able to get U2F working again in either Tails 2.7.1 or 3.0~alpha1 and I think we should forget about it for now. Firefox and Tor Browser don’t support U2F; Mozilla has been lagging on implementing it for a long time. The only way to make U2F work in Firefox currently is with the third party U2F Support Add-on (https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/). I got it working on Tails several months ago, but maybe something has changed since then in the add-on, in Tails, or in Tor Browser that’s causing it to break now.

I’d been hoping we could include the libu2f-host0 package (from jessie-backports) in Tails for 2 reasons:

  • So users who want to use U2F in Tor Browser now would be able to do so after installing the U2F Support Add-on manually (at their own risk).
  • So U2F will work in Tails without further changes needed when Mozilla eventually implements U2F officially and it lands in Tor Browser.

Below are approximately the steps I took to make U2F work in Tor Browser on stable Tails several months ago. But note that because I can’t reproduce it anymore on current Tails (2.7.1 and 3.0~alpha1), this is likely incomplete info.

  • Start Tails with an administrator password
  • Install udev rules by doing one of the following:
  • Run sudo udevadm control --reload-rules to reload the udev rules
  • Install the U2F Support Add-on in Tor Browser: https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/
  • Spoof Tor Browser’s useragent to identify as Chrome. Some sites will only serve U2F javascript to Chrome because Chrome is the only browser that officially supports U2F right now. In about:config, change general.useragent.override to this: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
  • I can’t remember, but you may need to un-check one of the boxes in Tor Browser’s privacy and security settings window. I don’t remember which box or if this is even necessary. I tried them all today, but none of them caused U2F to work.
  • Go to https://demo.yubico.com/u2f to test U2F with your Yubikey.

Regardless of whether I can make it work or not, those are unsafe things for users to be doing. Using sudo, installing an unaudited addon, spoofing the useragent, and disabling security features are all bad ideas. So I think we shouldn’t waste effort on U2F until Mozilla implements it officially and it lands in Tor Browser, which probably won’t happen soon.

#13 Updated by intrigeri 2016-12-29 13:28:44

hi!

> I’d been hoping we could include the libu2f-host0 package (from jessie-backports) in Tails for 2 reasons:
> * So users who want to use U2F in Tor Browser now would be able to do so after installing the U2F Support Add-on manually (at their own risk).
> * So U2F will work in Tails without further changes needed when Mozilla eventually implements U2F officially and it lands in Tor Browser.

These reasons don’t seem enough to me even if what follows worked (wrt. the 1st one: if users have to install something manually anyway, they can just as well install a package, and we already provide facilities to get this done automatically on startup; wrt. the 2nd one: I’m no fan of making Tails bigger in case it might be useful later).

But anyway, what follows doesn’t work, so:

> So I think we shouldn’t waste effort on U2F until Mozilla implements it officially and it lands in Tor Browser, which probably won’t happen soon.

Agreed.

#14 Updated by intrigeri 2017-03-20 10:37:19

  • has duplicate Feature #12168: yubikey 4 not working with icedove added

#15 Updated by muri 2017-06-07 12:06:33

  • Status changed from Confirmed to Resolved

marking as resolved, as one part is resolved in 3.x (yubikey openpgp) and the other part is out of our hands (u2f in tb)