Feature #17153

Make Tails work with U2F Security Keys

Added by bisco 2019-10-14 16:28:33. Updated 2020-04-13 07:48:27.

Status: Resolved
Priority: Normal
Assignee: intrigeri
Category: Hardware support
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch: feature/17153-u2f
Type of work: Code
Blueprint:
Starter:
Affected tool: Browser
Deliverable for:

Description

Hi,

Torbrowser 9 can use U2F Security Keys as a second factor.
I think it would be great if it was possible to use U2F Security Keys (like a Yubikey) on Tails. I have managed to use a Yubikey as a second factor on Tails to login to Gitlab, but there was some manual work involved:

  • first, one has to install libu2f-udev; it would be great if that package could be installed by default. It's 24.6 kB on disk. When using the additional software feature to install it, one would have to reload the udev rules as root to make the devices work.
  • the torbrowser apparmor rules deny access to the devices. I had to add the following permissions to make the yubikey work:
      #u2f
      /sys/class/ r,
      /sys/class/hidraw/ r,
      /sys/devices/** r,
      /run/udev/data/* r,
      /sys/bus/ r,
      /dev/hidraw* rw,

    But that's the first time I touched apparmor, so I’m sure there is potential for refinement (especially the write to /dev/hidraw makes me nervous).
    (I can also create a bug against the torbrowser-launcher package or create a merge request on salsa if the discussion regarding the apparmor rules should be moved there).
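
Added example, not part of the ticket or of Tails' code: the `/dev/hidraw* rw` rule above matches every `/dev/hidrawN` path, and this Python script reports which nodes are actually U2F tokens by parsing each HID report descriptor for the FIDO usage (page 0xF1D0, usage 0x01). It assumes the usual Linux sysfs layout `/sys/class/hidraw/<node>/device/report_descriptor`; the function names and both sample descriptors are constructed for illustration.

```python
import os

FIDO_U2F_USAGE = 0xF1D00001  # usage page 0xF1D0 (FIDO Alliance), usage 0x01
# Constructed sample descriptors (not captured from real devices).
U2F_SAMPLE = bytes.fromhex("06d0f1 0901 a101 0920 1500 26ff00 7508 9540 8102"
                           " 0921 1500 26ff00 7508 9540 9102 c0")
KEYBOARD_SAMPLE = bytes.fromhex("0501 0906 a101 0507 19e0 29e7 8102 c0")

def is_u2f_descriptor(desc: bytes) -> bool:
    """True if a top-level application collection carries the U2F usage."""
    page, usage, wide, depth, i = 0, None, False, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                    # long item: size, tag, data
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:                  # truncated descriptor
            return False
        value = int.from_bytes(data, "little")
        tag = prefix & 0xFC
        if tag == 0x04:                       # Usage Page (global item)
            page = value
        elif tag == 0x08:                     # Usage (local item)
            usage, wide = value, size == 4    # 4-byte form embeds the page
        elif tag == 0xA0:                     # Collection
            if depth == 0 and value == 0x01 and usage is not None:
                full = usage if wide else (page << 16) | usage
                if full == FIDO_U2F_USAGE:
                    return True
            depth += 1
        elif tag == 0xC0:                     # End Collection
            depth = max(0, depth - 1)
        if (prefix & 0x0C) == 0:              # main item resets local state
            usage = None
        i += 1 + size
    return False

def u2f_hidraw_nodes(sysfs="/sys/class/hidraw"):
    """Map each hidraw node name to whether its descriptor is U2F."""
    nodes = {}
    for node in sorted(os.listdir(sysfs)):
        path = os.path.join(sysfs, node, "device", "report_descriptor")
        try:
            with open(path, "rb") as fh:
                nodes[node] = is_u2f_descriptor(fh.read())
        except OSError:                       # node without a readable descriptor
            nodes[node] = False
    return nodes
```

Every node reported as `False` (keyboards, mice and so on) is a device the broad glob also covers but U2F does not need.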

Related issues

  • Related to Tails - Feature #12402: Research what two-factor-authentication (2FA) solution (if any) is worth installing by default in Tails (Confirmed, 2017-03-25)
  • Related to Tails - Bug #17612: devel branch FTBFS: patch against torbrowser.Browser.firefox is fuzzy (Needs Validation)
  • Has duplicate Tails - Bug #16671: U2F support in Tor (Resolved)

History

#1 Updated by bisco 2019-10-14 16:30:08

Related Feature #12402

#2 Updated by intrigeri 2019-10-20 17:09:58

  • Status changed from New to Confirmed
  • Assignee set to bisco

Hi,

> Torbrowser 9 can use U2F Security Keys as a second factor.
> I think it would be great if it was possible to use U2F Security Keys (like a Yubikey) on Tails. I have managed to use a Yubikey as a second factor on Tails

Amazing!

> * first, one has to install libu2f-udev; it would be great if that package could be installed by default. It's 24.6 kB on disk. When using the additional software feature to install it, one would have to reload the udev rules as root to make the devices work.

Sounds entirely reasonable to me.

> * the torbrowser apparmor rules deny access to the devices. I had to add the following permissions to make the yubikey work:
> […]

> But that's the first time I touched apparmor, so I’m sure there is potential for refinement (especially the write to /dev/hidraw makes me nervous).

Yeah, I would assume that some of these rules could be a little bit narrower.

> (I can also create a bug against the torbrowser-launcher package or create a merge request on salsa if the discussion regarding the apparmor rules should be moved there).

Thanks for your offer. The AppArmor profile we ship in Tails merely contains Tails-specific delta on top of the one I’ve been maintaining “upstream” so far, so the best place to propose such an update would be https://github.com/micahflee/torbrowser-launcher/

#3 Updated by intrigeri 2019-11-01 11:36:23

  • Status changed from Confirmed to In Progress

#4 Updated by bisco 2020-04-12 09:40:38

intrigeri wrote:

> Thanks for your offer. The AppArmor profile we ship in Tails merely contains Tails-specific delta on top of the one I’ve been maintaining “upstream” so far, so the best place to propose such an update would be https://github.com/micahflee/torbrowser-launcher/

The U2F-related changes in the AppArmor profile have not been released yet, but they have been backported to the Debian torbrowser-launcher package [0]. If I read config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile correctly, that would mean they are included in Tails automatically?

Attached is a patch to add the libu2f-udev package to the packagelist (I simply added the package at the end of the file, not sure if there is a better place).

[0] https://tracker.debian.org/news/1117857/accepted-torbrowser-launcher-032-8-source-into-unstable/

#5 Updated by intrigeri 2020-04-12 12:02:05

  • Status changed from In Progress to Needs Validation
  • Assignee changed from bisco to intrigeri

Thanks!

#6 Updated by intrigeri 2020-04-12 12:50:49

  • related to Feature #12402: Research what two-factor-authentication (2FA) solution (if any) is worth installing by default in Tails added

#7 Updated by intrigeri 2020-04-12 13:02:47

  • Target version set to Tails_4.6
  • Feature Branch set to feature/17153-u2f

Hi @bisco,

> The U2F-related changes in the AppArmor profile have not been released yet, but they have been backported to the Debian torbrowser-launcher package [0]. If I read config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile correctly, that would mean they are included in Tails automatically?

Yes, they’ll be included automatically once torbrowser-launcher/sid points to the new version of torbrowser-launcher. Now, there are 2 different cases:

  • stable branch: we use a frozen snapshot of the Debian archive (details), so we won’t get this update until we bump said snapshot;
  • devel branch: we use the newest of our snapshots of the Debian archive; we take 4 snapshots a day.

My plan is to merge your patch into stable and devel, and then:

  • On devel, this should be enough to give U2F support by the end of the day. But devel probably won’t be released before September.
  • On stable, it won’t be enough until we bump the ‘debian’ APT snapshot (which will surely happen in the next couple months, e.g. for Bug #17610). We could speed this up by doing some extra work, which I’m not sure is worth it considering we’ll probably get the same outcome for free soonish.

> Attached is a patch to add the libu2f-udev package to the packagelist (I simply added the package at the end of the file, not sure if there is a better place).

LGTM!

I’ve pushed this to a branch and will merge if our CI is happy.

#8 Updated by intrigeri 2020-04-13 07:42:15

  • related to Bug #17612: devel branch FTBFS: patch against torbrowser.Browser.firefox is fuzzy added

#9 Updated by intrigeri 2020-04-13 07:48:27

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|577c2de3c81d4d5990d8fb603a50fd0f2774dfb6.

#10 Updated by intrigeri 2020-05-12 13:15:46

  • has duplicate Bug #16671: U2F support in Tor added