Feature #17153
Make Tails work with U2F Security Keys
100%
Description
Hi,
Torbrowser 9 can use U2F Security Keys as a second factor.
I think it would be great if it was possible to use U2F Security Keys (like a Yubikey) on Tails. I have managed to use a Yubikey as a second factor on Tails to login to Gitlab, but there was some manual work involved:
- first one has to install
libu2f-udev
, it would be great if that package could be installed by default. Its 24.6 kB on disk. When using the additional software feature to install it, one would have to reload the udev rules as root to make the devices work. - the torbrowser apparmor rules deny access to the devices. I had to add the following permissions to make the yubikey work:
<code class="text"> #u2f /sys/class/ r, /sys/class/hidraw/ r, /sys/devices/** r, /run/udev/data/* r, /sys/bus/ r, /dev/hidraw* rw, </code>
But thats the first time I touched apparmor, so I’m sure there is potential for refinement (especially the write to /dev/hidraw makes me nervous).
(I can also create a bug against thetorbrowser-launcher
package or create a merge request on salsa if the discussion regarding the apparmor rules should be moved there).
Files
Subtasks
Related issues
Related to Tails - Feature #12402: Research what two-factor-authentication (2FA) solution (if any) is worth installing by default in Tails | Confirmed | 2017-03-25 | |
Related to Tails - Bug #17612: devel branch FTBFS: patch against torbrowser.Browser.firefox is fuzzy | Needs Validation | ||
Has duplicate Tails - |
Resolved |
History
#1 Updated by bisco 2019-10-14 16:30:08
Related Feature #12402
#2 Updated by intrigeri 2019-10-20 17:09:58
- Status changed from New to Confirmed
- Assignee set to bisco
Hi,
> Torbrowser 9 can use U2F Security Keys as a second factor.
> I think it would be great if it was possible to use U2F Security Keys (like a Yubikey) on Tails. I have managed to use a Yubikey as a second factor on Tails
Amazing!
> * first one has to install libu2f-udev
, it would be great if that package could be installed by default. Its 24.6 kB on disk. When using the additional software feature to install it, one would have to reload the udev rules as root to make the devices work.
Sounds entirely reasonable to me.
> * the torbrowser apparmor rules deny access to the devices. I had to add the following permissions to make the yubikey work:
> […]
> But thats the first time I touched apparmor, so I’m sure there is potential for refinement (especially the write to /dev/hidraw makes me nervous).
Yeah, I would assume that some of these rules could be a little bit narrower.
> (I can also create a bug against the torbrowser-launcher
package or create a merge request on salsa if the discussion regarding the apparmor rules should be moved there).
Thanks for your offer. The AppArmor profile we ship in Tails merely contains Tails-specific delta on top of the one I’ve been maintaining “upstream” so far, so the best place to propose such an update would be https://github.com/micahflee/torbrowser-launcher/
#3 Updated by intrigeri 2019-11-01 11:36:23
- Status changed from Confirmed to In Progress
#4 Updated by bisco 2020-04-12 09:40:38
intrigeri wrote:
> Thanks for your offer. The AppArmor profile we ship in Tails merely contains Tails-specific delta on top of the one I’ve been maintaining “upstream” so far, so the best place to propose such an update would be https://github.com/micahflee/torbrowser-launcher/
The u2f related changes in the AppArmor profile have not been released yet, but they have been backported to the Debian torbrowser-launcher package [0]. If I read config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
correctly, that would mean they are included into Tails automatically?
Attached is a patch to add the libu2f-udev package to the packagelist (I simply added the package at the end of the file, not sure if there is a better place).
[0] https://tracker.debian.org/news/1117857/accepted-torbrowser-launcher-032-8-source-into-unstable/
#5 Updated by intrigeri 2020-04-12 12:02:05
- Status changed from In Progress to Needs Validation
- Assignee changed from bisco to intrigeri
Thanks!
#6 Updated by intrigeri 2020-04-12 12:50:49
- related to Feature #12402: Research what two-factor-authentication (2FA) solution (if any) is worth installing by default in Tails added
#7 Updated by intrigeri 2020-04-12 13:02:47
- Target version set to Tails_4.6
- Feature Branch set to feature/17153-u2f
Hi @bisco,
> The u2f related changes in the AppArmor profile have not been released yet, but they have been backported to the Debian torbrowser-launcher package [0]. If I read config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
correctly, that would mean they are included into Tails automatically?
Yes, they’ll be included automatically once torbrowser-launcher/sid points to the new version of torbrowser-launcher. Now, there are 2 different cases:
- stable branch: we use a frozen snapshot of the Debian archive (details so we won’t get this update until we bump said snapshot;
- devel branch: we use the newest of our snapshots of the Debian archive; we take 4 snapshots a day.
My plan is to merge your patch into stable and devel, and then:
- On devel, this should be enough to give U2F support by the end of the day. But devel probably won’t be released before September.
- On stable, it won’t be enough until we bump the ‘debian’ APT snapshot (which will surely happen in the next couple months, e.g. for Bug #17610). We could speed this up by doing some extra work, which I’m not sure is worth it considering we’ll probably get the same outcome for free soonish.
> Attached is a patch to add the libu2f-udev package to the packagelist (I simply added the package at the end of the file, not sure if there is a better place).
LGTM!
I’ve pushed this to a branch and will merge if our CI is happy.
#8 Updated by intrigeri 2020-04-13 07:42:15
- related to Bug #17612: devel branch FTBFS: patch against torbrowser.Browser.firefox is fuzzy added
#9 Updated by intrigeri 2020-04-13 07:48:27
- Status changed from Needs Validation to Resolved
- % Done changed from 0 to 100
Applied in changeset commit:tails|577c2de3c81d4d5990d8fb603a50fd0f2774dfb6.
#10 Updated by intrigeri 2020-05-12 13:15:46
- has duplicate
Bug #16671: U2F support in Tor added