Bug 1177014

Summary: F21 - Yubikey U2F (FIDO) Not Supported
Product: [Fedora] Fedora Reporter: Jeremy Fitzhardinge <jeremy>
Component: ykpersAssignee: Maxim Burgerhout <maxim>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: extras-qa, gbcox, jeremy, kevin, maxim, michele, wolfgang.rupprecht
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1157894 Environment:
Last Closed: 2014-12-26 17:54:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeremy Fitzhardinge 2014-12-23 19:33:53 UTC 
+++ This bug was initially created as a clone of Bug #1157894 +++

Bug was closed as fixed without fixing the problem.

Description of problem:

Yubikey U2F functionality is not working on Fedora.  Discussion of issue can be found here:
http://forum.yubico.com/viewtopic.php?f=26&t=1535


Version-Release number of selected component (if applicable):
ykpers-1.16.1-1.fc21.x86_64

How reproducible:
Register and test key at this website using Google Chrome with Fido support extension enabled:
http://demo.yubico.com/u2f

Steps to Reproduce:
Follow instructions on website

Actual results:
Yubikey not recognized

Expected results:
Successful registration and authentication.

Additional info:

/usr/lib/udev/rules.d/69-yubikey.rules needs to be changed to allow
for U2F support.  

change line 7 so it reads as follows:

ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0113|0114|0115|0116|0120", \

--- Additional comment from Wolfgang Rupprecht on 2014-11-08 19:36:45 EST ---

While you are at it, you might want to add the Plugups version of the U2F key also.  (Love that product number.  Someone has a sense of humor.)

ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", \
    ENV{ID_SECURITY_TOKEN}="1"

--- Additional comment from Fedora Update System on 2014-11-23 15:38:56 EST ---

ykpers-1.16.1-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ykpers-1.16.1-1.fc21

--- Additional comment from Fedora Update System on 2014-11-23 15:39:23 EST ---

ykpers-1.16.1-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ykpers-1.16.1-1.fc20

--- Additional comment from Fedora Update System on 2014-11-23 15:39:49 EST ---

ykpers-1.16.1-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ykpers-1.16.1-1.fc19

--- Additional comment from Fedora Update System on 2014-11-23 15:40:13 EST ---

ykpers-1.16.1-1.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/ykpers-1.16.1-1.el7

--- Additional comment from Fedora Update System on 2014-11-23 15:41:39 EST ---

ykpers-1.16.1-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/ykpers-1.16.1-1.el6

--- Additional comment from Fedora Update System on 2014-11-23 15:42:49 EST ---

ykpers-1.16.1-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/ykpers-1.16.1-1.el5

--- Additional comment from Fedora Update System on 2014-11-24 16:00:09 EST ---

Package ykpers-1.16.1-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ykpers-1.16.1-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15677/ykpers-1.16.1-1.fc21
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2014-12-04 01:23:28 EST ---

ykpers-1.16.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2014-12-04 01:26:45 EST ---

ykpers-1.16.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2014-12-06 05:50:41 EST ---

ykpers-1.16.1-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2014-12-11 01:32:02 EST ---

ykpers-1.16.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2014-12-11 01:33:51 EST ---

ykpers-1.16.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2014-12-11 01:34:34 EST ---

ykpers-1.16.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Jeremy Fitzhardinge on 2014-12-17 01:20:02 EST ---

ykpers.x86_64 0:1.16.1-1.fc21 does not contain the updated /usr/lib/udev/rules.d/69-yubikey.rules matching a device ID of "0120".

--- Additional comment from Michele Baldessari on 2014-12-22 05:03:04 EST ---

Hi Jeremy,

as this bug is closed and done. Can you open a new one so we can track this USB
id issue?

cheers,
Michele
Comment 1 Kevin Fenzi 2014-12-23 19:40:01 UTC 
We are using the upstream rules here... they don't have "0120" in them.

Is there some reason the upstream project hasn't added that?
Comment 2 Maxim Burgerhout 2014-12-23 22:01:31 UTC 
I do not own this type of Yubikey myself, so I'm 100% sure, but I doubt whether it makes sense to enable the 0120 device id for ykpers. I'm guessing the device w/ id 0120 is the blue security key, which does not have most functionality you would use ykpers or yubikey-personalization-gui for.

The forum post linked in the original bug is about permissions on the U2F device to make it usable for a non-root user. The link mentioned in there is to a udev rules file from a project called libu2f-host, which implements the host-side of the U2F protocol.

I don't think the ykpers tool is the place to put the udev rules for this. It doesn't make sense to ask people to install a customization tool to use a piece of hardware as-is. There is a RR open for libu2f-host: bug 1155826. In bug 1155826, comment 9 there is a reference to U2F working fine on Fedora with that package installed.

Imo that is the short-term way to fix this: get libu2f-host in Fedora. I'm sadly very short on time, but if I find some, I'll try and review that RR. If someone beats me to it: great :)
Comment 3 Kevin Fenzi 2014-12-26 17:54:10 UTC 
Yeah. The correct udev entry is in the libu2f-host (and submitted to be added to systemd/udev). 

I can also try and review that request in the coming weeks. ;) 

In the mean time there's nothing we can do here, so I will close this bug out.