Created attachment 1724667: screenshot showing security devices
Description of problem:
Since installing a fresh Fedora 33 system (on two machines with yubikey 5c nano and a yubikey 5 nano used for totp and mfa) I continually get prompted by firefox to "Please enter the password for the PKCS#11 token PIV_II." The device is loaded by the p11-kit-proxy. I have no password for the yubikey and have no idea what password this is asking for and it makes firefox pretty much unusable.
A similar issue was reported against Red Hat Satellite but it appears to not be Satellite specific. See Bug 1742881.
If you do not use smartcard capabilities of your yubikey, the easiest solution is just to remove opensc package. Otherwise, this is an issue of NSS which tries to login to all tokens (if the server asks for certificate authentication?). This should be solved with PKCS#11 3.0, where OpenSC will be able to tell nss that it does not have to login to the token, because it has all the certificates publicly readable. I have the needed changes ready in the following PR [1] so if you can reliably reproduce the issue, I can build you a new opensc to check if it solves your issue. [1] https://github.com/OpenSC/OpenSC/pull/2096
Jakub - I tried to get that PR to apply against 0.20.0 and it didn't work right. If you can easily build an rpm I'd be willing to try it, otherwise, I'll try to find some time to give it a shot most likely next weekend.
Hi, I did a build of latest OpenSC 0.21.0-rc1 + the PKCS#11 3.0 patch from above in the following copr repo: https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/ Please, let me know if it addresses the issue for you.
Jakub - I didn't see an fc33 build in your copr repo and the rawhide one didn't work (glibc symbol problem) so i rebuilt the src rpm on my system and installed it. I'm not seeing any change in behavior. Is updating the package all that should have been necessary?
Oh, my bad. Forgot to add the Fedora 33. It is building there now. You might need to restart Firefox to see the effect. But I just realized that this will not work because p11-kit proxy does not have the required PKCS #11 3.0 features [1] to proxy this functionality so it still uses the old interface. So the simplest for you would be removing the opensc package now.
[1] https://github.com/p11-glue/p11-kit/issues/214
I have updated the opensc package from the copr repo on my Fedora 33, however it still appears in newly opened firefox. Do I need to restart some service or reboot?
    $ rpm -q opensc
    opensc-0.21.0-0.1.fc33.x86_64
I can confirm that removing the opensc package won't trigger the password prompt anymore. What makes the password prompt really ugly is that it completely blocks Firefox and thus you are for example disconnected from an ongoing conference call until you click cancel on the password prompt.
> I have updated the opensc package from the copr repo on my Fedora 33, however it still appears in newly opened firefox.
I see the same behavior, even after a complete reboot. The patched package doesn't appear to resolve this issue.
> I can confirm that removing the opensc package won't trigger the password prompt anymore.
I see the same behavior after removing the package entirely. Unlike disabling pcscd, which also squelches the prompt, I can still use yubioath-desktop after removing opensc.
same behaviour. did not happen with same yubikey on previous laptop with fedora 32.
Also hitting this w/ opensc-0.21.0-1.fc33.x86_64
(In reply to Martin Hoyer from comment #11)
> Also hitting this w/ opensc-0.21.0-1.fc33.x86_64
No surprise. We still need the last bits in p11-kit: https://github.com/p11-glue/p11-kit/issues/214
I continuously see popup triggered by firefox to "Please enter the password for the PKCS#11 token OpenDNSSEC." in RHEL84
Just a quick note since I do not see it mentioned here yet: installing firefox as a snap package seems to resolve the issue, as a temporary workaround.
Seeing this on Fedora 33
    $ rpm -q opensc
    package opensc is not installed
    $ rpm -qa|grep firefox
    firefox-88.0-5.fc33.x86_64
That sounds weird. What do you get from the p11-kit if you list enabled modules?
    $ p11-kit list-modules
(In reply to Jakub Jelen from comment #16)
> That sounds weird. What do you get from the p11-kit if you list enabled
> modules?
>
> $ p11-kit list-modules
    p11-kit list-modules
    p11-kit-trust: p11-kit-trust.so
        library-description: PKCS#11 Kit Trust Module
        library-manufacturer: PKCS#11 Kit
        library-version: 0.23
        token: System Trust
            manufacturer: PKCS#11 Kit
            model: p11-kit-trust
            serial-number: 1
            hardware-version: 0.23
            flags: token-initialized
        token: Default Trust
            manufacturer: PKCS#11 Kit
            model: p11-kit-trust
            serial-number: 1
            hardware-version: 0.23
            flags: write-protected token-initialized
    softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
        library-description: Implementation of PKCS11
        library-manufacturer: SoftHSM
        library-version: 2.6
        token: OpenDNSSEC
            manufacturer: SoftHSM project
            model: SoftHSM v2
            serial-number: 3cd425b382827b40
            hardware-version: 2.6
            firmware-version: 2.6
            flags: rng login-required user-pin-initialized restore-key-not-needed token-initialized user-pin-count-low
        token:
            manufacturer: SoftHSM project
            model: SoftHSM v2
            serial-number:
            hardware-version: 2.6
            firmware-version: 2.6
            flags: rng login-required restore-key-not-needed so-pin-locked so-pin-to-be-changed
    [root@oldstorm autograder-full-stack]#
So this is probably asking you for a pin for your softhsm, not for the PIV/yubikey.
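The diagnosis in the comment above (list the modules, then see which token actually demands a login) can be scripted. This is an added example, not part of the original thread or of p11-kit; `login_required_tokens` and `sample_list_modules` are hypothetical names, and the sample is constructed from the listing pasted above.

```shell
# Added example: print "module<TAB>token" for every token whose flags
# include login-required in `p11-kit list-modules` output (read on stdin).
login_required_tokens() {
    awk '
        # An unindented "name: path" line starts a new module section.
        /^[^ \t]/ && index($0, ":") > 0 {
            module = substr($0, 1, index($0, ":") - 1)
            in_token = 0
            next
        }
        # An indented "token: LABEL" line starts a token; the label may be empty.
        $1 == "token:" {
            token = $0
            sub(/^[ \t]*token:[ \t]*/, "", token)
            sub(/[ \t]+$/, "", token)
            if (token == "") token = "(unlabelled)"
            in_token = 1
            reported = 0
            next
        }
        # Flags may sit on the "flags:" line or one per line below it.
        in_token && !reported {
            for (i = 1; i <= NF; i++)
                if ($i == "login-required") {
                    printf "%s\t%s\n", module, token
                    reported = 1
                    break
                }
        }
    '
}

# Constructed sample, abridged from the listing in the comment above.
sample_list_modules() {
    cat <<'EOF'
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        flags: token-initialized
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11
    token: OpenDNSSEC
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 3cd425b382827b40
        flags: rng login-required user-pin-initialized token-initialized
    token:
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number:
        flags: rng login-required restore-key-not-needed so-pin-locked
EOF
}

# Stand-alone run on the sample; on a live system use:
#   p11-kit list-modules | login_required_tokens
sample_list_modules | login_required_tokens
```

The module name in the first column is the one whose `.module` file would carry a `disable-in:` line if the prompt is unwanted in a given program.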
This is also happening on a clean install of Fedora34.
I am also seeing this on Fedora 34 with a brand new yubikey 5 nano.
Same issue after I upgraded my laptop to fedora 34. Is there a fix or workaround?
We're seeing this with RHEL8. However, we do make use of the SC feature of our YKs, just not with Firefox or Thunderbird. Is there a way to disable loading p11-kit though some mozilla config file?
(In reply to Orion Poplawski from comment #22)
> We're seeing this with RHEL8. However, we do make use of the SC feature of
> our YKs, just not with Firefox or Thunderbird. Is there a way to disable
> loading p11-kit though some mozilla config file?
As already mentioned in https://access.redhat.com/articles/4253861 you can add
    disable-in: firefox thunderbird
into the /usr/share/p11-kit/modules/opensc.module as a temporary workaround.
(In reply to Vasu Kulkarni from comment #21)
> Same issue after I upgraded my laptop to fedora 34. Is there a fix or
> workaround?
I'm in a similar situation as @Vasu. My situation: I've upgraded to Fedora 34. Didn't have this issue before in Fedora 33 with the same YubiKey. What is the fix, if there is one?
This is also happening for me with a Yubikey 5 in Fedora 34 in Firefox, and it's quite annoying. Has any progress been made?
I disabled the opensc module (OpenSC smartcard framework) for Firefox and Vivaldi (another browser [0]) on Fedora 34 silverblue:
    $ sudo p11-kit list-modules
    p11-kit-trust: p11-kit-trust.so
        library-description: PKCS#11 Kit Trust Module
        library-manufacturer: PKCS#11 Kit
        library-version: 0.23
        token: System Trust
            manufacturer: PKCS#11 Kit
            model: p11-kit-trust
            serial-number: 1
            hardware-version: 0.23
            flags: token-initialized
        token: Default Trust
            manufacturer: PKCS#11 Kit
            model: p11-kit-trust
            serial-number: 1
            hardware-version: 0.23
            flags: write-protected token-initialized
    opensc: opensc-pkcs11.so
        library-description: OpenSC smartcard framework
        library-manufacturer: OpenSC Project
        library-version: 0.22
        token: PIV_II
            manufacturer: piv_II
            model: PKCS#15 emulated
            serial-number: 00000000
            flags: rng login-required user-pin-initialized token-initialized user-pin-locked
    $ mkdir -p ~/.config/pkcs11/modules
    $ cp /usr/share/p11-kit/modules/opensc.module ~/.config/pkcs11/modules/
    $ echo "disable-in: firefox vivaldi-bin" >> ~/.config/pkcs11/modules/opensc.module
    $ cat ~/.config/pkcs11/modules/opensc.module
    # This file describes how to load the opensc module
    # See: https://p11-glue.github.io/p11-glue/p11-kit/manual/pkcs11-conf.html
    # or man pkcs11.conf
    # This is a relative path, which means it will be loaded from
    # the p11-kit default path which is usually $(libdir)/pkcs11.
    # Doing it this way allows for packagers to package opensc for
    # 32-bit and 64-bit and make them parallel installable
    module: opensc-pkcs11.so
    disable-in: firefox vivaldi-bin
This solved the problem for me. Here is a gist with some Screenshots: https://gist.github.com/rbo/9121b2f4adbd928db8a87d2aa14c756d
[0] https://vivaldi.com
Does disabling OpenSC make it so you can't use your yubikey for 2fa on websites that support it? If so, that's not really a solution.
Disabling OpenSC disables only the smartcard feature [0] of your yubikey for your browser. 2FA is not affected, because it acts as a keyboard.
    $ swaymsg -t get_inputs -r | jq '.[] | select(.name=="Yubico Yubikey 4 OTP+U2F+CCID") '
    {
      "identifier": "4176:1031:Yubico_Yubikey_4_OTP+U2F+CCID",
      "name": "Yubico Yubikey 4 OTP+U2F+CCID",
      "vendor": 4176,
      "product": 1031,
      "type": "keyboard",
      "xkb_layout_names": [
        "English (intl., with AltGr dead keys)"
      ],
      "xkb_active_layout_index": 0,
      "xkb_active_layout_name": "English (intl., with AltGr dead keys)",
      "libinput": {
        "send_events": "enabled"
      }
    }
[0] https://www.yubico.com/authentication-standards/smart-card/
I see, thanks. I actually tried following these steps, and it did not stop the prompts.
Same for me. I executed those steps and I am still getting the prompts.
Please, provide exact error messages. If you removed OpenSC (and restarted Firefox), you can not get prompts to enter PIN for PIV_II.
It's fixed. I followed the wrong instructions. Removing opensc fixed the issue.
(In reply to Jakub Jelen from comment #31)
> Please, provide exact error messages. If you removed OpenSC (and restarted
> Firefox), you can not get prompts to enter PIN for PIV_II.
What error messages? There are no errors, just prompts. Do I have to uninstall OpenSC? That's a lot different than the instructions in previous comments that say to make a config file that disables it in Firefox: https://bugzilla.redhat.com/show_bug.cgi?id=1892137#c26
Also the problem is clearly Firefox, not OpenSC. Why is it giving these prompts at all, let alone repeatedly?
If the steps in comment #26 do not work, it's a bug in p11-kit. Another step is removing opensc if you do not use it. Firefox should not ask for the PIN if p11-kit supported PKCS#11 3.0 [1].
[1] https://github.com/p11-glue/p11-kit/pull/374
It happens on rawhide too ... never had this issue before. I did open https://bugzilla.redhat.com/show_bug.cgi?id=2016724 for this too. Since it's on rawhide too, maybe we should make either BZ a child of the other. Btw, I also have a yubikey so this is a great catch.
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 33 changed to end-of-life (EOL) status on 2021-11-30. Fedora 33 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Fix is not there yet. Let's keep this one open.
FEDORA 35 Fresh Install: This issue is still occurring in Fedora 35 fresh install on HP DragonFly Elite. Used Yubikey to authenticate 2FA, sync is turned on within Mozilla Firefox. Browser is stock version that comes with Fedora 35. The prompt happens each time I open the Firefox browser and periodically pops up during browsing. It's a very intrusive bug as it continues to interrupt work. Adding to make sure everyone is aware this is still occurring in 35. Thanks!
Steps to recreate:
- Fresh install Fedora 35
- Turn on Firefox Sync
- Yubikey plugged into system for 2FA
Same happens to me with Fedora 35: with a Yubikey 5 NFC plugged in, Firefox displayed the password-querying dialog, when opening a URL, where the server asked for a client certificate. This was reproducible. Comment #23 solved this annoying behaviour for me. opensc version 0.22.0-1.fc35, Firefox 95.0.2.
Yes, comment #23 (I used the second option, the one that disables yubikey sc feature) worked for me as well. I never got any prompts from Brave but I did from FF upon Yubikey installation. I used https://webauth.io/ for testing of my Yubikey with 2FA/OTP, which always worked with Brave but had its issues with FF (browser would hang on either registration or login with Yubikey). This seems to fix that issue as well. I can log on using FF and Yubikey
F35 user, Firefox 95.0.2 (from RPMs, not Flatpak), Yubikey 4 Nano. Same issue appeared after installing the Yubikey. The file change from comment #23 did not solve the problem for me, but using the 'larger hammer' approach of disabling the CCID interface using the Yubikey Manager did :-)
Comment #23 worked for me. Thanks!
https://bugzilla.redhat.com/show_bug.cgi?id=1892137#c23 worked for me as well. Though I opted to apply it according to the suggestion in https://bugzilla.redhat.com/show_bug.cgi?id=1892137#c26
    $ mkdir -p ~/.config/pkcs11/modules
    $ cp /usr/share/p11-kit/modules/opensc.module ~/.config/pkcs11/modules/
    $ echo "disable-in: firefox thunderbird" >> ~/.config/pkcs11/modules/opensc.module
    $ cat ~/.config/pkcs11/modules/opensc.module
    # This file describes how to load the opensc module
    # See: https://p11-glue.github.io/p11-glue/p11-kit/manual/pkcs11-conf.html
    # or man pkcs11.conf
    # This is a relative path, which means it will be loaded from
    # the p11-kit default path which is usually $(libdir)/pkcs11.
    # Doing it this way allows for packagers to package opensc for
    # 32-bit and 64-bit and make them parallel installable
    module: opensc-pkcs11.so
    disable-in: firefox thunderbird
    $ cat /etc/redhat-release
    Fedora release 35 (Thirty Five)
    $ rpm -q firefox opensc
    firefox-95.0.2-2.fc35.x86_64
    opensc-0.22.0-1.fc35.x86_64
    $ ykman info
    Device type: YubiKey 5C Nano
    Serial number: XXXXXXXX
    Firmware version: 5.4.3
    Form factor: Nano (USB-C)
    Enabled USB interfaces: OTP, FIDO, CCID
    Applications
    FIDO2           Enabled
    OTP             Enabled
    FIDO U2F        Enabled
    OATH            Enabled
    YubiHSM Auth    Disabled
    OpenPGP         Enabled
    PIV             Enabled
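The per-user `disable-in` override from comments 23 and 26, written so that it can be re-run or extended with another program without stacking duplicate `disable-in:` lines (which repeating the `echo ... >>` step would do). This is an added example, not code from the thread or from p11-kit; `disable_module_in` is a hypothetical helper name, and the demo runs on a constructed stand-in for the packaged module file.

```shell
# usage: disable_module_in <packaged .module file> <user modules dir> <program>...
disable_module_in() {
    [ "$#" -ge 3 ] || { echo "usage: disable_module_in SRC DIR PROGRAM..." >&2; return 2; }
    src=$1; dir=$2; shift 2
    dst="$dir/$(basename "$src")"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    # Keep an existing user copy; otherwise start from the packaged file.
    [ -e "$dst" ] || cp "$src" "$dst" || return 1
    # Programs already listed (comma and/or space separated) plus the new
    # ones, de-duplicated with first-seen order preserved.
    merged=$( { sed -n 's/^disable-in:[[:space:]]*//p' "$dst" | tr ', \t' '\n\n\n'
                printf '%s\n' "$@"; } | awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ $//' )
    # Rewrite through a temp file so a failure cannot leave a half-written file.
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    sed '/^disable-in:/d' "$dst" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'disable-in: %s\n' "$merged" >> "$tmp"
    mv "$tmp" "$dst"
}

# Demo on constructed files in a scratch directory; nothing under $HOME is touched.
demo=$(mktemp -d)
printf '%s\n' '# constructed stand-in for the packaged opensc.module' \
    'module: opensc-pkcs11.so' > "$demo/opensc.module"
disable_module_in "$demo/opensc.module" "$demo/user/modules" firefox thunderbird
disable_module_in "$demo/opensc.module" "$demo/user/modules" firefox vivaldi-bin
cat "$demo/user/modules/opensc.module"
rm -rf "$demo"

# With the paths used in the comments above, the call would be:
#   disable_module_in /usr/share/p11-kit/modules/opensc.module \
#       ~/.config/pkcs11/modules firefox thunderbird
```

Restart the browser afterwards, as noted earlier in the thread; `p11-kit list-modules` still shows the module because the restriction applies only to the named programs.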
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
Still happens in RHEL8.6
Less frequent in RHEL 9.0, only seems to happen when something touches the network stack (e.g. VM with bridged network starts, vpn connect/disconnect, etc).
(In reply to Andy Wang from comment #0)
> I have no password for the yubikey and have no idea what password this is
> asking for and it makes firefox pretty much unusable.
Whoever issued the yubikey for you should have provided initial PIN. Entering a valid PIN, once per Firefox/Thunderbird session, seems sufficient.
I'm on Fedora 37 with firefox-107.0-4.fc37.x86_64. For me the message is this:
    Please enter the password for the PKCS#11 token GemSAFE V1 (Auth PIN).
For a normal user this is a cryptic message, and it's impossible to close the popup windows: if I close one, another pops up. In the end firefox is not responding and I have several windows requesting the same with the message above. The only way to stop this madness is to kill firefox.
I still see it with F37 and firefox-107.0-4.fc37.x86_64 and opensc-0.22.0-7.fc37 The error is: Please enter the password for the PKCS#11 token PIV_II. I have a yubikey installed to authenticate into the openVPN network only.
Vladimir or anyone, do you have specific website, where you are getting the prompts for reproducer? Bob, can you let the guys here know what debug information you need to be able to debug this further? Would some pkcs11 trace (through log-calls in p11-kit) be enough or do you need some debug log from NSS to see why the NSS is still asking? I start feeling that the p11-kit is not here to blame as from some of my previous testing, the profile information was passed through also with the old API, but I would have to double-check.
There is an environment variable you can set to see PKCS #11 calls from NSS, but it requires starting firefox from the command line (and may be a bit confused by the firefox threading...). The environment variable is:
    NSS_DEBUG_PKCS11_MODULE
Instructions to enable them are available here: https://www-archive.mozilla.org/projects/security/pki/nss/tech-notes/tn2
The name you use for NSS_DEBUG_PKCS11_MODULE is the module name (not the slot name). You can find all the loaded modules in Firefox by looking at Settings->Privacy & Security->Security Devices (Security devices button is toward the bottom of the page.) The module names are on the left of the page. Also, including the list of modules in the bug would be useful as well. You should see whatever slot you see in the password prompt under the module list.
(In reply to Jakub Jelen from comment #53)
> Vladimir or anyone, do you have specific website, where you are getting the
> prompts for reproducer?
>
> Bob, can you let the guys here know what debug information you need to be
> able to debug this further? Would some pkcs11 trace (through log-calls in
> p11-kit) be enough or do you need some debug log from NSS to see why the NSS
> is still asking?
>
> I start feeling that the p11-kit is not here to blame as from some of my
> previous testing, the profile information was passed through also with the
> old API, but I would have to double-check.
https://finance.yahoo.com/quote/NQ%3DF?p=NQ%3DF
removing the opensc package helped. I have a clean install of Fedora 37 now.
(In reply to Vladimir Benes from comment #55)
> (In reply to Jakub Jelen from comment #53)
> > Vladimir or anyone, do you have specific website, where you are getting the
> > prompts for reproducer?
> >
> > Bob, can you let the guys here know what debug information you need to be
> > able to debug this further? Would some pkcs11 trace (through log-calls in
> > p11-kit) be enough or do you need some debug log from NSS to see why the NSS
> > is still asking?
> >
> > I start feeling that the p11-kit is not here to blame as from some of my
> > previous testing, the profile information was passed through also with the
> > old API, but I would have to double-check.
>
> https://finance.yahoo.com/quote/NQ%3DF?p=NQ%3DF
>
> removing the opensc package helped. I have a clean install of Fedora 37 now.
So you are not using the yubikey's piv applet, but just the otp or something? In that case you obviously don't need opensc. But as you can reproduce the problem, providing more information might be helpful as I never saw this issue myself with opensc installed.
yubikey comes from the factory with PIV password 123456. enter it once per session and no more problems.
The yubikey is just attached to the system all the time, as is relatively normal if you use 2FA. Every time you start a firefox profile it then prompts you and you have to get rid of the window every time. Having to close a useless dialog every time firefox starts is obviously an error or bug. There used to be some fix in some opensc config file, but it seems to have stopped working a year ago.
(In reply to jonathan.dundas from comment #58)
> The yubikey is just attached to the system all the time, as is relatively
> normal if you use 2FA. Every time you start a firefox profile it then
> prompts you and you have to get rid of the window every time. Having to
> close a useless dialog every time firefox starts is obviously an error or
> bug. There used to be some fix in some opensc config file, but it seems to
> have stopped working a year ago.
Open Firefox preferences, type: security devices in the search field, click on Security Devices button, then on p11-kit-proxy and, finally, Unload. No more prompts for the duration of the session. If someone knows how to permanently disable p11-kit-proxy please respond.
(In reply to Eugene Kanter from comment #59)
> Open Firefox preferences, type: security devices in the search field, click
> on Security Devices button, then on p11-kit-proxy and, finally, Unload. No
> more prompts for the duration of the session.
> If someone knows how to permanently disable p11-kit-proxy please respond.
The solution in Comment 26 worked as a permanent solution for me.
The workaround using disable-in works well for firefox. Has anyone managed to do the same with google-chrome? Still prompts me.
This message is a reminder that Fedora Linux 36 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '36'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 36 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Can this get updated as still an issue on Fedora 38? It still happens, this is still an issue.
Still an issue in RHEL 9.2
This is still an issue in Fedora 38.
We should really document this...
In the end, this is indeed an issue in OpenSC ... Should be fixed with the following upstream PRs:
https://github.com/OpenSC/OpenSC/pull/2928
https://github.com/OpenSC/OpenSC/pull/2924
I can provide test builds if somebody is interested in testing this out. This will likely get fixed with the next release due in coming weeks/month.
FEDORA-2023-c7e4c9af51 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-c7e4c9af51
FEDORA-2023-a854153d7a has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a854153d7a
FEDORA-2023-a854153d7a has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a854153d7a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a854153d7a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-c7e4c9af51 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c7e4c9af51` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c7e4c9af51 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a854153d7a has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-c7e4c9af51 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.