Nitrokey FIDO U2F not working in Arch Linux/KDE Plasma


#1

Hello,

I have two systems running Arch Linux with KDE Plasma–both are fully updated and have this udev rule. On one of my systems, the U2F key doesn’t work. It lights up when I plug it in, but it doesn’t work with any U2F service in either Chrome or Firefox. Here are the only relevant journalctl entries I could find, which occur after plugging the device in:

Mar 03 17:57:31 arch kernel: usb 1-1.2: new full-speed USB device number 3 using ehci-pci
Mar 03 17:57:31 arch kernel: usb 1-1.2: New USB device found, idVendor=20a0, idProduct=4287, bcdDevice= 1.00
Mar 03 17:57:31 arch kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar 03 17:57:31 arch kernel: usb 1-1.2: Product: Nitrokey FIDO U2F
Mar 03 17:57:31 arch kernel: usb 1-1.2: Manufacturer: Nitrokey
Mar 03 17:57:31 arch kernel: usb 1-1.2: SerialNumber: 0000000000000000
Mar 03 17:57:31 arch kernel: hid-generic 0003:20A0:4287.0006: hiddev0,hidraw5: USB HID v1.11 Device [Nitrokey Nitrokey FIDO U2F] on usb-0000:00:1a.0-1.2/input0
Mar 03 17:57:31 arch mtp-probe[4014]: checking bus 1, device 3: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2"
Mar 03 17:57:31 arch mtp-probe[4014]: bus: 1, device: 3 was not an MTP device
Mar 03 17:57:31 arch plasmashell[1421]: UdevQt: unhandled device action "bind"
Mar 03 17:57:31 arch org_kde_powerdevil[1482]: UdevQt: unhandled device action "bind"
Mar 03 17:57:31 arch mtp-probe[4030]: checking bus 1, device 3: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2"
Mar 03 17:57:31 arch mtp-probe[4030]: bus: 1, device: 3 was not an MTP device
Mar 03 17:57:31 arch org_kde_powerdevil[1482]: UdevQt: unhandled device action "bind"
Mar 03 17:57:31 arch plasmashell[1421]: UdevQt: unhandled device action "bind"

Note that the journalctl entries look pretty much identical on the system where the FIDO U2F key works. The only real difference I can think of between the two machines is that the one that works is running the LTS kernel, while the machine that doesn’t work is running the latest 4.20 kernel.

Do you have any idea how I could begin troubleshooting? Is there another log I should look at for issues like this besides the syslog?

Thanks!


#2

I just tried with kernel 4.19 LTS and the FIDO U2F didn’t work, so I have no idea what else to try.


#3

Hi,

the FIDO is generally working on Arch Linux, so we just need to debug here :smile:

You did test the test page I guess? It does not work there? Did you activate u2f in Firefox?

Where did you put the udev rule? It should lie in /etc/udev/rules.d/. You may try our newest version, though it should not make any difference to yours.

You should restart udev afterwards:
sudo udevadm control --reload

Kind regards
Alex


#4

Thanks @nitroalex. It does not work on the test page and I’ve activated it in Firefox. The udev rule is in /etc/udev/rules.d/. I -think- the udev rule is working since the device lights up once when plugging it in and I see the entries about the Nitrokey in syslog. It also shows up in lsusb.

I’ll try the new rule and get back to you shortly.

Update: Just tried with the new udev rules you posted and there was no change in behavior. Here is a screenshot from GitHub that confirms that U2F is enabled in Firefox:

However the device never blinks, doesn’t respond to taps and after a little while the page shows an error. On my other machine it works just fine and I’ve tested a number of sites.

Output from lsusb:

$ lsusb
[...]
Bus 001 Device 010: ID 20a0:4287 Clay Logic
[...]

#5

I figured out the issue :frowning: I suspected that linux-hardened might have been the culprit, so during troubleshooting I tried the stock non-hardened kernels with no results, but I forgot that I’m running Firefox in firejail as well. The FIDO U2F key works just fine when Firefox isn’t being run in firejail.


#6

Hey,

thanks for letting us know! Looks like I couldn’t help you anyway :smile:

Kind regards
Alex
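
The checks discussed in this thread (device permissions via the udev rule in #3, a sandboxed browser in #5), as an added example that is not part of the original posts: a POSIX shell script that finds the token's hidraw node through sysfs and reports whether the current process can open it. The function names and the optional directory arguments are this example's own; the IDs 20a0:4287 are taken from the kernel log in #1.

```sh
#!/bin/sh
# Added example: find the hidraw node of a USB HID token and report whether
# the current process can open it. IDs 20a0:4287 are from the log in post #1.

# find_hidraw VENDOR PRODUCT [SYSFS_DIR] -> prints matching hidrawN names
find_hidraw() {
    vid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    pid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    sys=${3:-/sys/class/hidraw}
    for ue in "$sys"/hidraw*/device/uevent; do
        [ -r "$ue" ] || continue
        # The HID core exports e.g. HID_ID=0003:000020A0:00004287
        if grep -q "^HID_ID=[0-9A-F]*:0000$vid:0000$pid\$" "$ue"; then
            node=${ue%/device/uevent}
            printf '%s\n' "${node##*/}"
        fi
    done
}

# node_status NAME [DEV_DIR] -> prints ok | no-access | missing
node_status() {
    dev=${2:-/dev}/$1
    if [ ! -e "$dev" ]; then
        echo missing        # node not present in this process's /dev
    elif [ -r "$dev" ] && [ -w "$dev" ]; then
        echo ok             # a program running as this user could open it
    else
        echo no-access      # node exists but permissions deny read/write
    fi
}

# diagnose VENDOR PRODUCT [SYSFS_DIR] [DEV_DIR]; returns 0 only if all nodes are ok
diagnose() {
    nodes=$(find_hidraw "$1" "$2" "${3:-}")
    if [ -z "$nodes" ]; then
        echo "no hidraw device with ID $1:$2 visible in sysfs"
        return 1
    fi
    rc=0
    for n in $nodes; do
        st=$(node_status "$n" "${4:-}")
        echo "$n: $st"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

# Run as: sh check-hidraw.sh 20a0 4287
if [ "$#" -ge 2 ]; then diagnose "$@"; fi
```

Run it once from a normal shell and once from inside the same sandbox as the browser. `no-access` points at permissions (the udev rule), while a node that is `ok` outside but `missing` inside points at the sandbox rather than the kernel or udev.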