Nitrokey FIDO2 and FIDO U2F don't work on Ubuntu

I’ve got a Nitrokey FIDO2 and a FIDO U2F stick. They both work fine under Windows 10 and I’ve already configured a few online accounts with them. However, neither of them works on my Zorin laptop – regardless of the browser. Copying the 41-nitrokey.rules to /etc/udev/rules.d/ didn’t help. However, https://update.nitrokey.com says that the FIDO2 firmware is up-to-date.

I’m using Zorin OS 16 (based on Ubuntu 20.04 LTS) with Linux Kernel 5.13.0-35-generic. Both Firefox and Ungoogled Chromium are from the Zorin store. Firefox’ about page says it’s a Flatpak.

What can I do to fix this?

Thank you!

Hi!
I suspect udev has not reloaded its rules. After copying the udev rules file, either a reboot is required or these commands need to be executed:

sudo udevadm control --reload-rules && sudo udevadm trigger

See more at:

Unfortunately, that didn’t help :confused:

We can try running nitropy’s connection test. If that works, then perhaps the installed browsers are not allowed to connect to any devices. Generally FIDO2 access should work out of the box, without the udev rules.

Please follow the installation instructions at:

And after that run the following:

$ nitropy fido2 verify

On test failure please send the logs.

You can look into the dmesg log as well, checking related output e.g.:

$ dmesg | grep Nitrokey -C4

I installed pynitrokey but when executing, it immediately produces an error. Like, it doesn’t even wait for me to press the button.

$ nitropy fido2 verify
Nitrokey tool for Nitrokey FIDO2, Nitrokey Start, Nitrokey 3 & NetHSM
please press the button on your Nitrokey key
Touch your authenticator to generate a credential...
Critical error:
unexpected Fido2Client (CTAP) error
	Exception encountered: Client error: 2 - BAD_REQUEST (cause: Pin required but not provided)

Here’s the grep result:

[ 7197.244811] usb 4-1: USB disconnect, device number 7
[ 7245.900397] usb 3-1: new full-speed USB device number 51 using xhci_hcd
[ 7246.050607] usb 3-1: New USB device found, idVendor=20a0, idProduct=42b1, bcdDevice= 1.00
[ 7246.050615] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 7246.050619] usb 3-1: Product: Nitrokey FIDO2 2.4.0
[ 7246.050621] usb 3-1: Manufacturer: Nitrokey
[ 7246.050623] usb 3-1: SerialNumber: 207E3394344B
[ 7246.053977] hid-generic 0003:20A0:42B1.002E: hiddev1,hidraw3: USB HID v1.11 Device [Nitrokey Nitrokey FIDO2 2.4.0] on usb-0000:00:14.0-1/input0
[ 7261.849947] [UFW BLOCK] IN=wlp0s20f3 OUT= MAC=01:00:5e:00:00:01:50:c7:bf:79:1f:da:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 
[ 7300.758200] usb 3-1: USB disconnect, device number 51
[ 7364.027838] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 7365.114736] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7

Alright, so the communication surely can be established. Then the cause must lie in the browsers’ device access rights. I remember there might be some problems with Snap and Flatpak based distributions, due to their confinement implementation.
Can you try any other browser, e.g. running from an AppImage or system repository?
Alternatively, perhaps it’s possible to remove the Snap confinement by installing browsers in --classic mode.

I just tried it with LibreWolf as an AppImage and it worked. Does that mean that Flatpaks and Snaps are generally not supported? That’d be very unfortunate.

For snaps this was fixed already some time ago:

You can try the suggested solution of adding the additional helper line to udev rules to make them like these:

# Nitrokey FIDO2
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", TAG+="snap_chromium_chromium"
TAG=="snap_chromium_chromium", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_chromium_chromium $devpath $major:$minor"

And I can see the rule for Nitrokey FIDO2 in snap config too:

@simon Can you check that further?
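
Added example, not part of the thread and not Nitrokey's own tooling: shell functions that separate "the host cannot see the key" from "the browser sandbox hides it", the distinction reached above, and that check whether a udev rules file has an active hidraw rule for the key. The function names are hypothetical; the VID/PID 20a0:42b1 come from the dmesg output above, and the sandbox markers assumed are `/.flatpak-info` (Flatpak) and `SNAP_NAME` (snapd).

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from nitropy or the thread).
# VID/PID defaults are the values from the dmesg output in this thread (20a0:42b1).

# Print the hidraw node(s) the kernel bound to VID:PID; reads dmesg text on stdin.
hidraw_for_device() {
    vid=$1 pid=$2
    grep -i "hid-generic 0003:${vid}:${pid}\." \
        | grep -o 'hidraw[0-9][0-9]*' | sort -u
}

# Return 0 if the udev rules on stdin hold an active (uncommented) hidraw rule
# for VID:PID, like the "Nitrokey FIDO2" rule quoted above.
rules_cover_device() {
    vid=$1 pid=$2
    grep -v '^[[:space:]]*#' \
        | grep -i 'SUBSYSTEM=="hidraw"' \
        | grep -i "ATTRS{idVendor}==\"${vid}\"" \
        | grep -qi "ATTRS{idProduct}==\"${pid}\""
}

# Name the sandbox this shell runs in. Assumption: Flatpak creates /.flatpak-info
# and snapd exports SNAP_NAME. The optional argument overrides the marker path.
confinement() {
    if [ -e "${1:-/.flatpak-info}" ]; then echo flatpak
    elif [ -n "${SNAP_NAME:-}" ]; then echo snap
    else echo none
    fi
}

# Live check: run on the host, then again from a shell inside the browser's sandbox.
# A node that is read/write on the host but missing in the sandbox points at confinement.
report() {
    vid=${1:-20a0} pid=${2:-42b1}
    echo "confinement: $(confinement)"
    nodes=$(dmesg 2>/dev/null | hidraw_for_device "$vid" "$pid")
    [ -n "$nodes" ] || { echo "no hidraw node for $vid:$pid in dmesg"; return 1; }
    for n in $nodes; do
        if [ -r "/dev/$n" ] && [ -w "/dev/$n" ]; then echo "/dev/$n: read/write OK"
        else echo "/dev/$n: missing or not accessible here"; fi
    done
}
```

Source the file and call `report` once on the host and once inside the sandboxed browser's environment; `rules_cover_device 20a0 42b1 < /etc/udev/rules.d/41-nitrokey.rules` checks the copied rules file.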

A Nitrokey 3 works on my Ubuntu 21.10 for GitHub logins. But! I had it plugged in for some days, and had to re-plug it to log in. IIRC the green LED did not dim to signal. Did you leave your key plugged in?

Could also be something with 20.04.

Totally forgot this question here. It worked after installing Firefox Beta via APT.