Nitrokey FIDO2 funktioniert nicht mit Firefox und Chromium unter Ubuntu 20.04

Hallo Zusammen,

ich versuche gerade den Nitrokey FIDO2 unter Ubuntu 20.04 zu nutzen. Leider nur mit mäßigem Erfolg.

Standardmäßig werden Firefox und Chromium bei Ubuntu 20.04 wohl als Snap installiert. In dieser Konfiguration erkennen beide den Stick nicht.

Erst wenn ich Firefox als normales (deb) Paket installiere und AppArmor ausschalte, wird der Nitrokey erkannt. Sicherheitstechnisch ist das natürlich nicht gewünscht.

Kann mir hier jemand bitte weiterhelfen?

Danke und beste Grüße
Markus

1 Like

Hallo Markus,

Ich will die setup einrichten, und mich bei Ihnen melden.

If I understand well: the browsers do not recognize the FIDO key, unless they are installed via the apt package manager, and AppArmor turned off.

I agree, das ist nicht optimal.

Best,

Hello nitr0z,

did you find something out? Can I provide some help? e.g. doing some tests …

Best regards
Markus

Hallo Markus,

I have the proper environment, i.e. ubuntu VMs, and I started reading about the NSS Tools for firefox here.

I hope is the authentication you were mentioning, otherwise let me know. I was thinking that you had issues connecting to a specific website.

Let me know bitte.

// the config below was re-tested and does not work

Hallo Markus,

I have some good news, and some bad news. Let’s start with the bad news first, as I faced the same issues as you did.

Chromium did not work as you specified, and I posted on an Ubuntu Forum to see if the issue is known. In any case this will require some further research. And I will get back to you in this regard.

For Firefox, at first it was possible to detect the key only if there was an exception in AppArmor for firefox, as you noted. However, there might be a workaround that worked for me:

  1. Insert your U2F Key.
  2. Run: mkdir ~/.config/Nitrokey
  3. Run: pamu2fcfg > ~/.config/Nitrokey/u2f_keys
  4. When your device begins flashing in white, touch the Nitrokey to confirm the association.

This will probably require a reboot, and unplug/replug of the Nitrokey. I have followed the instructions from a comparable website. Most importantly, please let me know if it works for you.

Now firefox detects the Nitrokey FIDO 2, and is not subject to an AppArmor exception.

Let me know if this helps in any manner, we would probably need to figure out what the hell is going-on with chromium. Sorry for this delayed reply.

Best,
nitr0z

Update: Correctly installed chromium from .deb packages, with the instructions in this link.

The key worked properly, but it’s an untrusted PPA.

I do not see, how pamu2fcfg setup is supposed to help here. Does it install with AppArmor specific rules? Worth to check probably.

Apologies, it was a mistake on my side.

I did another trial on a fresh VM, and it does not work. Once the apparmor profile for firefox enforced, it can not detect, nor read, the Nitrokey FIDO.

I will see if it can be solved.

I found a way to make the Nitrokey FIDO work on chromium (installed from snap).

I patched the /etc/udev/rules.d/70-snap.chromium.rules file and added the following at the bottom:

# u2f-devices
# Nitrokey FIDO 2
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", TAG+="snap_chromium_chromium"
TAG=="snap_chromium_chromium", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_chromium_chromium $devpath $major:$minor"

After that I entered this:

$ sudo udevadm control --reload-rules && udevadm trigger

This is supposed to add an exception to the snap.chromium.chromium apparmor profile

Please let me know if you can reproduce the fix. Unplug/replug might be required, and the U2F permission granted.

If it works, we can also add the other devices to the rules file, and ship it by default.

Main reference here.

1 Like