Problems with Nitrokey FIDO U2F

Hi,

I can’t get my Nitrokey FIDO U2F key to work. I’m running Xubuntu 18.04.1.

I’ve followed the instructions on https://www.nitrokey.com/documentation/installation#p:nitrokey-fido-u2f&os:linux including /documentation/enabling-u2f-firefox and /sites/default/files/41-nitrokey.rules.

Neither Firefox nor Chrome is working on sites like Google and Twitter.

Any advice?

BR,
Pontus

1 Like

Hi Pontus!

Apparently the wrong Udev rules are provided on the site, sorry for that. Please download and use the file from the firmware home site: 70-u2f.rules. After the download you could use this simple installation script: install_rules.sh. Example run using a terminal:

wget https://raw.githubusercontent.com/Nitrokey/nitrokey-fido-u2f-firmware/master/70-u2f.rules
wget https://raw.githubusercontent.com/Nitrokey/nitrokey-fido-u2f-firmware/master/install_rules.sh
bash install_rules.sh
# please input your password when asked

If it does not work immediately after running that, please reboot your OS and try again accessing the device in a browser. Here is a simple test site: https://u2f.bin.coffee/.
The guide regarding setting up Firefox looks fine.

If that fails, here are simple hardware checks:

  1. Could you tell, is the device showing up? E.g. via the terminal command:
     $ lsusb -d 20a0:4287
     Bus 003 Device 015: ID 20a0:4287 Clay Logic
  2. Device should blink once, just after the insertion. Could you confirm the same behaviour on your hardware?

If it still does not work, I will provide further instructions, which would involve execution of a Python tool. I am almost sure though the wrong Udev rules are the cause in this case.

@nitroalex Could you correct the documentation please, specifically the Udev rules file? Perhaps you could reuse my reply regarding automatic rules installation on Ubuntu-like OSes.

BR,
Szczepan
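
As an added example (not from the thread and not Nitrokey's tooling): `lsusb` only shows that the device enumerated, while browsers reach it through its `/dev/hidraw*` node, which is what the udev rule opens to the logged-in user. This script finds that node for a vendor:product pair and tests access; the function names and the `SYSFS_ROOT`/`DEV_ROOT` overrides are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: can the current user open the hidraw node of a USB HID token?
# SYSFS_ROOT and DEV_ROOT are hypothetical overrides so the logic can be
# exercised on a constructed directory tree instead of the live system.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
DEV_ROOT="${DEV_ROOT:-/dev}"

# Print the hidraw node names (e.g. hidraw3) whose HID device matches VID PID.
find_hidraw_nodes() {
    local vid pid want node uevent
    vid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    pid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    # The kernel exposes HID_ID=<bus>:<vendor>:<product> in uppercase,
    # zero-padded hex; bus 0003 is USB.
    want="HID_ID=0003:0000${vid}:0000${pid}"
    for node in "$SYSFS_ROOT"/class/hidraw/hidraw*; do
        uevent="$node/device/uevent"
        [ -f "$uevent" ] || continue
        if grep -qx "$want" "$uevent"; then
            basename "$node"
        fi
    done
}

# Exit status: 0 = every matching node is read/write for the current user,
#              1 = node found but not accessible (rule missing or not applied),
#              2 = no hidraw node matches (device absent or not bound as HID).
check_hid_access() {
    local nodes n rc=0
    nodes=$(find_hidraw_nodes "$1" "$2")
    if [ -z "$nodes" ]; then
        echo "no hidraw node for $1:$2"
        return 2
    fi
    for n in $nodes; do
        if [ -r "$DEV_ROOT/$n" ] && [ -w "$DEV_ROOT/$n" ]; then
            echo "$n: accessible"
        else
            echo "$n: NOT accessible to $(id -un)"
            rc=1
        fi
    done
    return $rc
}
```

Source the file and run `check_hid_access 20a0 4287` with the key inserted. Status 1 while `lsusb` lists the device points at the udev rule rather than the hardware.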

Hi Szczepan,

I’ve now deleted the 41-nitrokey.rules and restarted the udev service. Then I downloaded 70-u2f.rules and ran the install_rules.sh script.

Then I restarted my laptop.

The “lsusb -d 20a0:4287” command returns “Bus 001 Device 010: ID 20a0:4287 Clay Logic”.

The led is flashing once when I insert the key.

Neither Firefox 64.0 nor Chrome 71.0.3578.98 works on the test site https://u2f.bin.coffee/

I’ve also tested on Google, but I don’t get it to work.

Looking forward to your reply.

BR,
Pontus

Also, to rub it in even more, my Yubikey 4 works perfectly on the test site (https://u2f.bin.coffee/) as well as on other sites.

I see. The device seems to boot properly (blinks once), and is not blinking constantly (which would mean a key initialization issue). It also shows up in the OS as a USB device (so its MCU works). And your other U2F device works.
Just to clear my assumptions:

  1. Could you describe how the browser behaves when you are issuing the U2F request on the test site? Is it returning instantly with a failure message, or after 30 seconds?
  2. Does the device blink when the U2F request is sent?
  3. Could you insert the device just after issuing the U2F request on the test site (during the 30 seconds period, counting from the U2F request sending)?

By the U2F request I mean either U2F registration or U2F authentication / signature.
I plan to provide the diagnostic tool tomorrow.

For behaviour, see videos. I insert the Nitrokey FIDO U2F right after clicking the buttons on the web page.

The only blink I get is when I insert the key. If I insert the key and then click the buttons I don’t get the blink.

2 Likes

I am experiencing the same issue with PureBrowser 60.1.0 (~= Firefox 60.1.0). I have the same diagnostic results as @sm0rux when running without udev rules, and with the new udev rules provided by @szszszsz

  1. The u2f.bin.coffee website suggests setting security.webauth.u2f_enable_softtoken to true. This setting doesn’t exist, but security.webauth.webauthn_enable_softtoken does. I assume this should not be set to true (despite the instructions) because we’re testing a USB token, not a soft token.

  2. If I do enable security.webauth.webauthn_enable_softtoken should u2f.bin.coffee work? In my case it doesn’t.

Looking forward to the Python script!

I’ve tried both with security.webauth.webauthn_enable_softtoken as true and as false - same same, in other words it doesn’t work.

If the udev rules were wrong the biggest question is if ANYONE using Ubuntu (or derivatives) 18.04 got the Nitrokey FIDO U2F key to work? Do you guys at Nitrokey get your keys to work? Or should I move to Yubikey?

Is there any money-back guarantee?

Of course we do use our devices successfully with Linux and Firefox. If you are not satisfied you can return it anytime. But I believe it’s just a matter of configuring your UDEV rules. More on this later.

For completeness: security.webauth.u2f must be true. For me security.webauth.webauthn_enable_softtoken is false but I’m not sure if it’s relevant. Please check that you don’t have a FIDO/U2F related add-on installed in your browser.

I prefer to stay with Nitrokey :slight_smile:

However I find it quite fascinating that this matter hasn’t come up earlier. I mean, Xubuntu 18.04 could not be a very rare setup :smile:

Yes, security.webauth.u2f is true in my Firefox about:config settings.

Forgot to mention - same thing/problem with all add-ons disabled.

Hi,

please try this udev rules file instead. I tested this on my system and it just works fine. I don’t know why nobody else complained yet :thinking:

Please delete the other udev file, move the linked one to /etc/udev/rules.d/ and just restart the system (to make it plain and simple).

You could get the same udev rule via the package "libu2f-udev", but unfortunately it is not recent enough on 18.04.

Please let us know, if it worked.

Kind regards
Alex

1 Like

Hi @nitroalex,

The new rules work! Thanks a zillion!

Yes, I agree with you - very strange that no one else had these problems. I mean that Ubuntu 18.04 and derivatives are not that rare to use :slight_smile:

I noticed on Twitter that I can’t activate the Nitrokey FIDO U2F when using Firefox. However, activating using Chrome allows me to login using Firefox. I think I’ve read the same when it comes to Google.

One annoying thing when it comes to use of the key is that Twitter also activates 2FA via Twitter when using the USB key. If I deactivate U2F via SMS also U2F using the stick is deactivated. This is of course totally out of your control and the same happens when using a Yubikey.

Again - thanks for all your support. @jan, now I’m happy again :slight_smile:

Btw - I saw two guys with Nitrokey jackets at #35c3. Was it anyone of you? Will we meet at Fosdem?

Hey,

I am glad that it worked! We try to fix the instructions and rules asap.

Jan and I were indeed there. Too bad that you didn’t talk to us :smile:

We are probably not at FOSDEM, but let’s see…

Kind regards
Alex

1 Like

Hi,

I also confirm that the 41-nitrokey.rules that @nitroalex mentioned works for me on my Ubuntu 18.04 instead of the 41-nitrokey.rules from the nitrokey-com main site!

Please give a hint on your main site nitrokey-com for Ubuntu 18.04 users.

It takes me some time to check in the forum if somebody has the same issue :wink:

1 Like

Thanks everyone! I can now authenticate against u2f.bin.coffee with PureBrowser (on PureOS) after installing the libu2f-udev package. I’ve documented the process here: https://tracker.pureos.net/w/pureos/tips/purebrowser_fido_u2f/

Note that older releases on other distros may not have an up-to-date libu2f-udev package.

1 Like

Hi @d3vid!
Nice guide! Could you mention please what OS and version you are using there? I guess that is PureOS, right? It might confuse other Debian-based distro users. E.g. this will not work for Ubuntu 18.04 LTS due to the old package version - 1.1.4 [1], but will in U18.10 [2] (1.1.6).

[1] https://packages.ubuntu.com/bionic/libu2f-udev
[2] https://packages.ubuntu.com/cosmic/libu2f-udev

@szszszsz Thanks for the feedback. I’ve updated my comment to make it clear I’m talking about PureOS, and the info has been moved to the PureOS wiki (so the context should be clear there too).

1 Like

This thread popped up as “unread”, for unknown reasons. It seems resolved as far as I can tell.

However, there might be a solution to make Nitrokey FIDO 2 work on Ubuntu and Chromium (installed with snap).

You can find more details here