[solved] Nitrokey 2FA - RHEL / CentOS 7


#1

On my Fedora 28 host Nitrokey FIDO 2FA is working - on my CentOS 7 the stick won’t work. After connecting the device the LED flashes once and syslog shows:

Nov  8 23:24:59 T410 kernel: usb 1-1.2: new full-speed USB device number 12 using ehci-pci
Nov  8 23:24:59 T410 kernel: usb 1-1.2: New USB device found, idVendor=20a0, idProduct=4287
Nov  8 23:24:59 T410 kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov  8 23:24:59 T410 kernel: usb 1-1.2: Product: Nitrokey FIDO U2F
Nov  8 23:24:59 T410 kernel: usb 1-1.2: Manufacturer: Nitrokey
Nov  8 23:24:59 T410 kernel: usb 1-1.2: SerialNumber: 0000000000000000
Nov  8 23:24:59 T410 kernel: hid-generic 0003:20A0:4287.0009: hiddev0,hidraw0: USB HID v1.11 Device [Nitrokey Nitrokey FIDO U2F] on usb-0000:00:1a.0-1.2/input0
Nov  8 23:24:59 T410 mtp-probe: checking bus 1, device 12: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2"
Nov  8 23:24:59 T410 mtp-probe: bus: 1, device: 12 was not an MTP device

Firefox tells me that I should “push the button” but nothing works as expected.

Any ideas or hints?


#2

Did you install the required UDEV rule? See instructions.


#3

Of course, of course I tried that too! :sunglasses:

On my Fedora 28 host it works as expected. If I connect the device to a USB port, the LED flashes once and syslog says:

Nov 09 18:42:50 lenovo-r60 kernel: usb 2-2: new full-speed USB device number 2 using uhci_hcd
Nov 09 18:42:50 lenovo-r60 kernel: usb 2-2: New USB device found, idVendor=20a0, idProduct=4287, bcdDevice= 1.00
Nov 09 18:42:50 lenovo-r60 kernel: usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov 09 18:42:50 lenovo-r60 kernel: usb 2-2: Product: Nitrokey FIDO U2F
Nov 09 18:42:50 lenovo-r60 kernel: usb 2-2: Manufacturer: Nitrokey
Nov 09 18:42:50 lenovo-r60 kernel: usb 2-2: SerialNumber: 0000000000000000
Nov 09 18:42:50 lenovo-r60 kernel: hid-generic 0003:20A0:4287.0001: hiddev96,hidraw0: USB HID v1.11 Device [Nitrokey Nitrokey FIDO U2F] on usb-0000:00:1d.0-2/input0
Nov 09 18:42:50 lenovo-r60 mtp-probe[2613]: checking bus 2, device 2: "/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-2"
Nov 09 18:42:50 lenovo-r60 mtp-probe[2613]: bus: 2, device: 2 was not an MTP device
Nov 09 18:42:50 lenovo-r60 upowerd[1327]: unhandled action 'bind' on /sys/devices/pci0000:00/0000:00:1d.0/usb2/2-2/2-2:1.0/0003:20A0:4287.0001
Nov 09 18:42:50 lenovo-r60 upowerd[1327]: unhandled action 'bind' on /sys/devices/pci0000:00/0000:00:1d.0/usb2/2-2/2-2:1.0
Nov 09 18:42:50 lenovo-r60 upowerd[1327]: unhandled action 'bind' on /sys/devices/pci0000:00/0000:00:1d.0/usb2/2-2

I found a new device there: /dev/hidraw0

O.K. If I log in to my Nextcloud the device flashes twice and after touching the “button” I’m logged in. :+1:

On my CentOS 7, with the required udev rules and a reboot (!), the LED flashes once too and syslog says:

Nov 09 18:49:21 T410 kernel: usb 2-1.1: new full-speed USB device number 4 using ehci-pci
Nov 09 18:49:21 T410 kernel: usb 2-1.1: New USB device found, idVendor=20a0, idProduct=4287
Nov 09 18:49:21 T410 kernel: usb 2-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov 09 18:49:21 T410 kernel: usb 2-1.1: Product: Nitrokey FIDO U2F
Nov 09 18:49:21 T410 kernel: usb 2-1.1: Manufacturer: Nitrokey
Nov 09 18:49:21 T410 kernel: usb 2-1.1: SerialNumber: 0000000000000000
Nov 09 18:49:21 T410 kernel: hid-generic 0003:20A0:4287.0004: hiddev0,hidraw0: USB HID v1.11 Device [Nitrokey Nitrokey FIDO U2F] on usb-0000:00:1d.0-1.1/input0
Nov 09 18:49:21 T410 mtp-probe[3747]: checking bus 2, device 4: "/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1"
Nov 09 18:49:21 T410 mtp-probe[3747]: bus: 2, device: 4 was not an MTP device

I found a new device there: /dev/hidraw0. If I try to log in to my Nextcloud NO LED flashes and nothing happens if I touch the button. :triumph: :-1:

I’ve no idea why the stick won’t work on CentOS 7. (SELinux is running in permissive mode.)


#4

Here I am again. :sunglasses:

Now it works on my CentOS 7 workstations, too. O.K., what did I do?

Either when I change the device permissions from 664 to 666 or when I change the owner to my user django, it works as expected.

So I decided to change the udev rules to:

# Nitrokey U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", OWNER="django", GROUP="plugdev", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"
# Nitrokey FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", OWNER="django", GROUP="plugdev", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287"

SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"

# USB SmartCard Readers
## Crypto Stick 1.2
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="plugdev", TAG+="uaccess"
## Nitrokey Pro
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="plugdev", TAG+="uaccess"
## Nitrokey Storage
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="plugdev", TAG+="uaccess"
## Nitrokey Start
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="plugdev", TAG+="uaccess"
## Nitrokey HSM
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4230", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="plugdev", TAG+="uaccess"

LABEL="gnupg_rules_end"

django is the user account on my testing machine. Now it works.

BTW, on the Fedora 29 host, the user and file permissions of the device look like:

crw-rw----+ 1 root root 245, 0 Nov 10 13:32 /dev/hidraw0

I’ve no idea why it works on Fedora 29 with those permissions, but won’t work with the old permissions

crw-rw-r--. 1 root root 246, 0 10. Nov 13:12 /dev/hidraw0

on CentOS 7. No matter how, now it works with the custom udev rules. :+1:t4:


#5

It may have been sufficient to add your user to the group “plugdev” instead. If adding your own user name did the trick, then this should help, too. Still, this whole story sounds funny and I am happy that you let us know what happened and how you fixed the situation!

I will have a look today at removing the need to add the udev rule at all. Maybe this helps other users so they don’t need to fiddle around.


#6

You won’t believe this, but that’s exactly what I tried to do first. But under CentOS/RHEL 7 it’s not enough to just put the user into the plugdev group.

The Nitrokey FIDO U2F can only be used under CentOS 7 if one of the following ways is taken:

  1. either set the file permissions to 666 or
  2. give the device file to the user in question

I decided to use option 2 and give the device file to the user “django”.
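As an added check that is not part of this thread or of Nitrokey's own tooling, the POSIX shell function below audits a udev rules file for the rules matching one USB id pair and reports how broadly each one exposes the hidraw node: the 0666 route from #4 and #6 hands the token to every local account, the OWNER= pin ties it to a single user, and TAG+="uaccess" lets systemd-logind grant an ACL to the active seat user, which is what the trailing + in the Fedora crw-rw----+ listing indicates. The function names and the sample rules file are mine and constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nitrokey.
# audit_hidraw_rules FILE IDVENDOR IDPRODUCT
#   Prints one line per rule in FILE that matches both USB ids and says how
#   broadly it exposes the device node. Returns 1 if any matching rule makes
#   the node world-writable (others digit 2,3,6,7), else 0.
audit_hidraw_rules() {
    rules=$1 vid=$2 pid=$3 n=0 status=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac            # blank / comment
        # ATTR{} and ATTRS{} both occur; require vendor AND product to match
        case "$line" in *"idVendor}==\"$vid\""*) ;; *) continue ;; esac
        case "$line" in *"idProduct}==\"$pid\""*) ;; *) continue ;; esac
        mode=$(printf '%s\n' "$line" | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p')
        owner=$(printf '%s\n' "$line" | sed -n 's/.*OWNER="\([^"]*\)".*/\1/p')
        group=$(printf '%s\n' "$line" | sed -n 's/.*GROUP+\{0,1\}="\([^"]*\)".*/\1/p')
        case "$line" in *'TAG+="uaccess"'*) uaccess=yes ;; *) uaccess=no ;; esac
        case "$mode" in
        *[2367]) verdict="world-accessible (MODE=$mode): every local account can talk to the token"
                 status=1 ;;
        *) if [ -n "$owner" ]; then verdict="pinned to user $owner (MODE=${mode:-default})"
           elif [ "$uaccess" = yes ]; then verdict="seat ACL via TAG+=\"uaccess\": the active logged-in user gets access"
           elif [ -n "$group" ]; then verdict="group $group only (MODE=${mode:-default}): the user must be in $group"
           else verdict="root only (MODE=${mode:-default})"; fi ;;
        esac
        printf '%s:%d: %s\n' "$rules" "$n" "$verdict"
    done < "$rules"
    return $status
}
# Constructed sample rules file (not a real system file) with the three
# variants discussed in the thread for the Nitrokey FIDO U2F (20a0:4287).
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# thread's final rule: owner pin plus group
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", OWNER="django", GROUP="plugdev", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287"
# the 666 alternative
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0666", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287"
# seat-ACL variant: no owner pin, logind grants access to the active session
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", GROUP="plugdev", TAG+="uaccess", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287"
EOF
    echo "$f"
}

# Demo: exit status is 1 because of the 0666 line
sample=$(write_sample_rules)
audit_hidraw_rules "$sample" 20a0 4287 || echo "=> at least one world-accessible rule"
rm -f "$sample"
```

Run it against a real file such as /etc/udev/rules.d/41-nitrokey.rules with the ids from the syslog lines above to see which variant your host actually applies.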


#7

I’ve summarized my experiences on this topic here:
https://wiki.mailserver.guru/doku.php/centos:nitrokey:fidou2f