Closed Bug 1434277 Opened 6 years ago Closed 6 years ago

Web Authentication, U2F - Document Dependencies for Common Linux Distributions

Categories

(Core :: DOM: Device Interfaces, enhancement, P3)

60 Branch
All
Linux
enhancement

Tracking

RESOLVED FIXED
Tracking Status
relnote-firefox --- -
firefox60 --- wontfix

People

(Reporter: jcj, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [webauthn] [u2f])

Web Authentication (and U2F) on Linux depend on libudev, but also require access to the /dev/hidraw devices to function.

* In Fedora, this means Firefox has a dependency on u2f-hidraw-policy [1]. 
* For Arch, there might be manual configuration needed [2].
* It appears that for Debian, there is likely a dependency on libhidapi-hidraw0 [3] but I haven't tested it.
* SUSE also appears to have a dependency on libhidapi-hidraw0, but that's also unconfirmed.


I have also not collected this information for any other Linux distributions.

We should consider including the final information in the release notes for Firefox 60. Marking this relnote-firefox.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1513968
[2] https://wiki.archlinux.org/index.php/yubikey#Yubikey_not_acting_as_HID_device
[3] https://groups.google.com/d/msg/mozilla.dev.platform/UW6WMmoDzEU/sfIjwEIDBgAJ
It's my understanding that on Debian it _should_ just work, and if not I think this is something we should fix in Debian and Mozilla shouldn't care about it. In Debian stable I do get the right permission. The permissions are set correctly by default by the udev package, which gives permission to the plugdev group.

In Debian testing something seems to have changed. My current understanding is that logind would set up an ACL, but I'm testing this on a system without systemd/logind which is probably why it broke for me, but should work for most other users. I didn't have time to file a bug in Debian yet about it.
I tried removing libhidapi-hidraw0 on Debian, and it still works. It's really just a library used by the u2f-host tool/library.
The Debian changelog for udev 229-6 says:
  * Add debian/extra/rules/70-debian-uaccess.rules: Make FIDO U2F dongles
    accessible to the user session. This avoids having to install libu2f-host0
    (which isn't discoverable at all) to make those devices work.
    (LP: #1387908)

libu2f-host0 depends on libhidapi-hidraw0.

It's at least my understanding that Firefox doesn't need this (on Debian), that the udev rules should just make it work.
At least my problem on Debian was that I still had consolekit installed instead of libpam-systemd. This will probably be fixed so that others don't run into this.

But things might change in the future. The udev files to set up the permissions are now in udev, but they don't want to ship it anymore and it's also part of the libu2f-udev package. So in the future it might be that you need to install that. It might also be that instead of this list of devices we might want to go with the Fedora approach and use the u2f-hidraw-policy software you've mentioned before.
Kurt, the udev rules were dropped from the udev Debian package in 237-2 (https://bugs.debian.org/889665) so as of buster the libu2f-udev package is necessary.  I guess we need to figure out on the Debian side how to make sure that gets installed when needed.
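
An added diagnostic example, not part of the bug comments or of Firefox: it lists hidraw nodes whose HID report descriptor declares the FIDO usage page (0xF1D0) and reports whether the current user can open them read/write, which is the access the udev rules and logind ACLs discussed above are meant to grant. The function names are assumptions made for this example; the paths are the standard Linux sysfs and /dev locations.

```python
import os
from pathlib import Path

FIDO_USAGE_PAGE = 0xF1D0  # HID usage page assigned to the FIDO Alliance

def declares_fido_usage_page(desc: bytes) -> bool:
    """Walk the HID report descriptor item by item (not a raw byte search)."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long item: size byte, tag byte, then data
            if i + 1 >= len(desc):
                break
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]  # short item data length
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:
            break  # truncated descriptor
        # Global item with tag 0 is "Usage Page" (prefix 0x05, 0x06 or 0x07).
        if prefix & 0xFC == 0x04 and int.from_bytes(data, "little") == FIDO_USAGE_PAGE:
            return True
        i += 1 + size
    return False

def find_fido_hidraw(sys_root="/sys/class/hidraw", dev_root="/dev"):
    """Return [(device node, current user has read/write access)] for FIDO tokens."""
    results = []
    for node in sorted(Path(sys_root).glob("hidraw*")):
        try:
            desc = (node / "device" / "report_descriptor").read_bytes()
        except OSError:
            continue  # descriptor not readable; skip this node
        if not declares_fido_usage_page(desc):
            continue  # keyboard, mouse, or other non-FIDO HID device
        dev = Path(dev_root) / node.name
        # os.access asks the kernel, so group membership and ACLs both count.
        results.append((str(dev), os.access(dev, os.R_OK | os.W_OK)))
    return results

if __name__ == "__main__":
    for dev, ok in find_fido_hidraw():
        print(f"{dev}: {'accessible' if ok else 'NO ACCESS (check udev rules / session ACL)'}")
```

A token that is plugged in but reported as not accessible points at missing udev rules or a session without the expected ACL, rather than at the browser.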
We're about to ship 60 next week, do we have some consolidated documentation on dependencies here?

We can then update the Linux section of https://www.mozilla.org/en-US/firefox/60.0/system-requirements/
To my knowledge, we've collected only what's here in-bug.
Assignee: ttaubert → nobody
Status: ASSIGNED → NEW
Unassigned, P1, is this a critical bug or is it okay to bounce down to P2?
Flags: needinfo?(kyle)
Moving to P3 for now, as WebAuthn is on maintenance until jcj gets back (unfortunately can't ni until then), and I'll let him triage it again when he is.
Flags: needinfo?(kyle)
Priority: P1 → P3
WONTFIX per jcjones on IRC.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: mozilla60 → ---
It's been a while since this shipped. There's guidance out there already, probably just let this go.