Firefox prompts repeatedly for smartcard password
Categories: Core :: Security: PSM, defect, P1
People: Reporter: jhaiduce, Assigned: keeler
Whiteboard: [psm-assigned]
Attachments (3 files, 1 obsolete file): two screenshots (image/png, 69.54 KB and 172.79 KB) and one Phabricator request (text/x-phabricator-request, 48 bytes; RyanVM: approval-mozilla-esr91+)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Steps to reproduce:
- Install Firefox
- Install OpenSC
- Visit a site that requires smartcard authentication
- Change network (e.g. disconnect and reconnect VPN)
Actual results:
Firefox repeatedly prompts for the smartcard password whenever the network changes. The user has to dismiss a dozen or so password prompts before the browser can be used again. Then at least one of the open browser windows becomes unresponsive to mouse clicks, requiring a restart of the browser.
Expected results:
Firefox should only prompt for the smartcard password once, until the smartcard is removed. After the smartcard password is entered or the password dialog dismissed, the browser should continue to operate normally.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 3•3 years ago
Hi John, thanks for filing this. Are you able to provide screenshots of the prompt (or prompts) that appear? That will help us narrow down what is going on here. Additionally, are there any test sites that utilize OpenSC that we can check out in order to reproduce?
Comment 4•3 years ago (Reporter)
Password prompt that appears inside the browser window. Typically this prompt appears after a change of network environment (connect/disconnect). After pressing Enter or Cancel the prompt closes and reappears immediately. This cycle repeats several times before the password prompt stops appearing and the browser can be used again.
Comment 5•3 years ago (Reporter)
Password prompt outside the browser window. Typically, several of these windows appear upon change of network environment. Sometimes they are responsive to keyboard/mouse input, sometimes not. When the password dialog does not respond to user input, it is often because another password dialog (below the first) has focus. In that case the user has to drag the overlying password prompts aside to find the password dialog underneath that can be dismissed by pressing Cancel. After that the remaining password dialogs can be dismissed.
Comment 6•3 years ago (Reporter)
Hi Tim, thanks for your quick response.
(In reply to Tim Giles [:tgiles] from comment #3)
> Are you able to provide screenshots of the prompt (or prompts) that appear?
I've uploaded a couple of screenshots. One shows a couple of password prompts that appear outside the browser window; the other shows a password prompt inside the browser window. Normal behavior for smartcard usage in Firefox is that the browser displays a password prompt in the browser like the one in comment #4, but only does so once (assuming the user enters the correct password).
So what happens in my setup is that whenever the network environment changes (e.g. VPN or wifi disconnects or reconnects) I get a bunch of password prompts outside the browser window like the ones shown in comment #5. The number varies, but it's typically somewhere between two and twelve. Once I've dismissed all of those, a prompt like the one in comment #4 appears in the browser. That one reappears when I click Cancel, and does so repeatedly several times before finally staying away.
> are there any test sites that utilize OpenSC that we can check out in order to reproduce?
I'm not aware of any specifically for OpenSC. You could try https://check.dmdc.mil/, though I'm not certain whether that site will provide helpful information without a US Government issued smartcard.
Comment 7•3 years ago
Dana/pbz, I'm not sure if the problem here is all the number of prompts that should have been queued or somehow coalesced, or the number of cert / auth invalidations that should have been throttled. It looks like MattN was the last person in this code and I don't have that context. Do either of you have any insights here?
Comment 8•3 years ago (Assignee)
The UX can certainly be improved here, but I have a couple of questions for John:
- Is macOS the only platform you need? If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon be enabled by default).
- Otherwise, if you authenticate to your token when the dialog comes up, does it work as expected?
Comment 9•3 years ago (Reporter)
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)
> - Is macOS the only platform you need?
I use Linux also, but I haven't encountered this problem there. There are several possible contributing factors for that:
- My Linux machines are using CACKey rather than OpenSC to interface with the smartcard
- I've been using smartcard authentication less frequently on Linux
- The Linux machines where I use smartcard authentication are desktops with wired network connections so they don't change networks as often.
> If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon be enabled by default).
I tried that, and it seems to work so far (caveat is that I haven't made many network config changes yet). I remember trying that setting a while back (over a year ago when I first noticed it mentioned in the release notes), and it didn't work then which was why I switched to OpenSC in the first place. But osclientcerts seems to be working much better now than it did then.
> - Otherwise, if you authenticate to your token when the dialog comes up, does it work as expected?
Yes, when I visit a smartcard-enabled website and authenticate, it works as expected.
Comment 10•3 years ago (Reporter)
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)
> If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon be enabled by default).
Did a little more checking. I've visited four smartcard-enabled sites with OpenSC uninstalled and security.osclientcerts.autoload set to true. Two of them work fine, and two prompt for my smartcard password but then give errors.
https://usajobs.gov and https://check.dmdc.mil both give the following error:
An error occurred during a connection to 0f55.pivcac.prod.login.gov. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.
Error code: SEC_ERROR_PKCS11_GENERAL_ERROR
Comment 11•3 years ago (Reporter)
(In reply to John Haiducek from comment #10)
> (In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)
> > If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon be enabled by default).
> Did a little more checking. I've visited four smartcard-enabled sites with OpenSC uninstalled and security.osclientcerts.autoload set to true. Two of them work fine, and two prompt for my smartcard password but then give errors.
After restarting Firefox the certificate errors went away. https://check.dmdc.mil loads fine, but https://usajobs.gov doesn't accept my smartcard for authentication. It's been a while since I authenticated to that site with a smartcard though, so I'm not certain the authentication failure is related to Firefox. In the meantime I've temporarily locked my account at usajobs.gov so I have to wait a few minutes before I can try again to confirm whether I can authenticate to usajobs.gov with a different configuration.
Comment 12•3 years ago (Reporter)
(In reply to John Haiducek from comment #11)
> https://usajobs.gov doesn't accept my smartcard for authentication. It's been a while since I authenticated to that site with a smartcard though, so I'm not certain the authentication failure is related to Firefox. In the meantime I've temporarily locked my account at usajobs.gov so I have to wait a few minutes before I can try again to confirm whether I can authenticate to usajobs.gov with a different configuration.
The most recent failure on usajobs.gov was due to a problem with my account settings on that site, unrelated to Firefox.
Comment 13•3 years ago
Looks like these prompts are shown via nsIPrompt#promptPassword, which is implemented in LoginManagerAuthPrompter.jsm:
https://searchfox.org/mozilla-central/rev/0e8b28fb355afd2fcc69d34e8ed66bbabf59a59a/toolkit/components/passwordmgr/LoginManagerAuthPrompter.jsm#512
It doesn't look like the prompt implementation merges these. That means the consumer (NSS) needs to ensure there are no duplicates.
Comment 14•3 years ago
I agree with Paul, NSS looks like the right component to handle this issue.
I'll move the component, but also feel free to move it back if this can/should be fixed in the prompt implementation.
Comment 17•3 years ago (Assignee)
John, can you do me a favor and see if this build behaves more like you'd expect? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/aECUfCw2RpyzKP1pDqhQYg/runs/0/artifacts/public/build/target.dmg
Comment 18•3 years ago (Reporter)
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #17)
> John, can you do me a favor and see if this build behaves more like you'd expect? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/aECUfCw2RpyzKP1pDqhQYg/runs/0/artifacts/public/build/target.dmg
I think that build improves things. I did find that I got a lot of password prompts in my initial test (which had OpenSC loaded and security.osclientcerts.autoload set to True). But the problem doesn't appear in other configurations.
More details:
- I initially tried loading OpenSC using the file 'opensc-pk11.so'. I'm pretty sure that's what I was using before, but when googling to check the path to it I found instructions that said to use 'onepin-opensc-pk11.so'. I tried both.
- In my first attempt I used 'opensc-pk11.so' with security.osclientcerts.autoload set to True. That configuration did produce a lot of password prompts similar to what I reported initially. Most were the style that Firefox produces when using OpenSC, but once per website I got a prompt of the style that I normally get from the OS. As before, a change of network configuration produced a bunch of password prompts.
- If I use 'onepin-opensc-pk11.so' instead of 'opensc-pk11.so', the excessive password prompts go away. Similarly, if I use 'opensc-pk11.so' with security.osclientcerts.autoload set to False, the excessive password prompts also go away.
Comment 19•3 years ago (Assignee)
In general, if you can just use osclientcerts instead of the opensc modules, I would recommend that, since that will never cause Firefox to open a password dialog like attachment 9221885 [details].
That aside, how many different slots do each of onepin-opensc-pk11.so and opensc-pk11.so have, when you load them? You might be getting one prompt per slot, and attachment 9231463 [details] wouldn't change that. Another question is maybe the browser is behaving a bit differently from how I'm assuming it is. Would you be able to get stack traces of the browser when it opens these prompts? You could use the "sample" functionality of the macOS system monitor. Another thing that might work would be to capture a profile with https://profiler.firefox.com/.
Comment 20•3 years ago (Reporter)
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #19)
> In general, if you can just use osclientcerts instead of the opensc modules, I would recommend that, since that will never cause Firefox to open a password dialog like attachment 9221885 [details].
That's what I've been doing on my main session, since you recommended it earlier.
> That aside, how many different slots do each of onepin-opensc-pk11.so and opensc-pk11.so have, when you load them?
I only have one slot at a time; I delete one before adding the other.
> Another question is maybe the browser is behaving a bit differently from how I'm assuming it is. Would you be able to get stack traces of the browser when it opens these prompts? You could use the "sample" functionality of the macOS system monitor. Another thing that might work would be to capture a profile with https://profiler.firefox.com/.
I'll get back with you on that; I'm not familiar with those tools so it may take me a little while to get a trace with them.
Comment 21•3 years ago (Assignee)
Actually, you might try this build instead: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/cHff-eBkRyqd-ERKU_yjXA/runs/0/artifacts/public/build/target.dmg
Comment 22•3 years ago (Reporter)
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #21)
> Actually, you might try this build instead: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/cHff-eBkRyqd-ERKU_yjXA/runs/0/artifacts/public/build/target.dmg
I'm able to reproduce the problem with this build as well, when I have both the OpenSC module loaded and security.osclientcerts.autoload set to True. It no longer seems to matter whether I use onepin-opensc-pk11.so or opensc-pk11.so. I also get prompted for my smartcard password upon opening Firefox in this configuration, even though no smartcard-enabled sites are open.
Comment 23•3 years ago (Reporter)
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #19)
> Another question is maybe the browser is behaving a bit differently from how I'm assuming it is. Would you be able to get stack traces of the browser when it opens these prompts? You could use the "sample" functionality of the macOS system monitor. Another thing that might work would be to capture a profile with https://profiler.firefox.com/.
I was able to generate a profile with profiler.firefox.com, but unfortunately I'm not comfortable uploading it since it contains sensitive information and I'm not sure how to strip that out (hopefully my actual login credentials aren't in there, but the profile also contains information such as file URLs from non-public websites).
Comment 24•3 years ago (Assignee)
Apparently by default any personal information is removed when you upload a profile. If you prefer, you could export it and send it to me (my email address is my bugzilla account). Alternatively, sampling the process in the system monitor shouldn't include any personal information either.
Comment 25•3 years ago (Reporter)
I saved the profile with resource URLs and screenshots stripped out; I'll send it to you shortly.
Comment 26•3 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 27•3 years ago
Hi, John. Can you double-check that you sent that profile yet?
Comment 28•3 years ago (Assignee)
John sent it. The issue is not necessarily repeated prompts to authenticate to the same slot, so the approach in attachment 9231463 [details] won't work.
Comment 30•3 years ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2501aeee00c5
avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r=rmf
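An added illustration of the idea in the commit title above and in comments 13 and 19 (the prompt layer does not merge prompts, so the caller must avoid raising them). This is a constructed model, not Firefox or NSS code, and it reflects my reading of the fix's title rather than the landed patch, which is not shown on this page: token labels, certificate issuers and the prompt counts are all made up.

```python
# Added model, not Firefox/NSS code: why logging in to every PKCS#11 token
# while merely searching for a client certificate multiplies PIN prompts,
# and how deferring the login to the token that holds the chosen
# certificate avoids it. Token labels, cert issuers and counts are made up.
from dataclasses import dataclass


@dataclass
class Token:
    """One PKCS#11 slot/token. Certificates are public objects readable
    without a PIN; only private-key use requires a login."""
    label: str
    cert_issuers: list          # issuer DN of each client cert on the token
    logged_in: bool = False
    pin_prompts: int = 0        # times the user was asked for this token's PIN

    def login(self, pin_prompt):
        # Every prompt is counted, since the prompts are the bug.
        if not self.logged_in:
            self.pin_prompts += 1
            self.logged_in = pin_prompt(self.label)

    def drop_session(self):
        # Models the reporter's network change / card re-insert: the
        # token's login state is gone, so the next use needs a new login.
        self.logged_in = False


def find_cert_login_first(tokens, acceptable_issuer, pin_prompt):
    """Old behaviour: authenticate to each token before inspecting it,
    so tokens that hold no matching certificate still prompt."""
    for tok in tokens:
        tok.login(pin_prompt)
        if acceptable_issuer in tok.cert_issuers:
            return tok.label
    return None


def find_cert_login_deferred(tokens, acceptable_issuer, pin_prompt):
    """Fixed behaviour: match certificates without a PIN and log in only
    to the token whose certificate is actually selected."""
    for tok in tokens:
        if acceptable_issuer in tok.cert_issuers:
            tok.login(pin_prompt)
            return tok.label
    return None


def prompts_after_reconnects(strategy, reconnects=3):
    """Run one client-cert search per simulated network change and
    return the total number of PIN prompts the user would have seen."""
    tokens = [Token("opensc", ["CN=Corp Issuing CA"]),
              Token("osclientcerts", ["CN=Test Lab CA"]),
              Token("piv", ["CN=Gov Issuing CA"])]   # the one that matches
    for _ in range(reconnects):
        strategy(tokens, "CN=Gov Issuing CA", lambda label: True)
        for tok in tokens:
            tok.drop_session()
    return sum(tok.pin_prompts for tok in tokens)
```

With three tokens and three simulated reconnects, the login-first search produces nine prompts while the deferred search produces three, one per reconnect for the token that actually holds the selected certificate.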
Comment 31•3 years ago
bugherder
Comment 33•3 years ago (Assignee)
[Tracking Requested - why for this release]: ESR users are more likely to be negatively impacted by this bug
Comment 34•3 years ago (Assignee)
Comment on attachment 9235881 [details]
Bug 1710731 - avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r?rmf
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: ESR users are more likely to need third-party PKCS#11 modules with client certificates. This bug makes Firefox much less usable in setups like that.
- User impact if declined: Potentially spamming users with PKCS#11 module PIN prompts.
- Fix Landed on Version: 93
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch essentially reverts Firefox back to previous behavior in some situations, so it shouldn't be that risky. Also, the patch is relatively small.
- String or UUID changes made by this patch: none
Comment 35•3 years ago
Comment on attachment 9235881 [details]
Bug 1710731 - avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r?rmf
Approved for 91.3esr.
Comment 36•3 years ago
bugherder uplift
Comment 37•3 years ago
John, could you please verify if this is fixed using Firefox 91.3 ESR build? Thank you!
Comment 38•3 years ago (Reporter)
(In reply to Petruta Horea [:phorea] from comment #37)
> John, could you please verify if this is fixed using Firefox 91.3 ESR build? Thank you!
Maybe? When I test with that build the behavior is different from what I reported, but it isn't the expected behavior either. If I attempt to sign in to a smartcard-enabled site after removing and re-inserting the smartcard, I get prompted for my PIN 3-4 times and then get a login failure (either SEC_ERROR_TOKEN_NOT_LOGGED_IN or a site-specific error screen, depending on the site). A subsequent attempt to log in to the same site succeeds without presenting any additional prompts for the PIN.
Comment 39•3 years ago
(In reply to John Haiducek from comment #38)
> Maybe? When I test with that build the behavior is different from what I reported, but it isn't the expected behavior either. If I attempt to sign in to a smartcard-enabled site after removing and re-inserting the smartcard, I get prompted for my PIN 3-4 times and then get a login failure (either SEC_ERROR_TOKEN_NOT_LOGGED_IN or a site-specific error screen, depending on the site). A subsequent attempt to log in to the same site succeeds without presenting any additional prompts for the PIN.
Thank you for testing; we don't own working smartcards.
Dana, considering John's answer above, is it possible for this uplift to require something extra for ESR?
Comment 40•3 years ago (Assignee)
That sounds like a different bug. John, can you open a new bug with steps to reproduce the issue? Thanks.
Comment 42•3 years ago (Reporter)
Opened Bug #1740149 describing the new issue found in Firefox 91.3 ESR.
Comment 43•3 years ago
Thanks everyone for your help!
Considering the above comments and reporter's answer from duplicate bug 1734810 about the issue being fixed in Fx 91.3esr, I'm closing this as verified fixed.