Regression: YubiKey (U2F) not reliably recognized anymore with Snap builds
Categories
(Firefox Build System :: Third Party Packaging, defect, P2)
Tracking
(Not tracked)
People
(Reporter: dev+mozilla, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
356.30 KB,
image/png
|
Details |
This is with Firefox 125.0 installed via Snap on Kubuntu Linux 23.10 with Kernel 6.5.0.
I'm using my YubiKey Neo as second factor via U2F for my accounts at Heroku, Google, GitHub, TYPO3 and Bitwaren. This is the device description my system logs when I insert my YubiKey:
Yubico YubiKey OTP+FIDO+CCID
A few days ago (possibly after a Firefox update, but I'm not completely sure, as I do all updates in a timely manner), using the YubiKey U2F for 2FA stopped working reliably anymore in Firefox: Most of the times, the website does not register when I touch the pad on the YubiKey, and sometimes it still does.
My private GPG key on the key is still working fine, and U2F on Chrome also continues to work reliably.
We have the same problem on a different computer (also Kubuntu 23.10, also on Firefox) with a different YubiKey on different accounts.
Comment 1•6 months ago
|
||
Can you please try a regular (non-snap) Firefox build?
Updated•6 months ago
|
Reporter | ||
Comment 2•6 months ago
|
||
I've just tested with Firefox 125.0.1 downloaded as tgz: In this non-Snap version, the problem does indeed not occur (anymore).
Very strangely, now with the Snap version of Firefox, the problem doesn't occur anymore.
Reporter | ||
Comment 3•6 months ago
|
||
Are there any logs that would be helpful to send (syslog? Firefox console?) to help track this down?
Comment 4•6 months ago
|
||
I'm having the same issue with:
- Firefox 124.0.2, Snap on Ubuntu 22.04.4 LTS
- Yubikey 5C NFC
Using my yubikey worked reliable for months (mainly for GitHub login), but since somewhere last week it stopped working.
It still works in Chromium (124.0.6367.60, snap)
Updated•6 months ago
|
Comment 6•6 months ago
|
||
While not yet merged, it is possible to run mozregression
on Snap builds, https://github.com/lissyx/mozregression/tree/tc-snap-upstream
Comment 7•6 months ago
|
||
(and I just tested, my Firefox 125 on Snap works well with yubikey, tested on https://webauthn.io on 23.10)
Amin, is there something on 22.04 which might be regressed and not on newer versions?
Comment 8•6 months ago
|
||
$ snap info firefox
name: firefox
summary: Mozilla Firefox web browser
publisher: Mozilla✓
store-url: https://snapcraft.io/firefox
contact: https://support.mozilla.org/kb/file-bug-report-or-feature-request-mozilla
license: unset
description: |
Firefox is a powerful, extensible web browser with support for modern web application
technologies.
commands:
- firefox
- firefox.geckodriver
snap-id: 3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
tracking: latest/stable
refresh-date: Il y a 4 jours, à 13 h 21 HNR
channels:
latest/stable: 125.0.2-1 2024-04-22 (4173) 282MB -
latest/candidate: 125.0.2-1 2024-04-19 (4173) 282MB -
latest/beta: 126.0b3-1 2024-04-19 (4170) 285MB -
latest/edge: 127.0a1 2024-04-22 (4179) 303MB -
esr/stable: 115.10.0esr-1 2024-04-16 (4126) 256MB -
esr/candidate: 115.10.0esr-1 2024-04-11 (4126) 256MB -
esr/beta: ↑
esr/edge: ↑
installed: 125.0-1 (4136) 282MB -
$ snap connections firefox
Interface Connecteur Prise Notes
alsa firefox:alsa - -
audio-playback firefox:audio-playback :audio-playback -
audio-record firefox:audio-record :audio-record -
avahi-observe firefox:avahi-observe :avahi-observe -
browser-support firefox:browser-sandbox :browser-support -
camera firefox:camera :camera -
content[gnome-42-2204] firefox:gnome-42-2204 gnome-42-2204:gnome-42-2204 -
content[gtk-3-themes] firefox:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] firefox:icon-themes gtk-common-themes:icon-themes -
content[sound-themes] firefox:sound-themes gtk-common-themes:sound-themes -
cups-control firefox:cups-control :cups-control -
dbus - firefox:dbus-daemon -
desktop firefox:desktop :desktop -
desktop-legacy firefox:desktop-legacy :desktop-legacy -
gsettings firefox:gsettings :gsettings -
hardware-observe firefox:hardware-observe :hardware-observe -
home firefox:home :home -
joystick firefox:joystick :joystick -
mount-control firefox:host-hunspell :mount-control -
mpris - firefox:mpris -
network firefox:network :network -
network-bind firefox:network-bind :network-bind -
network-observe firefox:network-observe - -
opengl firefox:opengl :opengl -
personal-files firefox:dot-mozilla-firefox :personal-files -
removable-media firefox:removable-media :removable-media -
screen-inhibit-control firefox:screen-inhibit-control :screen-inhibit-control -
system-files firefox:etc-firefox :system-files -
system-packages-doc firefox:system-packages-doc :system-packages-doc -
u2f-devices firefox:u2f-devices :u2f-devices -
unity7 firefox:unity7 :unity7 -
upower-observe firefox:upower-observe :upower-observe -
wayland firefox:wayland :wayland -
x11 firefox:x11 :x11 -
Comment 9•6 months ago
|
||
(In reply to stefaan.lippens from comment #4)
I'm having the same issue with:
- Firefox 124.0.2, Snap on Ubuntu 22.04.4 LTS
- Yubikey 5C NFC
Using my yubikey worked reliable for months (mainly for GitHub login), but since somewhere last week it stopped working.
It still works in Chromium (124.0.6367.60, snap)
Can you check snap connections firefox
and especially if you have:
u2f-devices firefox:u2f-devices :u2f-devices -
I think this is used for any of those keys
Comment 10•6 months ago
|
||
This is where I'm stuck on when I disconnect the u2f-device
plug of snap:
$ snap connections firefox
[...]
u2f-devices firefox:u2f-devices - -
[...]
Comment 11•6 months ago
|
||
Ok so now it is not working anymore for me as well, even after reconnecting
Comment 12•6 months ago
|
||
Unfortunately, I cannot use mozregression
because:
snap connect
frommozregression
hit https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2043993- not doing
snap refresh
we have non working u2f interface at all - doing
snap refresh
updates us to latest version ...
Comment 13•6 months ago
|
||
Comment 14•6 months ago
|
||
So if I start snap run firefox
with the key plugged in, then it works
Comment 15•6 months ago
|
||
I'm not aware of any related regressions on 22.04. Sadly I can't do any testing for this at the moment because I don't have any U2F devices, but I will look into acquiring one and see if I can reproduce the issue and/or find out anything more.
I wonder if Firefox's Browser Console (Ctrl+Shift+J) might show any relevant error messages? Also, since the issue occurs with the Firefox snap, I'd recommend looking over https://snapcraft.io/docs/debug-snaps for some general tips for debugging snap packages for issues like apparmor policy violations, etc., and gathering and providing more logs that may help diagnose the issue.
Comment 16•6 months ago
|
||
(In reply to Oliver Klee from comment #3)
Are there any logs that would be helpful to send (syslog? Firefox console?) to help track this down?
I can't find any, but maybe :jschanck knows?
Updated•6 months ago
|
Comment 17•6 months ago
|
||
When plugging the yubikey AFTER running snap run firefox
:
- nothing in
sudo snappy-debug
about:webauthn
shows no info- browser console or tab console does not show any error
Updated•6 months ago
|
Comment 18•6 months ago
|
||
i'm reproducing the same behavior on 23.10 with the yubioath-desktop
snap:
snap run yubioath-desktop
without the yubikey plugged: not detected- plug the yubikey then
snap run yubioath-desktop
: detected
Comment 19•6 months ago
|
||
You could try setting MOZ_LOG=authenticator::*:5
.
Comment 20•6 months ago
|
||
Cross linking -- there appears to be some discussion at https://bugs.launchpad.net/snapd/+bug/2062148, which appears to indicate a potential fix is coming in the next snapd.
Updated•6 months ago
|
Updated•6 months ago
|
Comment 21•5 months ago
|
||
I'm seeing the same problem using the "firefox-next" beta build without snap since at least 125, on Ubuntu 23.10, eg:
❯ apt-cache policy firefox
firefox:
Installed: 126.0~b9+build1-0ubuntu0.23.10.1
Candidate: 126.0~b9+build1-0ubuntu0.23.10.1
Version table:
1:1snap1-0ubuntu3 -10
500 http://nz.archive.ubuntu.com/ubuntu mantic/main amd64 Packages
*** 126.0~b9+build1-0ubuntu0.23.10.1 1001
1001 https://ppa.launchpadcontent.net/mozillateam/firefox-next/ubuntu mantic/main amd64 Packages
100 /var/lib/dpkg/status
The site will ask for the button on the hardware token to be pressed, but it never lights up. In my case, this is true of three different Yubikeys, which otherwise work with Yubico Authenticator, and did work in the browser a few versions back.
A glance at /etc/apt/history.log*
indicates that I hopped from 122.0b9+build1-0ubuntu0.23.10.1 to 125.0b6+build1-0ubuntu0.23.10.1, and it was running 125 where I first observed the problem, today (2024-05-04). Upgrading to 126 has not helped, sadly.
Hopefully that's enough to bisect the u2f code.
Comment 22•5 months ago
|
||
Hello, I have noticed this today, wanted to provide a few things that may help. This is using the snap release.
I am on Firefox 125.0 on Ubuntu 22.04.02. I started noticing the issue today, where I was suddenly unable to log into Slack or anything that required my Yubikey.
- My yubikey will flash, and Firefox will prompt for a Yubikey, but nothing will happen when I touch that Yubikey.
- If I open Firefox in safe mode, Yubikeys will begin to work for both the safe mode browser and the Firefox instance that was already open. I have no extensions that would cause issues with the Yubikey (Indie Wiki Buddy and Reddit Enhancement Suite, neither of which are active when this presents).
- This only occurs when attempting to use FIDO2 auth. I have a PIN on my Yubikey for FIDO. The yubikey will work just fine when attempting to auth into Github using it as a passkey, but attempting to log into it into a website that uses it with FIDO2 (and needs a PIN prompt) fails.
Updated•5 months ago
|
Comment 23•5 months ago
|
||
Okay I got my hands on a Yubikey and tested with it, and was able to reproduce the issue.
As hinted at by the two "See Also" links added by gerard-majax, this appears to be a snapd 2.62 regression, and should be fixed in the upcoming snapd 2.63 release. If you'd like to switch to that and test it right now, you can run sudo snap refresh --beta snapd
, and later when 2.63 is released to stable run sudo snap refresh --stable snapd
to switch back to stable. If that's not an option for you, plugging in the Yubikey before launching the Firefox snap seems to work reliably as a temporary workaround.
Comment 24•5 months ago
|
||
The severity field is not set for this bug.
:gerard-majax, could you have a look please?
For more information, please visit BugBot documentation.
Updated•5 months ago
|
Comment 25•5 months ago
|
||
This problem seems not to be specific to Snap. I use Firefox Nightly 128.0a1 (2024-05-19) (not snap, installed from Mozilla's tarball) and i have same problem with Hypersecu HyperFIDo device (its legacy U2F usb device).
Attempts to register new credentials on https://webauthn.io/ does not cause device to start flash lights, pushing button do nothing. Other Webauthn test sites - same result. Device is OK, since both pamu2fcfg and Chrome works just fine with it.
Searching web also shows some results from Reddit where people complain about their FIDO devices just stop working month or two ago.
Starting fresh profile dont fix problem. Current stable version have same result.
I will try to dig it more.
Comment 26•5 months ago
|
||
I tried to run Nightly with MOZ_LOG=authenticator::*:5 and this is that i got (not much) while trying to register on Webauthn.io (actual FIDO device is /dev/hidraw7). All Firefox Webauthn setting is default.
[Parent 1061000: Unnamed thread 7fd8d22624c0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d2262940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d2262dc0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d22624c0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d22624c0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw0")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd8d2262700]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw5")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd8d2262940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw4")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd8d2262940]: I/authenticator::* [authenticator::transport::platform::device] new device "/dev/hidraw7"
[Parent 1061000: Unnamed thread 7fd8d2262940]: W/authenticator::* [authenticator::statemachine] error while initializing device: Error: Error issuing command: CommandError: Input is too small
[Parent 1061000: Main Thread]: I/authenticator::* [authenticator::statemachine] Statemachine was cancelled. Cancelling transaction now.
[Parent 1061000: Main Thread]: I/authenticator::* [authenticator::transport::platform::transaction] Transaction was cancelled.
[Parent 1061000: Unnamed thread 7fd89a9b93a0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd89a9b93a0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd888e47940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw4")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd89a9b93a0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw0")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd888e47940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw5")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd89a987ee0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd89a9b94c0]: I/authenticator::* [authenticator::transport::platform::device] new device "/dev/hidraw7"
[Parent 1061000: Unnamed thread 7fd89a9b9160]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd89a9b94c0]: W/authenticator::* [authenticator::statemachine] error while initializing device: Error: Error issuing command: CommandError: Input is too small
[Parent 1061000: IPDL Background]: I/authenticator::* [authenticator::statemachine] Statemachine was cancelled. Cancelling transaction now.
[Parent 1061000: IPDL Background]: I/authenticator::* [authenticator::transport::platform::transaction] Transaction was cancelled.
[Parent 1061000: Unnamed thread 7fd871e6bb80]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8
Comment 27•5 months ago
|
||
On the debian package beta builds on Ubuntu 23.10, 126.0b9 in this case, the problem I seem to be having is the Yubikey is not working when plugged into a hub but is working when plugged directly into a motherboard USB socket.
lsusb --tree
when plugged into the hub:
...
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/10p, 480M
|__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 1: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 4: Dev 15, If 0, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 4: Dev 15, If 1, Class=Chip/SmartCard, Driver=usbfs, 12M
...
...and directly into a motherboard USB A socket:
...
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/10p, 480M
|__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 1: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 3: Dev 16, If 0, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 3: Dev 16, If 1, Class=Chip/SmartCard, Driver=usbfs, 12M
...
So it looks like some code that used to correctly scan the whole USB tree is no longer doing that.
Comment 28•4 months ago
|
||
With snapd 2.63 having been released to stable, this can be closed as fixed.
Description
•