Closed Bug 1892628 Opened 6 months ago Closed 4 months ago

Regression: YubiKey (U2F) not reliably recognized anymore with Snap builds

Categories

(Firefox Build System :: Third Party Packaging, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dev+mozilla, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

This is with Firefox 125.0 installed via Snap on Kubuntu Linux 23.10 with Kernel 6.5.0.

I'm using my YubiKey Neo as second factor via U2F for my accounts at Heroku, Google, GitHub, TYPO3 and Bitwaren. This is the device description my system logs when I insert my YubiKey:

Yubico YubiKey OTP+FIDO+CCID

A few days ago (possibly after a Firefox update, but I'm not completely sure, as I do all updates in a timely manner), using the YubiKey U2F for 2FA stopped working reliably anymore in Firefox: Most of the times, the website does not register when I touch the pad on the YubiKey, and sometimes it still does.

My private GPG key on the key is still working fine, and U2F on Chrome also continues to work reliably.

We have the same problem on a different computer (also Kubuntu 23.10, also on Firefox) with a different YubiKey on different accounts.

Can you please try a regular (non-snap) Firefox build?

Flags: needinfo?(dev+mozilla)
Component: General → DOM: Web Authentication
Product: Firefox → Core

I've just tested with Firefox 125.0.1 downloaded as tgz: In this non-Snap version, the problem does indeed not occur (anymore).

Very strangely, now with the Snap version of Firefox, the problem doesn't occur anymore.

Flags: needinfo?(dev+mozilla)

Are there any logs that would be helpful to send (syslog? Firefox console?) to help track this down?

I'm having the same issue with:

  • Firefox 124.0.2, Snap on Ubuntu 22.04.4 LTS
  • Yubikey 5C NFC

Using my yubikey worked reliable for months (mainly for GitHub login), but since somewhere last week it stopped working.

It still works in Chromium (124.0.6367.60, snap)

Component: DOM: Web Authentication → Release Automation: Snap
Product: Core → Release Engineering
Duplicate of this bug: 1892476

While not yet merged, it is possible to run mozregression on Snap builds, https://github.com/lissyx/mozregression/tree/tc-snap-upstream

(and I just tested, my Firefox 125 on Snap works well with yubikey, tested on https://webauthn.io on 23.10)

Amin, is there something on 22.04 which might be regressed and not on newer versions?

Flags: needinfo?(bandali)
$ snap info firefox 
name:      firefox
summary:   Mozilla Firefox web browser
publisher: Mozilla✓
store-url: https://snapcraft.io/firefox
contact:   https://support.mozilla.org/kb/file-bug-report-or-feature-request-mozilla
license:   unset
description: |
  Firefox is a powerful, extensible web browser with support for modern web application
  technologies.
commands:
  - firefox
  - firefox.geckodriver
snap-id:      3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
tracking:     latest/stable
refresh-date: Il y a 4 jours, à 13 h 21 HNR
channels:
  latest/stable:    125.0.2-1     2024-04-22 (4173) 282MB -
  latest/candidate: 125.0.2-1     2024-04-19 (4173) 282MB -
  latest/beta:      126.0b3-1     2024-04-19 (4170) 285MB -
  latest/edge:      127.0a1       2024-04-22 (4179) 303MB -
  esr/stable:       115.10.0esr-1 2024-04-16 (4126) 256MB -
  esr/candidate:    115.10.0esr-1 2024-04-11 (4126) 256MB -
  esr/beta:         ↑                                     
  esr/edge:         ↑                                     
installed:          125.0-1                  (4136) 282MB -
$ snap connections firefox
Interface               Connecteur                      Prise                           Notes
alsa                    firefox:alsa                    -                               -
audio-playback          firefox:audio-playback          :audio-playback                 -
audio-record            firefox:audio-record            :audio-record                   -
avahi-observe           firefox:avahi-observe           :avahi-observe                  -
browser-support         firefox:browser-sandbox         :browser-support                -
camera                  firefox:camera                  :camera                         -
content[gnome-42-2204]  firefox:gnome-42-2204           gnome-42-2204:gnome-42-2204     -
content[gtk-3-themes]   firefox:gtk-3-themes            gtk-common-themes:gtk-3-themes  -
content[icon-themes]    firefox:icon-themes             gtk-common-themes:icon-themes   -
content[sound-themes]   firefox:sound-themes            gtk-common-themes:sound-themes  -
cups-control            firefox:cups-control            :cups-control                   -
dbus                    -                               firefox:dbus-daemon             -
desktop                 firefox:desktop                 :desktop                        -
desktop-legacy          firefox:desktop-legacy          :desktop-legacy                 -
gsettings               firefox:gsettings               :gsettings                      -
hardware-observe        firefox:hardware-observe        :hardware-observe               -
home                    firefox:home                    :home                           -
joystick                firefox:joystick                :joystick                       -
mount-control           firefox:host-hunspell           :mount-control                  -
mpris                   -                               firefox:mpris                   -
network                 firefox:network                 :network                        -
network-bind            firefox:network-bind            :network-bind                   -
network-observe         firefox:network-observe         -                               -
opengl                  firefox:opengl                  :opengl                         -
personal-files          firefox:dot-mozilla-firefox     :personal-files                 -
removable-media         firefox:removable-media         :removable-media                -
screen-inhibit-control  firefox:screen-inhibit-control  :screen-inhibit-control         -
system-files            firefox:etc-firefox             :system-files                   -
system-packages-doc     firefox:system-packages-doc     :system-packages-doc            -
u2f-devices             firefox:u2f-devices             :u2f-devices                    -
unity7                  firefox:unity7                  :unity7                         -
upower-observe          firefox:upower-observe          :upower-observe                 -
wayland                 firefox:wayland                 :wayland                        -
x11                     firefox:x11                     :x11                            -

(In reply to stefaan.lippens from comment #4)

I'm having the same issue with:

  • Firefox 124.0.2, Snap on Ubuntu 22.04.4 LTS
  • Yubikey 5C NFC

Using my yubikey worked reliable for months (mainly for GitHub login), but since somewhere last week it stopped working.

It still works in Chromium (124.0.6367.60, snap)

Can you check snap connections firefox and especially if you have:

u2f-devices firefox:u2f-devices :u2f-devices -

I think this is used for any of those keys

This is where I'm stuck on when I disconnect the u2f-device plug of snap:

$ snap connections firefox 
[...]
u2f-devices             firefox:u2f-devices             -                               -
[...]

Ok so now it is not working anymore for me as well, even after reconnecting

Unfortunately, I cannot use mozregression because:

I manually went back to version 122 and it was still no working, so based on comment 7 and comment 2, I suspect it's more likely to be a snapd / integration issue below firefox and unrelated with us?

So if I start snap run firefox with the key plugged in, then it works

I'm not aware of any related regressions on 22.04. Sadly I can't do any testing for this at the moment because I don't have any U2F devices, but I will look into acquiring one and see if I can reproduce the issue and/or find out anything more.

I wonder if Firefox's Browser Console (Ctrl+Shift+J) might show any relevant error messages? Also, since the issue occurs with the Firefox snap, I'd recommend looking over https://snapcraft.io/docs/debug-snaps for some general tips for debugging snap packages for issues like apparmor policy violations, etc., and gathering and providing more logs that may help diagnose the issue.

Flags: needinfo?(bandali)

(In reply to Oliver Klee from comment #3)

Are there any logs that would be helpful to send (syslog? Firefox console?) to help track this down?

I can't find any, but maybe :jschanck knows?

Flags: needinfo?(jschanck)

When plugging the yubikey AFTER running snap run firefox:

  • nothing in sudo snappy-debug
  • about:webauthn shows no info
  • browser console or tab console does not show any error
Blocks: snap
Component: Release Automation: Snap → Third Party Packaging
Product: Release Engineering → Firefox Build System

i'm reproducing the same behavior on 23.10 with the yubioath-desktop snap:

  • snap run yubioath-desktop without the yubikey plugged: not detected
  • plug the yubikey then snap run yubioath-desktop: detected

You could try setting MOZ_LOG=authenticator::*:5.

Flags: needinfo?(jschanck)

Cross linking -- there appears to be some discussion at https://bugs.launchpad.net/snapd/+bug/2062148, which appears to indicate a potential fix is coming in the next snapd.

I'm seeing the same problem using the "firefox-next" beta build without snap since at least 125, on Ubuntu 23.10, eg:

❯ apt-cache policy firefox
firefox:
  Installed: 126.0~b9+build1-0ubuntu0.23.10.1
  Candidate: 126.0~b9+build1-0ubuntu0.23.10.1
  Version table:
       1:1snap1-0ubuntu3 -10
           500 http://nz.archive.ubuntu.com/ubuntu mantic/main amd64 Packages
*** 126.0~b9+build1-0ubuntu0.23.10.1 1001
           1001 https://ppa.launchpadcontent.net/mozillateam/firefox-next/ubuntu mantic/main amd64 Packages
             100 /var/lib/dpkg/status

The site will ask for the button on the hardware token to be pressed, but it never lights up. In my case, this is true of three different Yubikeys, which otherwise work with Yubico Authenticator, and did work in the browser a few versions back.

A glance at /etc/apt/history.log* indicates that I hopped from 122.0b9+build1-0ubuntu0.23.10.1 to 125.0b6+build1-0ubuntu0.23.10.1, and it was running 125 where I first observed the problem, today (2024-05-04). Upgrading to 126 has not helped, sadly.

Hopefully that's enough to bisect the u2f code.

Hello, I have noticed this today, wanted to provide a few things that may help. This is using the snap release.

I am on Firefox 125.0 on Ubuntu 22.04.02. I started noticing the issue today, where I was suddenly unable to log into Slack or anything that required my Yubikey.

  1. My yubikey will flash, and Firefox will prompt for a Yubikey, but nothing will happen when I touch that Yubikey.
  2. If I open Firefox in safe mode, Yubikeys will begin to work for both the safe mode browser and the Firefox instance that was already open. I have no extensions that would cause issues with the Yubikey (Indie Wiki Buddy and Reddit Enhancement Suite, neither of which are active when this presents).
  3. This only occurs when attempting to use FIDO2 auth. I have a PIN on my Yubikey for FIDO. The yubikey will work just fine when attempting to auth into Github using it as a passkey, but attempting to log into it into a website that uses it with FIDO2 (and needs a PIN prompt) fails.
Summary: Regression: YubiKey (U2F) not reliably recognized anymore → Regression: YubiKey (U2F) not reliably recognized anymore with Snap builds

Okay I got my hands on a Yubikey and tested with it, and was able to reproduce the issue.

As hinted at by the two "See Also" links added by gerard-majax, this appears to be a snapd 2.62 regression, and should be fixed in the upcoming snapd 2.63 release. If you'd like to switch to that and test it right now, you can run sudo snap refresh --beta snapd, and later when 2.63 is released to stable run sudo snap refresh --stable snapd to switch back to stable. If that's not an option for you, plugging in the Yubikey before launching the Firefox snap seems to work reliably as a temporary workaround.

The severity field is not set for this bug.
:gerard-majax, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(lissyx+mozillians)
Severity: -- → S3
Flags: needinfo?(lissyx+mozillians)
Priority: -- → P2

This problem seems not to be specific to Snap. I use Firefox Nightly 128.0a1 (2024-05-19) (not snap, installed from Mozilla's tarball) and i have same problem with Hypersecu HyperFIDo device (its legacy U2F usb device).
Attempts to register new credentials on https://webauthn.io/ does not cause device to start flash lights, pushing button do nothing. Other Webauthn test sites - same result. Device is OK, since both pamu2fcfg and Chrome works just fine with it.

Searching web also shows some results from Reddit where people complain about their FIDO devices just stop working month or two ago.
Starting fresh profile dont fix problem. Current stable version have same result.

I will try to dig it more.

I tried to run Nightly with MOZ_LOG=authenticator::*:5 and this is that i got (not much) while trying to register on Webauthn.io (actual FIDO device is /dev/hidraw7). All Firefox Webauthn setting is default.

[Parent 1061000: Unnamed thread 7fd8d22624c0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d2262940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d2262dc0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d22624c0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8d22624c0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw0")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd8d2262700]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw5")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd8d2262940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw4")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd8d2262940]: I/authenticator::* [authenticator::transport::platform::device] new device "/dev/hidraw7"
[Parent 1061000: Unnamed thread 7fd8d2262940]: W/authenticator::* [authenticator::statemachine] error while initializing device: Error: Error issuing command: CommandError: Input is too small
[Parent 1061000: Main Thread]: I/authenticator::* [authenticator::statemachine] Statemachine was cancelled. Cancelling transaction now.
[Parent 1061000: Main Thread]: I/authenticator::* [authenticator::transport::platform::transaction] Transaction was cancelled.
[Parent 1061000: Unnamed thread 7fd89a9b93a0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd89a9b93a0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd888e47940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw4")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd89a9b93a0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw0")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd888e47940]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw5")): Отказано в доступе (os error 13)
[Parent 1061000: Unnamed thread 7fd89a987ee0]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd89a9b94c0]: I/authenticator::* [authenticator::transport::platform::device] new device "/dev/hidraw7"
[Parent 1061000: Unnamed thread 7fd89a9b9160]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd89a9b94c0]: W/authenticator::* [authenticator::statemachine] error while initializing device: Error: Error issuing command: CommandError: Input is too small
[Parent 1061000: IPDL Background]: I/authenticator::* [authenticator::statemachine] Statemachine was cancelled. Cancelling transaction now.
[Parent 1061000: IPDL Background]: I/authenticator::* [authenticator::transport::platform::transaction] Transaction was cancelled.
[Parent 1061000: Unnamed thread 7fd871e6bb80]: I/authenticator::* [authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[Parent 1061000: Unnamed thread 7fd8

On the debian package beta builds on Ubuntu 23.10, 126.0b9 in this case, the problem I seem to be having is the Yubikey is not working when plugged into a hub but is working when plugged directly into a motherboard USB socket.

lsusb --tree when plugged into the hub:

...
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/10p, 480M
    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M
            |__ Port 4: Dev 15, If 0, Class=Human Interface Device, Driver=usbhid, 12M
            |__ Port 4: Dev 15, If 1, Class=Chip/SmartCard, Driver=usbfs, 12M
...

...and directly into a motherboard USB A socket:

...
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/10p, 480M
    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M
    |__ Port 3: Dev 16, If 0, Class=Human Interface Device, Driver=usbhid, 12M
    |__ Port 3: Dev 16, If 1, Class=Chip/SmartCard, Driver=usbfs, 12M
...

So it looks like some code that used to correctly scan the whole USB tree is no longer doing that.

With snapd 2.63 having been released to stable, this can be closed as fixed.

Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: