Enabling Yubikeys?

alexintokyo

vimanuelt Thanks for this suggestion. I did

sudo service webcamd stop

but this returned

webcamd is not running.

So it seems to be something else. Is it perhaps possible that my locale (Japanese) is garbling the output from the Yubikey? Is there a way to switch the locale for instance to English to see whether this might make a difference?

vimanuelt

alexintokyo
That is good to know.

To temporarily switch your locale to English, you can launch Firefox with a temporary environment:

LANG=en_US.UTF-8 firefox &

or more explicitly:

LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 firefox &

That will only affect the process you launch this way, not your whole system. Then test webauthn.io and Bitwarden again.

alexintokyo

vimanuelt Thanks for this. I tried switching the locale for the Firefox with the temporary environment. It didn't allow the use of my Yubikey in either webauthn.io or in bitwarden.

I did notice though that whereas the error message returned by bitwarden before I had changed the timeserver to the jp one was:

NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.

Bitwarden is now returning the following error message to a Yubikey press:

AbortError: The operation was aborted.

vimanuelt

Do the same for fido2-token:

LC_ALL=en_US.UTF-8 fido2-token -L

If it lists the device, we know permissions and HID access are fine.

alexintokyo

vimanuelt I typed in the fido2-token command, but found that it did not return anything No list of device, no error message either...

vimanuelt

alexintokyo
Add your user to the operator group: sudo pw groupmod operator -m your-user-name-here

Log out and back in for the group change to take effect.

alexintokyo

vimanuelt I added myself to the operator group, but am still not able to get Yubikey working.

I noticed that when I press on my yubikey at the prompt "Touch your security key to continue with vault.bitwarden.com" the prompt blinks for an instant and then the error message AbortError: The operation was aborted. comes up. But then when I dismiss the "Touch your security key to continue with vault.bitwarden.com" prompt the error message changes to NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. I agree that it does seem to be an issue related to user permissions. I will search the internet to see if I can find some info regarding this error message... Thanks for all your suggestions!

alexintokyo

Having read the thread “Caja (MATE) shows wrong file timestamps due to missing TZ in GUI environment” by @Vincent and @ericbsd, I made a new file with Cana in my install and found that the timestamp of the file was 9 hours behind my JST local time which is correctly reported by date command in terminal.

I wonder whether webauthn in Firefox using Yubikey might be referencing the time from the wrong time zone in a similar way to Caja? Is there some way to check this?

vimanuelt

Japanese Standard Time is UTC +9. For example, midnight UTC is 9:00 AM Japan Standard Time.

alexintokyo

vimanuelt So shouldn't the timestamp in Caja also be in Japanese standard time, rather than UTC? And I am wondering whether the Webauthn.io was able to get the time in Japanese standard time rather than in UTC.

ericbsd

alexintokyo You should try the tzsetup in the terminal.

alexintokyo

ericbsd Thanks. Running tzsetup in the terminal fixed the file timestamp issue in Caja.

No change in Yubikey not working in Firefox though. I see from this discussion from last year on the FreeBSD Forum that other users have also found some issues with using Yubikey with Firefox, although experiences seem to differ according to each user. I'll keep looking.

ericbsd

alexintokyo I do get the same error, so I might be able to help to fix the problem.

ericbsd

I will take time to test my YubiKey. I got one last here to test and help users.

ericbsd

It seems to be something related to webauthn and Firefox. I kinda have it working, but there is something wrong.

My Firefox is protected with a password, and I set up the Yubikeys and forgot about it. So the key is working with my Firefox login, but everything related to webauthn seems not to work correctly. It's almost like it sends a cancel/abort signal. That's also how it behaves with Chromium.

Also, I found a bug with the py311-yubikey-manager. I am unsure if that affects the use of the key.

alexintokyo

ericbsd Is it possible that you are using the "long press" Yubikey slot to log in to Firefox? I myself use a "remembered password" + "long press" Yubikey-slot-2-password (very long... over 30 random characters) to log in to GhostBSD and this works fine.

On the other hand, the "short press" slot used for WebAuthn/FIDO2 challenge-response seems to result in the abort response in WebAuthn.io and Bitwarden.com among other sites when using Firefox on GhostBSD.

The same Yubikey works when I use them on Linux (Feren OS) browsers such as Firefox, Vivaldi and Floorp so it may be something to do with the bug you found in py311-yubikey-manager or some other Yubikey or WebAuthn related software which works with Firefox in GhostBSD to enable Yubikey based authentication? Perhaps either libu2f-host or u2f-devd somehow no longer works with the current version of FreeBSD/GhostBSD? Just making wild guesses here...

alexintokyo

alexintokyo I tried the Yubikey on Ungoogled Chromium on GhostBSD and found that on WebAuthn.io, it fails with the following error message:

The operation either timed out or was not allowed. 
See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

On Bitwarden.com, it fails with the following error message (translation in brackets):

エラーが発生しました。
認証がキャンセルされたか、時間がかかりすぎました。もう一度やり直してください。
(An error has occurred.
Authentication has been canceled or took too long. Please try again.)

Since yubikey fails in both Firefox and Ungoogled Chromium on GhostBSD, it may mean that the problem is not with the browsers themselves, but with libu2f-host or u2f-devd or how they work or do not work properly with the current FreeBSD/GhostBSD version?

ericbsd

I am starting to think that all those issues are due to old versions of all dependencies to make that work. For example, py311-yubikey-manager has an issue, and I reported it here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288893. Furthermore, the port has an old version.

alexintokyo

ericbsd I searched the FreeBSD forums and there was the following post in the thread titled "What would you like to see over the next few FreeBSD versions?":

I would like a working yubikey 5 nfc key at the kernel and system level  
I would like a working yubikey 5 nfc key at the kernel and system level  
I would like a working yubikey 5 nfc key at the kernel and system level

It does look as though for the time being, FreeBSD/GhostBSD cannot work with Yubikeys.

I have sent a query to Yubico to ask them whether Yubikey 5 NFC works with FreeBSD or not. This should clarify the current support status of FreeBSD.

alexintokyo

I have no idea whether this scdaemon mentioned in the below post from FreeBSD forums is related to the issue of using Yubikeys with WebAuthn/FIDO2 2FA but this may be a possible reason for it.