Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new config option to disable U2F in browsers, enabled by default #2247

Merged
merged 1 commit into from
Nov 7, 2018
Merged

Add new config option to disable U2F in browsers, enabled by default #2247

merged 1 commit into from
Nov 7, 2018

Conversation

SkewedZeppelin
Copy link
Collaborator

@SkewedZeppelin SkewedZeppelin commented Nov 5, 2018
edited
Loading

Allows easily reenabling security dongles where needed.

Am I missing anything?

Also should we consider allowing U2F in supported browsers by default?
U2F dongles can be had for under $10 and add easy security to online accounts.
With Google's recent push again and the future FIDO2 potential we'll hopefully see increased adoption of it.

@netblue30 netblue30 merged commit 0fc095b into netblue30:master Nov 7, 2018
@netblue30
Copy link
Owner

merged!

@SkewedZeppelin SkewedZeppelin deleted the u2f_cond branch January 2, 2019 02:28
@SkewedZeppelin
Copy link
Collaborator Author

@njfox Nothing, just edit /etc/firejail/firejail.config and change #browser-disable-u2f yes to browser-disable-u2f no

@njfox
Copy link
Contributor

njfox commented Mar 6, 2019

Thanks, I think I misread the description--I thought it was saying that u2f would be disabled by default after this patch. My FIDO U2F key currently isnt working in firefox under firejail and I thought this might be the culprit.

@SkewedZeppelin
Copy link
Collaborator Author

SkewedZeppelin commented Mar 6, 2019
edited
Loading

@njfox go to about:config and change security.webauth.u2f to true

also you might need u2f-hidraw-policy installed on your system or equivalent udev rules

@njfox
Copy link
Contributor

njfox commented Mar 6, 2019

I did, the key works without firejail but doesn't work with firejail. I've noticed there are some previous issues about this that suggested something like --ignore=privatedev so I'll give that a try

@SkewedZeppelin
Copy link
Collaborator Author

@njfox to confirm you did change browser-disable-u2f to no in /etc/firejail/firejail.config, correct?

@njfox
Copy link
Contributor

njfox commented Mar 6, 2019

Just tried, didn't fix the problem

@SkewedZeppelin
Copy link
Collaborator Author

SkewedZeppelin commented Mar 6, 2019
edited
Loading

@njfox to confirm, you are running firejail 0.9.58 or newer?

@njfox
Copy link
Contributor

njfox commented Mar 6, 2019 

$ firejail --version
firejail version 0.9.58

@SkewedZeppelin
Copy link
Collaborator Author

@njfox try just removing the whole nou2f line from /etc/firejail/firefox-common.profile
if that doesn't work then try firejail --ignore=private-dev /usr/bin/firefox in addition to it

@njfox
Copy link
Contributor

njfox commented Mar 6, 2019
edited
Loading

Removing ?BROWSER_DISABLE_U2F: nou2f from /etc/firejail/firefox-common.profile resolved the issue. Is this something I should open an issue about? I also updated to 0.9.58.2 beforehand which didn't fix it.

@SkewedZeppelin
Copy link
Collaborator Author

@njfox you can if you want, I however cannot reproduce.

@njfox
Copy link
Contributor

njfox commented Mar 6, 2019

Thanks for your help. Just to make sure I understand, does #2201 essentially turn off U2F for everything by default?

@SkewedZeppelin
Copy link
Collaborator Author

@njfox yes, #2201 disabled it in all profiles by default. #2247 however made it easier to reenable in profiles that actually utilize it

@njfox njfox mentioned this pull request Mar 6, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@SkewedZeppelin @netblue30 @njfox