Gentoo Forums
Setting up U2F
Gentoo Forums Forum Index, Networking & Security

dufeu
l33t
Joined: 30 Aug 2002
Posts: 897
Location: US-FL-EST

Posted: Thu Nov 15, 2018 10:44 pm    Post subject: Setting up U2F

I originally wanted to activate FIDO standard U2F tokens for the gmail account I use for my phone as it has a number of financial services tied to it. I purchased the Google Titan bundle. I tried following the Use a security key for 2-step Verification instructions. When I reach the 'ADD SECURITY KEY' step, it always fails.

I then found Google's Add a Titan Security Key on a Linux system. This is apparently old and incorrect information. The ATTRS in the suggested /etc/udev/rules.d file don't match the actual values in the shipped security tokens I received.

Instead, the libu2f-host/70-u2f.rules file listed in the yubico github project does contain udev rules with ATTRS values matching the pair of tokens I received.

I also read the Gentoo Wiki pam_u2f article and verified everything, using dmesg to check the proper installation of the pam_u2f module:
Code:
[ 1946.920987] usb 4-1: new full-speed USB device number 5 using ohci-pci
[ 1947.105039] usb 4-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[ 1947.105042] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1947.105043] usb 4-1: Product: U2F
[ 1947.105045] usb 4-1: Manufacturer: FT
[ 1947.113377] hid-generic 0003:096E:0858.0007: hiddev98,hidraw3: USB HID v1.00 Device [FT U2F] on usb-0000:00:13.0-1/input0

As I read the wiki article, those computer logins for which I define a security key will require having my security token plugged in before I can log into the account (global mapping - /etc/u2f_mappings/u2f_keys):
Code:
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username3>:<KeyHandleA>,<UserKeyA>:<KeyHandleB>,<UserKeyB>:...
or alternatively (per user mapping - ~/.config/Yubico/u2f_keys)
Code:
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
Code:
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
Code:
<username3>:<KeyHandleA>,<UserKeyA>:<KeyHandleB>,<UserKeyB>:...

The use case above implies username1 and username2 are two accounts using the same set of security keys while username3 uses a different set of security keys.

For the global u2f mapping case, the intended modification to /etc/pam.d/system-local-login would be to add:
Code:
auth      required pam_u2f.so    authfile=/etc/u2f_mappings nouserok

This implies only those users whose username appears in /etc/u2f_mappings/u2f_keys would require having their security key plugged in.

There are several things I'm still not understanding with this.
  • I have several pc login accounts I want secured with the same security key. I haven't seen a good example of a /etc/u2f_mappings/u2f_keys file demonstrating this use case. Based on the Gentoo wiki article, I think I need to plug in the first set of security tokens (1,2), and issue pamu2fcfg commands like so:
    Code:
    pamu2fcfg -u<username1> >> /etc/u2f_mappings/u2f_keys
    pamu2fcfg -u<username2> >> /etc/u2f_mappings/u2f_keys
    then replace the first set of security tokens with the second set of security tokens (A,B) and issue the command:
    Code:
    pamu2fcfg -u<username3> >> /etc/u2f_mappings/u2f_keys


  • Once I've registered the keys (via pamu2fcfg), I still can't make the connection between my PC account login and my website logins such as for google. I still cannot complete Google's Add a Security Key step. Do I need to login on one of my PC accounts that will require a security token first before trying to add a security token to any of my web accounts?

  • As I read both the Wiki article and Google's instructions, it seems that using a security token for PC logins and website logins is supposed to be independent of one another. i.e. I can use a security token just to secure web accounts without having to use pam_u2f.

Some guidance would be appreciated.

I'm a little hesitant to go further because I don't want to lock myself out of any of my pc or web accounts.

My use case includes multiple pc accounts on the same initial pair of security keys, other pc accounts on an independent pair of security keys, remote pc logins on multiple accounts via x2go and multiple web accounts. I have some need to be able to access certain specific web accounts from pc accounts which will be secured with differing pairs of security keys.
_________________
People who think M$ is mediocre, don't know the half of it.
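The authfile layout quoted in the post above, as an added example that is not from the thread, the Gentoo wiki or pam_u2f itself: a small POSIX shell script that parses a mapping file in that two-field user:KeyHandle,UserKey:KeyHandle,UserKey form, counts each user's registered credentials, checks the file's syntax, and reproduces the decision the nouserok option described above leads to (a listed user must present a registered key; an unlisted user passes the module, whereas without nouserok an unlisted user is denied). The file, its usernames and the hex handles in it are constructed placeholders, not real pamu2fcfg output; note that each pamu2fcfg run is a separate registration, so two accounts enrolled on the same physical key still get distinct handles. The function names (u2f_line_for, u2f_credential_count, u2f_decision, u2f_validate) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a pam_u2f authfile in the
# "user:KeyHandle,UserKey:KeyHandle,UserKey..." layout quoted in the post.
# The sample file below is constructed with placeholder handles, not key material.

# Print the mapping line for USER (exact match on the first field), or nothing.
u2f_line_for() {
    user=$1; file=$2
    awk -F: -v u="$user" '$1 == u { print; exit }' "$file"
}

# Number of KeyHandle,UserKey pairs registered for USER (0 if not listed).
u2f_credential_count() {
    line=$(u2f_line_for "$1" "$2")
    [ -n "$line" ] || { echo 0; return; }
    # Drop the username field and count the remaining colon-separated pairs.
    echo "${line#*:}" | awk -F: '{ n = 0; for (i = 1; i <= NF; i++) if ($i ~ /,/) n++; print n }'
}

# What pam_u2f does for USER: a listed user must touch a registered key; an
# unlisted user passes the module when nouserok is set and is denied otherwise.
u2f_decision() {
    user=$1; file=$2; nouserok=${3:-yes}
    n=$(u2f_credential_count "$user" "$file")
    if [ "$n" -gt 0 ]; then
        echo "touch-required ($n credentials)"
    elif [ "$nouserok" = yes ]; then
        echo "skipped (nouserok: user not in authfile)"
    else
        echo "denied (user not in authfile)"
    fi
}

# Syntax check for the two-field layout: every line needs a username and at
# least one "KeyHandle,UserKey" pair.  Prints offending lines, returns 1 if any.
u2f_validate() {
    awk -F: '
        NF < 2 || $1 == "" { bad++; print NR ": missing username or credentials"; next }
        { for (i = 2; i <= NF; i++)
              if (split($i, p, ",") != 2 || p[1] == "" || p[2] == "") {
                  bad++; print NR ": malformed pair \"" $i "\""; break
              } }
        END { exit bad ? 1 : 0 }' "$1"
}

# --- constructed sample authfile (placeholder hex handles, not real registrations) ---
AUTHFILE=$(mktemp); trap 'rm -f "$AUTHFILE"' EXIT
cat >"$AUTHFILE" <<'EOF'
username1:aaaa1111,bbbb1111:aaaa2222,bbbb2222
username2:cccc1111,dddd1111:cccc2222,dddd2222
username3:eeee0001,ffff0001
EOF

if u2f_validate "$AUTHFILE"; then
    for u in username1 username2 username3 guest; do
        echo "$u -> $(u2f_decision "$u" "$AUTHFILE")"
    done
fi
```

To check a real file, point the second argument at whatever path your authfile= option names and run u2f_validate on it before trusting a login to it; an appended line with an empty username or a missing UserKey is exactly the kind of mistake that locks an account out rather than protecting it.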
johngalt
Apprentice
Joined: 09 Sep 2004
Posts: 258
Location: 3rd Rock

Posted: Wed Jun 05, 2019 6:55 pm    Post subject:

Hi,

@mods - my apologies for resurrecting this semi-ancient post, but this is literally the only one since 2014 that contains the phrase 'Google Titan' when searching the forums.

@dufeu

Hopefully you still monitor these forums. I'm hoping that you have gotten this figured out on your own. While I'm on a Gentoo-derivative (Sabayon), it would still help if you had an answer for this.

FWIW, I've already locked down my Google accounts (and a few others) using the set I purchased last year, and I've already made arrangements to have the USB key replaced by Google. But the system doesn't recognize the presence of the key when inserted into the USB ports, both USB2 and USB3, or, better yet, dmesg shows that the device is present:

Code:
[  573.906688] usb 7-1: new full-speed USB device number 3 using ohci-pci
[  574.068734] usb 7-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[  574.068737] usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  574.068739] usb 7-1: Product: U2F
[  574.068741] usb 7-1: Manufacturer: FT
[  574.077256] hid-generic 0003:096E:0858.0005: hiddev0,hidraw0: USB HID v1.00 Device [FT U2F] on usb-0000:00:12.0-1/input0


but Firefox Nightly 69.0a1 (2019-06-04) (64-bit) (binary direct from Mozilla, including automatic updates) gives me a prompt when I attempt to access my Google accounts that only has a 'cancel' button, no OK. The same build of Firefox Nightly for Winblows works perfectly fine in WinX.

I followed both of the links you mentioned, first the Google link, and then the Gentoo wiki. Neither have gotten this working correctly.

As you mentioned, any guidance will be appreciated.
_________________
desultory wrote:
If you want to retain credibility as a functional adult; when you are told that you are acting boorishly, the correct response is to consider that possibility and act accordingly to correct that behavior.


Amen.
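The udev side raised in both posts (dmesg proving the kernel enumerates the token while the ATTRS values in the rules file do not match it), as an added example that is not taken from the thread, from Google's page or from libu2f-host: a POSIX shell script that pulls idVendor/idProduct out of a dmesg dump, checks whether a rules file already has an ATTRS{idVendor}/ATTRS{idProduct} line covering that pair (including the "0850|0858|..." alternation style), and prints a rule to append when it does not. The sample dmesg text reuses the identifiers shown in both posts (096e:0858); the sample rules file and its 1050 / 0113|0120 line are constructed. The shape of the suggested rule (hidraw node plus TAG+="uaccess" so the logged-in seat owner can open the device) follows my recollection of libu2f-host's 70-u2f.rules and is an assumption; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): does the udev rules file cover the
# token dmesg just reported?  Sample inputs are constructed below.

# Print VENDOR:PRODUCT (lowercase hex) for every "New USB device found" line.
u2f_ids_from_dmesg() {
    sed -n 's/.*idVendor=\([0-9a-fA-F]*\), idProduct=\([0-9a-fA-F]*\).*/\1:\2/p' "$1" |
        tr 'A-F' 'a-f'
}

# Exit 0 if some line in RULES matches VENDOR and lists PRODUCT in its
# ATTRS{idProduct} value (either a single id or a "0850|0852|..." alternation).
udev_rule_covers() {
    rules=$1; vendor=$2; product=$3
    grep -iF "ATTRS{idVendor}==\"$vendor\"" "$rules" 2>/dev/null |
        sed -n 's/.*ATTRS{idProduct}=="\([^"]*\)".*/\1/p' |
        tr '|' '\n' |
        grep -qix "$product"
}

# Suggested rule.  Assumption: this mirrors the hidraw + TAG+="uaccess" shape
# of libu2f-host's 70-u2f.rules, which lets the seat owner open /dev/hidrawN.
suggest_rule() {
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess"\n' "$1" "$2"
}

# Check every token in DMESG_FILE against RULES_FILE and print a suggestion
# for each gap.  Returns 0 when all tokens are covered, 1 otherwise.
check_tokens() {
    dmesg_file=$1; rules_file=$2; missing=0
    for id in $(u2f_ids_from_dmesg "$dmesg_file"); do
        vendor=${id%:*}; product=${id#*:}
        if udev_rule_covers "$rules_file" "$vendor" "$product"; then
            echo "covered: $vendor:$product"
        else
            echo "no udev rule for $vendor:$product; suggested:"
            suggest_rule "$vendor" "$product"
            missing=1
        fi
    done
    return $missing
}

# --- constructed sample inputs ---
DMESG_SAMPLE=$(mktemp); RULES_SAMPLE=$(mktemp)
trap 'rm -f "$DMESG_SAMPLE" "$RULES_SAMPLE"' EXIT
# dmesg lines reusing the identifiers quoted in the thread.
cat >"$DMESG_SAMPLE" <<'EOF'
[  574.068734] usb 7-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[  574.068739] usb 7-1: Product: U2F
[  574.077256] hid-generic 0003:096E:0858.0005: hiddev0,hidraw0: USB HID v1.00 Device [FT U2F] on usb-0000:00:12.0-1/input0
EOF
# A rules file that only knows one (illustrative) vendor, so 096e:0858 is uncovered.
cat >"$RULES_SAMPLE" <<'EOF'
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0120", TAG+="uaccess"
EOF

if check_tokens "$DMESG_SAMPLE" "$RULES_SAMPLE"; then
    echo "all tokens have a udev rule"
else
    echo "append the suggested rule(s) under /etc/udev/rules.d/, then: udevadm control --reload; re-plug the token"
fi
```

For a live check, run it as `check_tokens <(dmesg) /etc/udev/rules.d/70-u2f.rules` in bash (or save dmesg to a file first for plain sh). A token the kernel enumerates but the browser cannot use is usually one the browser cannot open: after reloading udev and re-plugging, confirm with `ls -l /dev/hidrawN` (hidraw0 in the dmesg above) that the node is readable and writable by the logged-in user, not only by root.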