Starred by 17 users
Status: WontFix
Owner: ----
Closed: Apr 2015
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



FIDO U2F Security Key not recognized by Chrome
Reported by samh@google.com, Oct 28 2014
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

Steps to reproduce the problem:
0. purchase fido u2f ready security key here: http://www.amazon.com/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8/ref=sr_1_4?ie=UTF8&qid=1414517077&sr=8-4&keywords=yubikey
1. Follow instructions for how to add a security key.
https://support.google.com/accounts/answer/6103534?hl=en
2. after pressing register button, inserting security key and pressing the button on the key, the button lights up but the spinner keeps spinning.
3. eventually the button goes dark, spinner spins forever

What is the expected behavior?
Chrome detects and registers the u2f device.

What went wrong?
I'm not certain, but from the news I've read it sounds like the device ids are supposed to be present in this file:
https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/resources/cryptotoken/manifest.json

according to the commands I ran, it looks like it should be "vendorId": 1050,
"productId": 0120

$ dmesg
[28561.525072] hid-generic 0003:1050:0120.0008: hiddev0,hidraw0: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:1d.0-1.2/input0

$ lsusb
Bus 002 Device 031: ID 1050:0120 Yubico.com 

Did this work before? N/A 

Chrome version: 38.0.2125.111  Channel: stable
OS Version: Ubuntu 12.04.2 LTS
Flash Version: Shockwave Flash 15.0 r0

If you need some of these to test, I have several available, I can drop one off.
 
Labels: Hotlist-Google
Comment 2 by samh@google.com, Oct 28 2014
I should append that I've tried this on three machines, two running Ubuntu 14.04, on both stable and beta channels as well.
The vendor IDs are hex, so that's a 0x1050=4176 and 0x0120=288.
Comment 4 by samh@google.com, Oct 28 2014
Hmm.  I wonder why it isn't recognized then. Is there a way for me to get debug output?
Comment 5 by samh@google.com, Oct 28 2014
My nano device with vendor/product:
Bus 001 Device 023: ID 1050:0211 Yubico.com 

0x1050=4176,0x211=529 which is the first entry in the manifest continues to be recognized just fine.
Comment 6 by cfa...@gmail.com, Oct 29 2014
Did you put the key in U2F mode?  This seems to require downloading software.

It looks like he has the blue U2F-only device. The FIDO U2F Chrome extension prints out some debug console info - perhaps try that? 
Comment 8 by Deleted ...@, Oct 29 2014
Same for me with a fido u2f token (plug-up). This is the log output when I insert the USB key:
 
27.10.2014 17:52:31	User	kernel	[ 6164.565791] usb 3-1: new full-speed USB device number 10 using xhci_hcd
27.10.2014 17:52:32	User	kernel	[ 6164.695766] usb 3-1: New USB device found, idVendor=2581, idProduct=f1d0
27.10.2014 17:52:32	User	kernel	[ 6164.695769] usb 3-1: New USB device strings: Mfr=1, Product=1, SerialNumber=1
27.10.2014 17:52:32	User	kernel	[ 6164.695770] usb 3-1: Product: Plug-up
27.10.2014 17:52:32	User	kernel	[ 6164.695771] usb 3-1: Manufacturer: Plug-up
27.10.2014 17:52:32	User	kernel	[ 6164.695771] usb 3-1: SerialNumber: Plug-up
27.10.2014 17:52:52	User	mtp-probe	checking bus 3, device 10: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1"
27.10.2014 17:52:52	User	mtp-probe	bus: 3, device: 10 was not an MTP device
27.10.2014 17:52:52	User	kernel	[ 6184.670329] usbhid 3-1:1.0: can't add hid device: -110
27.10.2014 17:52:52	User	kernel	[ 6184.670340] usbhid: probe of 3-1:1.0 failed with error -110
Might be the same issue I had during tt under Arch Linux.

For Ubuntu systems, creating /etc/udev/rules.d/50-securitykey.rules with

SUBSYSTEM=="usb", ATTR{idVendor}=="1050", MODE="0664", GROUP="plugdev"

might be the solution.


On systemd based systems, I'd recommend

SUBSYSTEMS=="usb", ATTR{idVendor}=="1050", TAG+="uaccess", TAG+="udev-acl"

instead.

Hope this helps.
Comment 10 by Deleted ...@, Oct 30 2014
I have the same problem, I added rules for udev but it doesn't change anything.
The key is still not recognized.

Just in case: this might require a restart depending on your setup. Also make sure that the value of idVendor actually matches the vendor id of your key. If yours is not a key from Yubico, it's definitely a different value.
Comment 12 by Deleted ...@, Oct 30 2014
My key is the one from Yubico, I have restarted the udev service, and then rebooted the PC, but it is still not recognized.

 new full-speed USB device number 24 using xhci_hcd
[17338.903320] usb 3-2: New USB device found, idVendor=1050, idProduct=0120
[17338.903323] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[17338.903325] usb 3-2: Product: Security Key by Yubico
[17338.903326] usb 3-2: Manufacturer: Yubico
[17338.904367] hid-generic 0003:1050:0120.0012: hiddev0,hidraw5: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0

Can you add some details about your OS? I'm currently clueless what it could be otherwise but maybe it will help someone else to suggest you a different solution.
Comment 14 by Deleted ...@, Oct 30 2014
Sorry, I forgot to include this information: I'm running Ubuntu 14.04 LTS, Intel® Core™ i7-4900MQ CPU @ 2.80GHz × 8 / 64 bits
Comment 15 by samh@google.com, Oct 30 2014
I managed to try this same key on a Windows 7 Ultimate SP1 machine running Chrome "38.0.2125.11 m", and it worked.  So the key is functional, this seems to be a linux-specific issue (which in many ways is a good thing).
Labels: TE-NeedsTriageFromMTV
Issue related to 'FIDO U2F Security Key' device.
Comment 17 by Deleted ...@, Oct 31 2014
Thx urga.be...@chromium.org, but what's the problem with this key ?

Thanks for the answer

I can confirm I have the same problem with a security key from Plug-up on my Arch Linux machine:

Security Key: http://sk.plug-up.com/

When I do an "lsusb", I see the Fido security key:

[ tpavlic@TedliX200 ~ ]$ lsusb
...
Bus 004 Device 008: ID 2581:f1d0
...

However, the "Register" button spins and spins when I try to add the security key to my Google Account. I am using Chrome 38.0.2125.111 (64-bit).
florian.kiersch had it right in comment 11: Security keys on Linux require additional setup: they require a udev rule to be added so that Chrome can open them. The instructions are unfortunately both vendor- and distro-specific.

Here are his instructions made a little more generic by using the string xxxVENDORxxx instead of a specific vendor's USB vendor id. You'll want to replace this string with the id of the vendor of the token you have, e.g. 1050 for Yubico, 2581 for Plug-up.

For ArchLinux:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="xxxVENDORxxx", TAG+="uaccess", TAG+="udev-acl"

For Ubuntu:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="xxxVENDORxxx", MODE="0644", GROUP="plugdev"
Looks like this is starting to be addressed upstream:

https://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg24277.html

(It'd be great if the U2F team could follow up to ensure broader distro support.)
Comment 21 by samh@google.com, Nov 3 2014
I have the following in my udev rules, and it still is unrecognized on my Ubuntu 12.04.2 LTS machine.  Is there something wrong with this that I'm not seeing?  I rebooted on the off chance that udev rules need one, but still no luck.

~$ cat /etc/udev/rules.d/50-yubikey.rules
######

# All Yubico products (yubikey variants)
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", MODE="0664", GROUP="plugdev"

You might consider, via Yubico:

ACTION!="add|change", GOTO="u2f_end"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"

LABEL="u2f_end"


For more recent versions of udev, I think you can just set ID_SECURITY_TOKEN:


ACTION!="add|change", GOTO="gnubby_end"

ATTRS{idVendor}=="1050", ENV{ID_SECURITY_TOKEN}="1"

LABEL="gnubby_end"
@Sam: Did you check if your user is actually part of the plugdev group?
Comment 24 by samh@google.com, Nov 3 2014
I hadn't checked the groups, but I was and am a member of plugdev.  I'll attempt some of your suggested variants for the udev config.
I was having this issue.  Created a /etc/udev/rules.d/50-yubikey.rules file with the following, per comment #22:

ACTION!="add|change", GOTO="u2f_end"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"

LABEL="u2f_end"


--

After restarting the udev service, the key worked as expected!
Comment 26 by Deleted ...@, Nov 20 2014
I had this issue as well for the Security KEY by Plug-up

Nov 20 11:26:02 casper kernel: [  983.247717] usb 3-1: new full-speed USB device number 8 using xhci_hcd
Nov 20 11:26:02 casper kernel: [  983.415490] usb 3-1: New USB device found, idVendor=2581, idProduct=f1d0
Nov 20 11:26:02 casper kernel: [  983.415502] usb 3-1: New USB device strings: Mfr=1, Product=1, SerialNumber=1
Nov 20 11:26:02 casper kernel: [  983.415516] usb 3-1: Product: Plug-up
Nov 20 11:26:02 casper kernel: [  983.415518] usb 3-1: Manufacturer: Plug-up
Nov 20 11:26:02 casper kernel: [  983.415520] usb 3-1: SerialNumber: Plug-up
Nov 20 11:26:02 casper kernel: [  983.419368] hid-generic 0003:2581:F1D0.000D: hiddev0,hidraw2: USB HID v1.01 Device [Plug-up Plug-up] on usb-0000:03:00.0-1/input0
Nov 20 11:26:02 casper mtp-probe: checking bus 3, device 8: "/sys/devices/pci0000:00/0000:00:1c.3/0000:03:00.0/usb3/3-1"
Nov 20 11:26:02 casper mtp-probe: bus: 3, device: 8 was not an MTP device


Creating a rule /etc/udev/rules.d/50-fidoUDF.rules

and adding 

SUBSYSTEM=="hidraw", MODE="0666", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0",  GROUP="plugdev"


Then after running udevadm trigger, I can then register the key without trouble.

Then of course, I checked their website and it's clearly written what to do if using linux at the bottom of the page, my rule isn't the same as theirs, but it works.
http://sk.plug-up.com/





Cc: phajdan.jr@chromium.org
Adding 'Pawel' in case he can provide any inputs here.

Thank you!
I'm having a similar issue. I've already added the udev rule and I'm in the plugdev group. However I suspect I might be missing some kernel option and the device is not getting created as I see this in dmesg:
[  228.418319] usb 3-2: new full-speed USB device number 6 using xhci_hcd
[  228.561367] usb 3-2: New USB device found, idVendor=2581, idProduct=f1d0
[  228.561379] usb 3-2: New USB device strings: Mfr=1, Product=1, SerialNumber=1
[  228.561385] usb 3-2: Product: Plug-up
[  228.561390] usb 3-2: Manufacturer: Plug-up
[  228.561395] usb 3-2: SerialNumber: Plug-up
[  228.693086] hid-generic 0003:2581:F1D0.0008: device has no listeners, quitting

What's the device that should be created?
/dev/input/eventX?
I can also confirm that comment #22 & #25 works for me as well.
---
ACTION!="add|change", GOTO="u2f_end"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"

LABEL="u2f_end"
---
Restarted udev with "sudo service udev restart".

Ubuntu 14.10 64-Bit
Chrome Version 41.0.2251.0 dev (64-bit)
This problem also exists on Chromebooks but there is no way for the user to fix the problem in this way because of the secure manner of ChromeOS.

1. Insert key.
2. Click register.
3. Spin spin spin.

Of note, if the key is already registered on the account it works just fine.

It just can't be registered.
Status: WontFix
It sounds like a Linux udev configuration issue that's out of Chrome's control. For ChromeOS, please file a separate bug.
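
An added example, not part of the original thread or of any vendor's instructions: a small Python audit of three rule lines quoted in the comments above, reporting which device node each rule targets and who it grants access to. It assumes the browser reaches the token through its /dev/hidraw* node, which is what the rules reported as working match; `RULES`, `parse_rule` and `audit_rule` are names made up for this sketch.

```python
import re

# Rule lines copied from comments in this thread.
RULES = {
    "usb_plugdev": 'SUBSYSTEM=="usb", ATTR{idVendor}=="1050", MODE="0664", GROUP="plugdev"',
    "hidraw_uaccess": 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"',
    "hidraw_0666": 'SUBSYSTEM=="hidraw", MODE="0666", ATTRS{idVendor}=="2581", '
                   'ATTRS{idProduct}=="f1d0",  GROUP="plugdev"',
}

# KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')


def parse_rule(line):
    """Return (matches, assigns): '==' conditions as a dict, assignments as a list."""
    matches, assigns = {}, []
    for key, op, value in TOKEN.findall(line):
        if op == "==":
            matches[key] = value
        elif op != "!=":          # '=', '+=', ':=' all set something
            assigns.append((key, value))
    return matches, assigns


def audit_rule(line):
    """Report which node a rule targets and who ends up with access to it."""
    matches, assigns = parse_rule(line)
    subsystem = matches.get("SUBSYSTEM", "")
    if subsystem == "hidraw" or matches.get("KERNEL", "").startswith("hidraw"):
        scope = "hidraw"          # the /dev/hidrawN node (assumed to be what the browser opens)
    else:
        scope = subsystem or "unscoped"
    mode = next((v for k, v in assigns if k == "MODE"), None)
    group = next((v for k, v in assigns if k == "GROUP"), None)
    tags = [v for k, v in assigns if k == "TAG"]
    world_writable = mode is not None and bool(int(mode, 8) & 0o002)
    if world_writable:
        grant = "world"           # every local account can write to the node
    elif "uaccess" in tags:
        grant = "uaccess"         # logind ACL for the user of the active local session
    elif group:
        grant = "group:" + group
    else:
        grant = "none"
    return {"scope": scope, "grant": grant, "world_writable": world_writable}


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, audit_rule(rule))
```

The first rule only changes the USB device node, which is consistent with the reports that it did not help. The third rule works but opens the token to every local account, where the uaccess rule limits it to the logged-in seat user.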
Comment 32 by v...@markovic.io, Oct 16 2015
For those reaching this issue via Google search (like me), here's the link to Yubico's instructions on setting up their tokens on Linux: https://www.yubico.com/faq/enable-u2f-linux/

They are confirmed working for me on Ubuntu 14.04.2 LTS.
Comment 33 by kkel...@gmail.com, Mar 13 2017
The link in "Comment 32" is broken. Here is the correct link: https://www.yubico.com/support/knowledge-base/categories/articles/can-set-linux-system-use-u2f/
It works for me, the link in "Comment 33", I added a udev rule in /etc/udev/rules.d
I see the same problem as samh@ on Ubuntu Linux, even with adding the 0211 "gnubby" preprod device ID to the udev/rules.d file. I have the 0211 model numbers both for NFC keychain and for mini security key format when I look in lsusb.

A regular production security key from Yubico works fine, so this problem is unique to Googlers who received gnubbies in the early days AND are trying to use them on non-ChromeOS linux I think.