Yubikeys not recognized by Firefox and Chromium in new 14.2 installation?

puppydog

puppydog

Is there a definite way to get a Yubikey working in Firefox/Librewolf/Chromium in 14.2?

I put 14.2-RELEASE on a laptop of mine yesterday, using xorg and xfce (not sure if this is relevant to the problem or not). I noticed that fresh out of the box Firefox was not recognizing Yubikieys when I tried to use them to log into a site (I have two Yubikey 5, and I tried both). I did some Googling and I see other people with similar problems but with no definite solutions. The supposed solutions I found were just about installing the u2f-devd and libu2f-host packages and adding the user to the u2f group, which unfortunately did not change anything.

I'm at work right now so I can't pull any specific information from the laptop for another several hours, but I thought I would ask my question here. The device is being seen by the OS and is visible with usbconfig, but does not appear as /dev/uhid0 (which according to this Github gist is what I should be seeing). So I suspect the problem lies with devd not handling it correctly, but that's really just a semi-educated guess on my part, and I don't know what kind of change would be necessary regardless.

I'm not worried about using it for ssh or anything else - as long as I can use it in my web browsers, I'll be happy. Is there something I need to do that I'm overlooking?
 
I'm using one of the very old "Yubikey FIDO U2F Security Key (BLUE)" with librewolf 134.0.2. I had used that same Github page to get this old key working. If I remember correctly, I installed libu2f-host u2f-devd; added my desktop user to the u2f group; restarted devd; logged out and back in (to refresh my group memberships); started librewolf. It's been working fine since. For reference, I do have a /dev/uhid0 owned by group "u2f". With this older key at least, when I run 'usbconfig show_ifdrv', my uhid0 device does not say "FIDO," but it works anyway. (Not sure if that's just the way this older key is listed.) Although I have a yubikey 5c, I don't use it on my FreeBSD workstation, because that workstation doesn't have USB-C, so I can't test that. (Sorry!)
 
I am on 14.1 and have several Yubikeys 5. I am only able to use it for FIDO2/U2F with Chromium. I am not able to use them on Firefox. I do not use other browsers.
 
I couldn't get the browser and webauth to work with ubikey 5 on Firefox or Chrome. I tried many instructions. Has this mechanism ever worked on older versions of keys?

:(
 
jbo@ I tried this instruction. Unfortunately, it doesn't work for me as it should. I don't know what I'm doing wrong. When I have to log in, a window should pop up asking me to enter the PIN for the key. Unfortunately, it doesn't. It skips this step. The next step appears. It asks me to touch the key. I can't figure out what's wrong. On Linux, everything works as it should.
 
Has anyone managed to get the Yubikey 5 NFC USB-A to work properly for webauth authentication on FreeBSD 14.2?
(with the latest firmware on the dongle) either on Firefox or Chromium?
 
I don't know if this post will still be useful to anyone, but how I got it was:
I installed
libu2f-host
libfido2
u2f-devd
I added it to my /etc/devfs.rules
[localrules=10]
add path 'uhid*' mode 0660 group operator
in /etc/rc.conf:
devfs_system_ruleset="localrules"
kld_list="usbhid"
restart devfs service:
sudo service devfs restart
I added my user to the group:
pw group mod u2f -m myuser
In firefox, go to about:config and change:
security.webauth.u2f true
security.webauth.webauthn true
security.webauth.webauthn_enable_softtoken true
security.webauth.webauthn_enable_usbtoken true
In /boot/loader.conf:
hw.usb.usbhid.enable="0"

Reboot.

For me worked.

I am in FreeBSD 14.3-RELEASE
 
I've been analyzing this problem recently as well. And I finally came up with a solution... Similar solution. Note that the usbhid device is created in the system with the operator group. Therefore, all you need to do is add the user to the operator group and install a few packages and configuration in /boot/loader.conf and /etc/rc.conf. The u2f-devd package is a package that assigns the u2f group to the usbhid device. This is need to work with ubikey and users rights on u2f group. Only users added to the u2f group can use usbkey

so the following
added it to my /etc/devfs.rules[localrules=10]
add path 'uhid*' mode 0660 group operatorin
Click to expand...

/etc/rc.conf:devfs_system_ruleset="localrules"
Click to expand...
would be unnecessary.
 
Last edited:
What worked for me on 14.3-RELEASE:

pkg install u2f-devd and restart devd

add myself to the u2f group

hw.usb.usbhid.enable="0" in /loader.conf; reboot

Firefox:
security.webauth.u2f true
security.webauth.webauthn true
security.webauth.webauthn_enable_softtoken true
security.webauth.webauthn_enable_usbtoken true


Now it was functioning on the Yubikey demo page: https://demo.yubico.com/webauthn-technical/registration

However, it's possible only the Firefox change will be needed in FreeBSD 15 as it should have this new u2f driver: https://reviews.freebsd.org/D51612
 
I created my own instructions:

Yampress

Thread 'Yubico yubikey 5 nfc on FreeBSD'

Tested on FreeBSD 14.3
manual version 20251009

Note: It is assumed that the user has secured/set a PIN on the Ubikey key before using the instructions below.

I am installing the necessary packages
Code: 
# pkg install yubico-piv-tool pcsc-lite ccid py311-fido2 libfido2
# pkg install libu2f-host u2f-devd

Adds myself (an authorized user) to the U2F group. Only users in the U2F group can use Ubikey.
Code: 
# pw group mod u2f -m yampress

Check device
(put ubikey in usb port and run the commands below)
Code: 
# usbconfig show_ifdrv
# ykman info

Enable pcscd daemon
...
Click to expand...
  • Like

 
You must log in or register to reply here.
Back
Top