yubioath-flutter icon indicating copy to clipboard operation
yubioath-flutter copied to clipboard

Published 20 hours ago verified publisher icon Yubico

Support for Crostini (Chromebook) Linux

Open scarolan opened this issue 6 years ago • 23 comments
trafficstars

  • Yubico Authenticator version: 3.0.1
  • Operating system and version: Linux on Chromebook (Crostini Linux penguin 4.19.16-02893-g2cf2c17c8a43)
  • YubiKey model and version: YubiKey 5C Nano
  • Bug description summary:

Steps to reproduce

Downloaded and installed Yubico Desktop for Ubuntu from your PPA. Enabled USB support in chrome://flags #crostini-usb-support. Started Yubico Authenticator app and it asks me to insert a Yubikey. Yubikey is never recognized.

Expected result

It should show my 6 digit authentication codes.

Actual results

YubiKey is never detected.

Other info

Support for this app on Pixelbook would be really nice!

scarolan avatar Feb 23 '19 20:02 scarolan

I've just reviewed the Chromium bug tracker and have found no indication of work happening to allow the Linux container to access Yubikeys (although there is work happening to allow USB-hosted filesystems to be available). Also, I guess clearly USB keyboards work with Crostini already, too.

OK, I'll admit not clear if this bug is on Google's side or Yubico's side. :smile:

markstos avatar Mar 26 '19 15:03 markstos

What if we focused instead on getting the Android app working on Chromebooks? Would that be a more sensible path? I think USB support for android on Chromebooks is now available.

scarolan avatar Apr 19 '19 15:04 scarolan

Related https://github.com/Yubico/yubioath-android/issues/60

scarolan avatar Apr 19 '19 15:04 scarolan

For Crostini, I think the blocker in Google's now court. The Yubikey isn't recognized at all by the container. I opened a bug with Chromium about that:

https://bugs.chromium.org/p/chromium/issues/detail?id=949131

But it is considered a "duplicate" of work already in progress to provide the containers with more complete access to USB devices, including Yubikeys. Perhaps when that's done this app will work.

markstos avatar Apr 19 '19 16:04 markstos

Chrome OS 75 (Dev) should now support Arbitrary USB devices, but Yubikeys don't work :(

Definitely a Google problem right now though, not a Yubico one.

smiller171 avatar Apr 20 '19 02:04 smiller171

actually...looks like no devices are working for me, despite enabling the correct flags :(

smiller171 avatar Apr 20 '19 02:04 smiller171

I kinda got it working today, but the yubico-piv-tool -a status hangs.

mattstep avatar Apr 27 '19 21:04 mattstep

Awesome! Looks like you currently have to compile yubico-piv-tool yourself to get debug output, but there's an issue about this you should thumbs up

https://github.com/Yubico/yubico-piv-tool/issues/99

smiller171 avatar Apr 29 '19 14:04 smiller171

Thanks for your work on this, gents. If you need any help with testing let me know.

scarolan avatar Apr 30 '19 00:04 scarolan

@markstos It may be worth getting your Chromium Yubikey bug reopened. The larger bug 831850, which your bug ostensibly duplicated, has been resolved and closed in a way that doesn't support YubiKeys. (831850 ended up only covering Android devices connected over USB, and they decided to put support for non-Android devices in separate bugs.)

eestolano avatar Aug 07 '19 21:08 eestolano

@eestolano Thanks for the tip. I'll investigate.

markstos avatar Aug 08 '19 14:08 markstos

Can you share the new bug here if you open one @markstos ? I'd like to follow it.

scarolan avatar Aug 09 '19 18:08 scarolan

@scarolan I asked that the original bug be re-opened. I haven't heard back yet: https://bugs.chromium.org/p/chromium/issues/detail?id=949131

markstos avatar Aug 09 '19 20:08 markstos

Should I throw in the towel and close this issue? It doesn't look like any progress has been made either on the Android or Linux side of things.

scarolan avatar Oct 23 '19 23:10 scarolan

It does seem like this is a really an issue for Google to address from the Android or Crostini side. Yubico's apps might work unmodified if the underlying support was there.

markstos avatar Oct 24 '19 14:10 markstos

I do think someone should open a new Chromium bug about this, though. The request to de-duplicate the bug didn't go anywhere-- perhaps that's not something they do.

markstos avatar Oct 24 '19 14:10 markstos

I think it would be valuable to write a Chrome App using WebUSB or the ChromeOS USB APIs rather than waiting on Google to make USB work in Android apps or Crostini

smiller171 avatar Oct 25 '19 19:10 smiller171

@smiller171 That would be welcome!

markstos avatar Oct 28 '19 15:10 markstos

Unfortunately, WebUSB won't work. YubiKeys are blocked from WebUSB to prevent malicious sites from circumventing the phishing protection in U2F/WebAuthn (by talking directly to the YubiKey instead of through the browser API).

emlun avatar Oct 28 '19 15:10 emlun

@emlun Do you know if the same is true of the ChromeOS USB APIs?

https://developer.chrome.com/apps/app_usb https://developer.chrome.com/apps/usb

smiller171 avatar Oct 28 '19 18:10 smiller171

Sorry, I do not know.

emlun avatar Oct 29 '19 11:10 emlun

I did some testing with this today and I while I don't know for sure, it seems YubiKeys aren't discoverable as USB devices in ChromeOS due to the WebUSB blocking as @emlun referred to above. FIDO2/U2F still work, and so does Yubico OTP.

With that said, I did manage to find a "workaround" using a custom CCID reader to interact with YubiKeys over NFC for Yubico Authenticator and YubiKey Manager. This was more a proof of concept and is not really something I would recommend to anyone, but for those interested and really want this to work, here's how.

  1. Enable "Linux (beta)" in ChromeOS settings
  2. In Chrome, enter chrome://flags and enable "Crostini Usb Allow Unsupported"
  3. When inserting a USB custom reader, there will be a popup asking if you want to connect the new USB device to Linux (do this or enable it in Settings->Linux->USB preferences). NOTE: This will not be remembered next time you plug it in.
  4. YubiKey Authenticator v5.x has a setting for Interface, select "CCID custom reader" and enter a pattern that will match your reader (as shown in Settings->Linux->USB preferences), in my case "OMNIKEY" will work as the full name of my reader is "OMNIKEY 5022 Smart Card Reader"
  5. YubiKey Manager CLI have a similar setting, for example ykman --reader "OMNIKEY" oath code will display the OATH codes from the custom reader.

I'm afraid that this is the closest we can get with this at the moment. Yubico Authenticator is now also available for both Android and iPhone, which might be a better workaround for many.

image

braathen avatar Nov 28 '19 15:11 braathen

I have opened a new issue https://bugs.chromium.org/p/chromium/issues/detail?id=1030778 as per @markstos's comment. I've also asked for the original bug to be un-merged, as the merged bug is considered fixed (they de-scoped the merged bug to just cover Android USB devices).

liljenstolpe avatar Dec 04 '19 19:12 liljenstolpe

Yubico Authenticator 6.0 has now been released and uses a new codebase. As such, this issue has been marked with the legacy label, and will be automatically closed in 7 days. If this issue is still relevant to Yubico Authenticator 6, please comment on the issue saying so, and it will be kept open (or be re-opened). Sorry for the inconvenience!

dainnilsson avatar Nov 16 '22 10:11 dainnilsson

Hello everyone! I stumbled on this ticket and would like to let you know that the latest release (6.1.1) of Yubico Authenticator for Android available on Google Play store is compatible with Chromebooks which support Android apps (Chrome OS).

We test with two devices before releasing, everything in the app works, except the following known issues:

  • The app is forced to portrait mode.
  • The QR scanner is disabled, adding account is possible only manually
  • Only USB YubiKeys are supported at the moment, currently we don’t support NFC readers.

AdamVe avatar Mar 08 '23 15:03 AdamVe