Feature #17153

Make Tails work with U2F Security Keys

Added by bisco about 1 month ago. Updated 15 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: Hardware support
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Browser

Description

Hi,

Torbrowser 9 can use U2F Security Keys as a second factor.
I think it would be great if it was possible to use U2F Security Keys (like a Yubikey) on Tails. I have managed to use a Yubikey as a second factor on Tails to log in to Gitlab, but there was some manual work involved:
  • first one has to install libu2f-udev, it would be great if that package could be installed by default. It's 24.6 kB on disk. When using the additional software feature to install it, one would have to reload the udev rules as root to make the devices work.
  • the torbrowser apparmor rules deny access to the devices. I had to add the following permissions to make the yubikey work:
      #u2f
      /sys/class/ r,
      /sys/class/hidraw/ r,
      /sys/devices/** r,
      /run/udev/data/* r,
      /sys/bus/ r,
      /dev/hidraw* rw,
    

    But that's the first time I touched apparmor, so I'm sure there is potential for refinement (especially the write to /dev/hidraw makes me nervous).
    (I can also create a bug against the torbrowser-launcher package or create a merge request on salsa if the discussion regarding the apparmor rules should be moved there).

History

#1 Updated by bisco about 1 month ago

Related #12402

#2 Updated by intrigeri 26 days ago

  • Status changed from New to Confirmed
  • Assignee set to bisco

> Hi,
>
> Torbrowser 9 can use U2F Security Keys as a second factor.
> I think it would be great if it was possible to use U2F Security Keys (like a Yubikey) on Tails. I have managed to use a Yubikey as a second factor on Tails

Amazing!

>   • first one has to install libu2f-udev, it would be great if that package could be installed by default. It's 24.6 kB on disk. When using the additional software feature to install it, one would have to reload the udev rules as root to make the devices work.

Sounds entirely reasonable to me.

>   • the torbrowser apparmor rules deny access to the devices. I had to add the following permissions to make the yubikey work:
>     […]
>
> But that's the first time I touched apparmor, so I'm sure there is potential for refinement (especially the write to /dev/hidraw makes me nervous).

Yeah, I would assume that some of these rules could be a little bit narrower.

> (I can also create a bug against the torbrowser-launcher package or create a merge request on salsa if the discussion regarding the apparmor rules should be moved there).

Thanks for your offer. The AppArmor profile we ship in Tails merely contains a Tails-specific delta on top of the one I've been maintaining "upstream" so far, so the best place to propose such an update would be https://github.com/micahflee/torbrowser-launcher/
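
The `/dev/hidraw* rw` rule discussed above matches every raw HID node, keyboards and mice included, not only security keys. As an added example (not code from this ticket, Tails or torbrowser-launcher), the following Python parses HID report descriptors to tell which hidraw nodes declare the FIDO U2F usage, which is useful when auditing what such a rule exposes. The function names and the two sample descriptors are constructed for illustration, and the sysfs layout `hidrawN/device/report_descriptor` is assumed.

```python
from pathlib import Path

FIDO_USAGE_PAGE = 0xF1D0   # HID usage page assigned to the FIDO Alliance
U2FHID_USAGE = 0x01        # usage of a U2F HID authenticator on that page
# Constructed sample descriptors (not captured from real hardware).
U2F_SAMPLE = bytes.fromhex(
    "06d0f10901a1010920150026ff007508954081020921150026ff00750895409102c0")
KEYBOARD_SAMPLE = bytes.fromhex("05010906a101050719e029e715002501750195088102c0")

def top_level_usages(desc):
    """Return (usage_page, usage) for each top-level collection in a descriptor."""
    found, page, usages, depth, i = [], 0, [], 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:             # long item: size byte, tag byte, data
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        tag = prefix & 0xFC            # tag and type bits of a short item
        if tag == 0x04:                # Global item: Usage Page
            page = data
        elif tag == 0x08:              # Local item: Usage
            usages.append((size, data))
        elif tag == 0xA0:              # Main item: Collection
            if depth == 0 and usages:
                n, u = usages[0]       # a 4-byte usage carries its own page
                found.append((u >> 16, u & 0xFFFF) if n == 4 else (page, u))
            depth += 1
        elif tag == 0xC0:              # Main item: End Collection
            depth -= 1
        if tag in (0x80, 0x90, 0xA0, 0xB0, 0xC0):
            usages = []                # local items reset after each main item
        i += 1 + size
    return found

def is_u2f(desc):
    return (FIDO_USAGE_PAGE, U2FHID_USAGE) in top_level_usages(desc)

def scan(sysfs="/sys/class/hidraw"):
    """Map each hidraw node name to True when it declares the U2F usage."""
    result = {}
    for node in sorted(Path(sysfs).glob("hidraw*")):
        try:
            result[node.name] = is_u2f((node / "device/report_descriptor").read_bytes())
        except OSError:
            result[node.name] = False  # unreadable: do not treat as U2F
    return result
```

Calling `scan()` on a running system lists every hidraw node with a flag for whether it is a U2F token, so the nodes that a wildcard rule covers beyond the security key become visible.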

#3 Updated by intrigeri 15 days ago

  • Status changed from Confirmed to In Progress
