Open lachesis opened 1 year ago
There's two issues here:
1) tpm-fido uses an external program, `pinentry`, to prompt you to confirm user presence. When I go through the registration process on that site I get a pinentry dialog popup that says "FIDO Confirm Register yes/no". If you are not seeing that then either you don't have a GUI pinentry installed or you are running tpm-fido in a context where it doesn't have access to your X11/Wayland session (like via sudo).
2) Once you see that dialog and try to register, that specific site will reject tpm-fido as an unsupported key. That's because tpm-fido currently only implements FIDO1 and that site requires FIDO2 (specifically resident keys). I'd like to support FIDO2 but it's fairly low priority work for me right now.
If you want to test tpm-fido against a site that will work you can use https://webauthn.io/
Ahh you are correct, I was running with sudo, though I was sudo'ing as my own user. I was being lazy to avoid the logout to update my groups. If I run with `sudo -E` instead, it works as expected.
As for FIDO2 vs FIDO1, which one does Google's Passkey implementation use? It seems like that will be the major driver for using this module and other similar ones.
Passkeys are built on top of FIDO2.
I got the same problem, so I debugged a bit, just note that I have little experience with golang.
```go
// The goroutine I was debugging: p.Confirm() runs pinentry, and the channel
// receives true only when pinentry returned without an error.
go func() {
	err := p.Confirm()
	promptResult <- err == nil
}()
```
There is the line `FindPinentryGUIPath()` that gives preference to `pinentry-gnome3`; the way I fixed it was by changing it to just `pinentry`. Others like `pinentry-qt` also work.
I'm using Manjaro and kde-plasma.
So, the results of the debug:

- nothing shows up:
  ```
  p.Confirm() -> err: pinentry: inappropriate ioctl for device
  -> promptResult: false
  ```
- window shows up, and if I click on Cancel I get (no problem, but just to help debug):
  ```
  p.Confirm() -> err: malformed ERR arguments
  -> promptResult: false
  ```
- if I click on Ok:
  ```
  p.Confirm() -> err: %!s(<nil>)
  p.Confirm() -> promptResult: true
  ```
```
$ ls /usr/bin/pinentry*
/usr/bin/pinentry  /usr/bin/pinentry-curses  /usr/bin/pinentry-emacs  /usr/bin/pinentry-gnome3  /usr/bin/pinentry-gtk-2  /usr/bin/pinentry-qt  /usr/bin/pinentry-tty
```
I also tested running `echo "CONFIRM" | pinentry-gnome3` manually; this test shows a popup, but when running from golang it doesn't work.

I also tested the others. Interestingly, `pinentry-gtk-2` worked for me. `pinentry-curses` gave the same "inappropriate ioctl" error, and `pinentry-tty` just gives `pinentry: not confirmed`.

And yes, I was testing using `sudo ./tpm-fido`. I also tried using `-E`, but that didn't make a difference.
@psanford Any plans to add FIDO2 support soon?
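As an added illustration, not code from tpm-fido, here is a minimal Go client for the pinentry exchange that sits behind `p.Confirm()` in this thread: it refuses to start a GUI pinentry when no display variable is present (the plain `sudo` case), then drives pinentry over its Assuan protocol and classifies the reply to `CONFIRM`. The function names, the binary path argument and the dialog text are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// parseConfirmReply checks one Assuan reply line: "OK" means the user pressed OK,
// "ERR <code> <text>" means Cancel; a bare "ERR" is the thread's "malformed ERR arguments".
func parseConfirmReply(line string) error {
	switch f := strings.Fields(line); {
	case len(f) > 0 && f[0] == "OK":
		return nil
	case len(f) >= 2 && f[0] == "ERR":
		return fmt.Errorf("pinentry: %s", strings.Join(f[1:], " "))
	}
	return fmt.Errorf("pinentry: unexpected reply %q", line)
}

// confirmWithPinentry runs the chosen pinentry binary and shows a yes/no dialog.
// Every command gets exactly one reply line; the dialog itself appears on CONFIRM.
// The child inherits our environment, so a GUI pinentry needs DISPLAY or
// WAYLAND_DISPLAY; plain sudo strips them and pinentry falls back to the tty.
func confirmWithPinentry(path, desc string) error {
	if os.Getenv("DISPLAY") == "" && os.Getenv("WAYLAND_DISPLAY") == "" {
		return fmt.Errorf("no DISPLAY/WAYLAND_DISPLAY in environment (plain sudo?)")
	}
	cmd := exec.Command(path)
	stdin, _ := cmd.StdinPipe()
	stdout, _ := cmd.StdoutPipe()
	if err := cmd.Start(); err != nil {
		return err
	}
	defer func() { stdin.Close(); cmd.Process.Kill(); cmd.Wait() }()
	r := bufio.NewReader(stdout)
	r.ReadString('\n') // consume the greeting line "OK Pleased to meet you"
	for _, c := range []string{"SETDESC " + desc, "SETOK Yes", "SETCANCEL No", "CONFIRM"} {
		fmt.Fprintln(stdin, c)
		if reply, err := r.ReadString('\n'); err != nil {
			return err
		} else if err = parseConfirmReply(reply); err != nil {
			return fmt.Errorf("%s: %w", c, err)
		}
	}
	fmt.Fprintln(stdin, "BYE")
	return nil
}
```

Calling `confirmWithPinentry("pinentry", "FIDO Confirm Register")` from a shell that has `DISPLAY` set shows the dialog; calling it under plain `sudo` fails fast with the environment error instead of the opaque ioctl message.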
I'm trying the demo at https://passkeys.io. I am on Arch Linux. The same issue appears in both Chromium and Firefox. I'm not using snap, flatpak, or anything else like that.
When using Chrome, I see the following in logs:
When using Firefox, I see this, repeated about 10 times a second:
The dialog in Chrome just says "Insert your security key and touch it". I don't know how to "touch" this internal TPM. :P
Am I doing something particularly silly here?