Package: firejail
Version: 0.9.58.2-2
Severity: normal

Dear Maintainer,

   * What led up to the situation?

   Upgraded from Debian 9 to Debian 10.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

   Kept fiddling with Yubikey libs, u2f libs.  Uninstall, purge, reinstall.  Ran
firefox-esr with extensions disabled, ran with fresh profile.

   I also tried removing the Security Device configuration item from the
browser.  I re-loaded the Security Device into the browser.

   * What was the outcome of this action?

   WebAuthn/U2F failed.  Test site demo.yubico.com would not enable U2F
registration.

   * What outcome did you expect instead?

   I expected to use demo.yubico.com to register, then authenticate with my
Yubikey4.

   * What fixed the problem?

   I discovered that /etc/firejail/firejail.conf had

# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes

   I uncommented that line, and changed it to "no" to solve the problem.

  I believe there are two problems here.  First, I don't see any reason why
WebAuthn would be disabled by default.  I'm not aware of any reason that would
improve security or usability.  Second, it was very difficult to understand
this setting; the man page documents BROWSER_DISABLE_U2F, and explains how to
_disable_ U2F, but not how to ENable U2F.  As Debian/upstream has it disabled
by default, I think it would be better for the man page to show how to enable
it, or preferably show how to enable it.  The documentation (and this is likely
an upstream issue) doesn't really describe how the profiles are used, what the
config file is for, or how to override these settings.  (For example, there's a
command line argument to firejail, --nou2f, but no sign of how to _not_ disable
U2F.)

  I would suggest that Debian change that default setting to "no" so that U2F
works out of the box.



-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.2-10
ii  libc6         2.28-10

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.58.2-2
ii  iproute2           4.20.0-2
ii  iptables           1.8.2-4
ii  xauth              1:1.0.10-1
ii  xserver-xephyr     2:1.20.4-1
ii  xvfb               2:1.20.4-1

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed [not included]

-- no debconf information
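
An added example, not part of the original report or the firejail project: a shell check that reports the effective browser-disable-u2f setting in a firejail configuration file whose path is passed in. It assumes, as the report describes, that a missing or commented-out line means the built-in default (U2F disabled in browsers) applies, and that the last uncommented occurrence wins; the function names and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: audit the browser-disable-u2f option in a firejail config.
# Assumptions (from the report above): an absent or commented-out line
# leaves the built-in default in force, which disables U2F in browsers;
# the last uncommented occurrence of the option is the one that counts.

# u2f_setting FILE -> prints explicit-yes | explicit-no | default-yes |
#                     invalid:<value> | unreadable
u2f_setting() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # A commented line has "#" or "#browser-disable-u2f" as its first
    # field, so it never equals the bare option name and is ignored.
    val=$(awk '$1 == "browser-disable-u2f" { v = $2 } END { print v }' "$cfg")
    case "$val" in
        yes) echo "explicit-yes" ;;
        no)  echo "explicit-no" ;;
        "")  echo "default-yes" ;;
        *)   echo "invalid:$val" ;;
    esac
}

# u2f_allowed FILE -> exit status 0 only when U2F is explicitly enabled.
u2f_allowed() {
    [ "$(u2f_setting "$1")" = "explicit-no" ]
}

# Constructed sample: the shipped state described in the report, then the
# reporter's fix appended as an active line.
u2f_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# Disable U2F in browsers, default enabled.' \
                  '# browser-disable-u2f yes' > "$tmp"
    before=$(u2f_setting "$tmp")
    printf '%s\n' 'browser-disable-u2f no' >> "$tmp"
    after=$(u2f_setting "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}
```

Calling u2f_setting with the path of the installed configuration file shows whether a failed WebAuthn/U2F registration inside the sandbox can be attributed to this option before touching the token libraries or the browser profile.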
