Package: firejail
Version: 0.9.58.2-2
Severity: normal

Dear Maintainer,

* What led up to the situation?

Upgraded from Debian 9 to Debian 10.

* What exactly did you do (or not do) that was effective (or ineffective)?

Kept fiddling with Yubikey libs, u2f libs. Uninstall, purge, reinstall. Ran firefox-esr with extensions disabled, ran with fresh profile. I also tried removing the Security Device configuration item from the browser. I re-loaded the Security Device into the browser.

* What was the outcome of this action?

WebAuthn/U2F failed. Test site demo.yubico.com would not enable U2F registration.

* What outcome did you expect instead?

I expected to use demo.yubico.com to register, then authenticate with my Yubikey4.

* What fixed the problem?

I discovered that /etc/firejail/firejail.conf had

    # Disable U2F in browsers, default enabled.
    # browser-disable-u2f yes

I uncommented that line, and changed it to "no" to solve the problem.

I believe there are two problems here. First, I don't see any reason why WebAuthn would be disabled by default. I'm not aware of any reason that would improve security or usability.

Second, it was very difficult to understand this setting; the man page documents BROWSER_DISABLE_U2F, and explains how to _disable_ U2F, but not how to ENable U2F. As Debian/upstream has it disabled by default, I think it would be better for the man page to show how to enable it, or preferably show how to enable it. The documentation (and this is likely an upstream issue) doesn't really describe how the profiles are used, what the config file is for, or how to override these settings. (For example, there's a command line argument to firejail, --nou2f, but no sign of how to _not_ disable U2F.)

I would suggest that Debian change that default setting to "no" so that U2F works out of the box.

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.2-10
ii  libc6         2.28-10

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.58.2-2
ii  iproute2           4.20.0-2
ii  iptables           1.8.2-4
ii  xauth              1:1.0.10-1
ii  xserver-xephyr     2:1.20.4-1
ii  xvfb               2:1.20.4-1

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed [not included]

-- no debconf information