Does not work with `systemd-homed`
Thesola10 opened this issue · 9 comments
What went wrong?
`systemd-homed` is a software solution for Linux user accounts that accepts FIDO2 tokens as an alternative for the user password, essentially providing a Chromebook- or macOS-esque "Log in with watch" feature if combined with WearAuthn.
And that's where the issue occurs: `systemd-homed` fails to register my watch as a login token.
Steps to reproduce
- Pair watch with Linux computer running `systemd-homed`
- Run `homectl update --fido2-device=/dev/hidraw2` to register the watch as a login token (exact `hidraw` path may vary)
- The watch displays a confirmation for `io.systemd.home` ("Home Directory"), accept it. `systemd-homed` then errors out with the following error:

```
Initializing FIDO2 credential on security token.
(Hint: This might require confirmation of user presence on security token.)
-- (this is where the first confirmation succeeds)
Generating secret key on FIDO2 security token.
Failed to ask token for assertion: FIDO_ERR_INTERNAL
-- (nothing shows up on the watch)
```
WebAuthn works perfectly through Firefox, through Flatpak, so it can't possibly be a permissions issue.
On a USB Yubikey, the correct behavior is that the key asks for presence twice. On WearAuthn, the second confirmation never happens.
Which model is your watch?
Fossil Q Explorist Gen 4
Which Android version is running on your watch?
Wear OS 2.34
Which version of WearAuthn are you using?
0.9.17 (Google Play)
I don't know how useful it is, but the app version also mentions "Credentials storage: Hardware".
Here is a Logcat dump, with the app set to "Debug" logging:
https://gist.github.com/Thesola10/98146c3db20051ffacf07598ea84202f
Documentation for `systemd-homed` states that the `hmac-secret` extension is required. Maybe that's the issue?
Yep, that's the issue. Since `hmac-secret` is required for any kind of offline login features and these are becoming more and more popular, it would be a great feature to add. I'm a bit constrained on time atm and would definitely welcome and support contributions.
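A defender-side check that follows from the two comments above: before enrolling a token with a tool that depends on `hmac-secret`, confirm that the token actually advertises the extension in its CTAP2 `authenticatorGetInfo` response. The following is an added example, not code from WearAuthn, systemd or libfido2. The two getInfo payloads are constructed inline for illustration (on a real token the bytes would come from a getInfo command, which libfido2 exposes as `fido_dev_get_cbor_info`), and the CBOR codec covers only the subset of types that getInfo uses.

```python
"""Check whether a CTAP2 authenticatorGetInfo response advertises hmac-secret.

Added example (not WearAuthn/systemd/libfido2 code). The getInfo payloads at the
bottom are constructed, not captured from a device.
"""

# authenticatorGetInfo response map keys (CTAP2 spec, authenticatorGetInfo)
KEY_VERSIONS = 0x01    # array of tstr, e.g. "FIDO_2_0"
KEY_EXTENSIONS = 0x02  # array of tstr, e.g. "hmac-secret"
KEY_AAGUID = 0x03      # 16-byte bstr
KEY_OPTIONS = 0x04     # map tstr -> bool, e.g. {"rk": true, "up": true}


def _hdr(major, n):
    """Encode a CBOR initial byte for major type `major` with argument n (< 2**32)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def cbor_encode(v):
    """Minimal CBOR encoder: bool, unsigned int, bytes, str, list, dict."""
    if isinstance(v, bool):            # bool must be tested before int (bool is an int subclass)
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _hdr(0, v)
    if isinstance(v, bytes):
        return _hdr(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _hdr(3, len(b)) + b
    if isinstance(v, list):
        return _hdr(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _hdr(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))


def _decode(buf, i):
    """Decode one CBOR item at offset i; return (value, offset_after_item)."""
    ib = buf[i]
    major, info = ib >> 5, ib & 0x1F
    i += 1
    if major == 7:                     # simple values: only false/true are needed here
        if info == 20:
            return False, i
        if info == 21:
            return True, i
        raise ValueError("unsupported simple value %d" % info)
    if info < 24:
        n = info
    elif info == 24:
        n, i = buf[i], i + 1
    elif info == 25:
        n, i = int.from_bytes(buf[i:i + 2], "big"), i + 2
    elif info == 26:
        n, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
    else:
        raise ValueError("unsupported argument encoding %d" % info)
    if major == 0:
        return n, i
    if major == 2:
        return bytes(buf[i:i + n]), i + n
    if major == 3:
        return bytes(buf[i:i + n]).decode("utf-8"), i + n
    if major == 4:
        items = []
        for _ in range(n):
            v, i = _decode(buf, i)
            items.append(v)
        return items, i
    if major == 5:
        d = {}
        for _ in range(n):
            k, i = _decode(buf, i)
            v, i = _decode(buf, i)
            d[k] = v
        return d, i
    raise ValueError("unsupported major type %d" % major)


def cbor_decode(buf):
    """Decode exactly one CBOR item and reject trailing garbage."""
    v, i = _decode(buf, 0)
    if i != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v


def supports_hmac_secret(get_info_response):
    """True if the getInfo response lists hmac-secret among its extensions."""
    info = cbor_decode(get_info_response)
    return "hmac-secret" in info.get(KEY_EXTENSIONS, [])


# Constructed getInfo responses (map keys in canonical CTAP2 order).
TOKEN_WITH_HMAC = cbor_encode({
    KEY_VERSIONS: ["U2F_V2", "FIDO_2_0"],
    KEY_EXTENSIONS: ["hmac-secret"],
    KEY_AAGUID: bytes(16),
    KEY_OPTIONS: {"rk": True, "up": True, "clientPin": False},
})
TOKEN_WITHOUT_HMAC = cbor_encode({
    KEY_VERSIONS: ["FIDO_2_0"],
    KEY_AAGUID: bytes(16),
    KEY_OPTIONS: {"rk": True, "up": True},
})

if __name__ == "__main__":
    for name, resp in (("with hmac-secret", TOKEN_WITH_HMAC), ("without", TOKEN_WITHOUT_HMAC)):
        print(name, "->", "usable for hmac-secret login" if supports_hmac_secret(resp) else "missing hmac-secret")
```

A token that omits `hmac-secret` from this list should be rejected at enrolment time rather than failing later at the assertion step, which is the point at which `homectl` reported `FIDO_ERR_INTERNAL` in the log above.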
Your comment in #5 mentions that `hmac-secret` is supported, what does that mean exactly?
It is implemented according to my understanding of the spec back at the time, but I remember the spec being unclear about some things (see ). Also, since there wasn't any application to test the feature with, it may be broken.
Given the `--fido2-with-user-presence=false` flag on `homectl`, it appears that a `hmac-secret` client might be able to not require user presence?
Browsing through the logcat, weirdly enough, there's never an error or warning on the watch side of things, not even a claim of a "malformed message".
Pausing the authentication process before the second step yields an interesting behavior: WearAuthn logs absolutely nothing. The issue might be on `systemd`'s side.
PS: The WearAuthn watch does not show up when I do `homectl update --fido2-device=list`, whereas my Yubikey does. That command should list all `hidraw` devices recognized by `libfido2`, so the issue might be on `libfido2`'s side?
Managed to get `libfido2` logging info by patching `homectl`:
https://gist.github.com/Thesola10/4639fdb4d5d82e8d0fc1251aacb81219
any update?