# Setting up U2F

## dufeu

I originally wanted to activate FIDO standard U2F tokens for the gmail account I use for my phone as it has a number of financial services tied to it. I purchased the Google Titan bundle. I tried following the Use a security key for 2-step Verification instructions. When I reach the 'ADD SECURITY KEY' step, it always fails.

I then found Google's Add a Titan Security Key on a Linux system. This is apparently old and incorrect information. The ATTRS in the suggested /etc/udev/rules.d file don't match the actual values in the shipped security tokens I received.

Instead, the libu2f-host/70-u2f.rules file listed in the yubico github project does contain udev rules with ATTRS values matching the pair of tokens I received.

I also read the Gentoo Wiki pam_u2f article and verified everything, using dmesg to check the proper installation of the pam_u2f module:

```
[ 1946.920987] usb 4-1: new full-speed USB device number 5 using ohci-pci
[ 1947.105039] usb 4-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[ 1947.105042] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1947.105043] usb 4-1: Product: U2F
[ 1947.105045] usb 4-1: Manufacturer: FT
[ 1947.113377] hid-generic 0003:096E:0858.0007: hiddev98,hidraw3: USB HID v1.00 Device [FT U2F] on usb-0000:00:13.0-1/input0
```

As I read the wiki article, those computer logins for which I define a security key will require having my security token plugged in before I can log into the account (global mapping - /etc/u2f_mappings/u2f_keys):

```
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username3>:<KeyHandleA>,<UserKeyA>:<KeyHandleB>,<UserKeyB>:...
```

or alternatively (per user mapping - ~/.config/Yubico/u2f_keys)

```
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
```

```
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
```

```
<username3>:<KeyHandleA>,<UserKeyA>:<KeyHandleB>,<UserKeyB>:...
```

The use case above implies username1 and username2 are two accounts using the same set of security keys while username3 uses a different set of security keys.

For the global u2f mapping case, the intended modification to /etc/pam.d/system-local-login would be to add:

```
auth      required pam_u2f.so    authfile=/etc/u2f_mappings nouserok
```

This implies only those users whose username appears in /etc/u2f_mappings/u2f_keys would require having their security key plugged in.

There are several things I'm still not understanding with this. I have several pc login accounts I want secured with the same security key. I haven't seen a good example of a /etc/u2f_mappings/u2f_key file demonstrating this use case. Based on the Gentoo wiki article, I think I need to plug in the first set of security tokens (1,2), and issue pamu2fcfg commands like so:

```
pamu2fcfg -u<username1> >> /etc/u2f_mappings/u2f_keys
pamu2fcfg -u<username2> >> /etc/u2f_mappings/u2f_keys
```

then replace the first set of security tokens with the second set of security tokens (A,B) and issue the command:

```
pamu2fcfg -u<username3> >> /etc/u2f_mappings/u2f_keys
```

Once I've registered the keys (via pamu2fcfg), I still can't make the connection between my PC account login and my website logins such as for google. I still cannot complete Google's Add a Security Key step. Do I need to login on one of my PC accounts that will require a security token first before trying to add a security token to any of my web accounts?

As I read both the Wiki article and Google's instructions, it seems that using a security token for PC logins and website logins are supposed to be independent of one another. i.e. I can use a security token just to secure web accounts without having to use pam_u2f.

Some guidance would be appreciated.

I'm a little hesitant to go further because I don't want to lock myself out of any of my pc or web accounts.

My use case includes multiple pc accounts on the same initial pair of security keys, other pc accounts on an independent pair of security keys, remote pc logins on multiple accounts via x2go and multiple web accounts. I have some need to be able to access certain specific web accounts from pc accounts which will be secured with differing pairs of security keys.
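The mapping format quoted in this post decides which PC accounts share a token pair and which users pam_u2f will still let in without a token. As an added example that is not part of the thread or of the pam_u2f project, the parser below reads a u2f_keys-style file (constructed sample content with placeholder key handles and user keys, not real credentials), reports which usernames accept the same token set, and lists the accounts that are absent from the file, which is the case to check before turning the module on with or without nouserok. Sample usernames and the file body are assumptions.

```python
"""Parse a pam_u2f u2f_keys mapping file and report which users share tokens.

Line format (as quoted in the thread):
  <username>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
Credentials are ':'-separated; each credential is 'keyhandle,userkey'.
"""
from collections import defaultdict

# Constructed sample file body; key handles and user keys are placeholders.
SAMPLE_U2F_KEYS = """\
alice:kh_token1,pk_token1:kh_token2,pk_token2
bob:kh_token1,pk_token1:kh_token2,pk_token2
carol:kh_tokenA,pk_tokenA:kh_tokenB,pk_tokenB
"""


def parse_u2f_keys(text):
    """Return {username: [(keyhandle, userkey), ...]} for a u2f_keys file body."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected '<username>:<credentials>'")
        creds = []
        for cred in rest.split(":"):
            kh, sep2, uk = cred.partition(",")
            if not sep2 or not kh or not uk:
                raise ValueError(f"line {lineno}: bad credential {cred!r}")
            creds.append((kh, uk))
        if user in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {user}")
        mapping[user] = creds
    return mapping


def users_per_key(mapping):
    """Invert the mapping to {keyhandle: [users]}.

    A key handle listed under several users means one physical token
    (registered once per user with pamu2fcfg) unlocks all of them.
    """
    by_key = defaultdict(list)
    for user, creds in mapping.items():
        for kh, _uk in creds:
            by_key[kh].append(user)
    return dict(by_key)


def token_sets(mapping):
    """Group users by the exact set of key handles they accept."""
    groups = defaultdict(list)
    for user, creds in mapping.items():
        groups[frozenset(kh for kh, _uk in creds)].append(user)
    return dict(groups)


def unmapped_users(mapping, users):
    """Accounts in `users` with no line in the file.

    With nouserok these log in with no token at all; without nouserok
    they cannot log in once the pam line is active.
    """
    return sorted(u for u in users if u not in mapping)


if __name__ == "__main__":
    m = parse_u2f_keys(SAMPLE_U2F_KEYS)
    for handles, users in token_sets(m).items():
        print(sorted(handles), "->", users)
    print("no mapping:", unmapped_users(m, ["alice", "dave"]))
```

Run it against the real file (the one `authfile=` points to) before enabling the pam line; any login account that shows up under "no mapping" is the one that either bypasses the token or gets locked out, depending on nouserok.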

----------

## johngalt

Hi,

@mods - my apologies for resurrecting this semi-ancient post, but this is literally the only one since 2014 that contains the phrase 'Google Titan' when searching the forums.

@dufeu

Hopefully you still monitor these forums.  I'm hoping that you have gotten this figured out on your own.  While I'm on a Gentoo-derivative (Sabayon), it would still help if you had an answer for this.

FWIW, I've already locked down my Google accounts (and a few others) using the set I purchased last year, and I've already made arrangements to have the USB key replaced by Google.  But the system doesn't recognize the presence of the key when inserted into the USB ports, both USB2 and USB3, or, better yet, dmesg shows that the device is present:

```
[  573.906688] usb 7-1: new full-speed USB device number 3 using ohci-pci
[  574.068734] usb 7-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[  574.068737] usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  574.068739] usb 7-1: Product: U2F
[  574.068741] usb 7-1: Manufacturer: FT
[  574.077256] hid-generic 0003:096E:0858.0005: hiddev0,hidraw0: USB HID v1.00 Device [FT U2F] on usb-0000:00:12.0-1/input0
```

but Firefox Nightly 69.0a1 (2019-06-04) (64-bit) (binary direct from Mozilla, including automatic updates) gives me a prompt when I attempt to access my Google accounts that only has a 'cancel' button, no OK.  Same build of Firefox Nightly for Winblows works perfectly fine in WinX.

I followed both of the links you mentioned, first the Google link, and then the Gentoo wiki.  Neither have gotten this working correctly.

As you mentioned, any guidance will be appreciated.

----------

## snaffinch

I don't know if this is exactly the same problem, but I was seeing the symptoms you describe when attempting to log in to GMail in Firefox using a Yubikey for 2FA.

The following steps got it working:

1. emerge libu2f-host
2. add relevant users to the plugdev group
3. reboot (this seemed to be crucial - it didn't work after the first two steps)

This was with the Firefox from www-client/firefox-68.1.0.
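Both the ATTRS mismatch dufeu hit with the rules from Google's page and the plugdev step in this reply come down to one question: does some udev rule on the box match the idVendor/idProduct dmesg printed for the token, and does that rule hand the hidraw node to a non-root user? As an added check that is not part of the thread or of libu2f-host, the script below pulls the ids out of dmesg text and compares them with the rules in a udev file. The vendor/product ids come from the dmesg output quoted above; the rules text is constructed for the example (modelled on the libu2f-host 70-u2f.rules style, not copied from it), with a second, stale rule carrying the wrong idProduct to show the mismatch case.

```python
"""Check that a udev rules file covers the U2F token dmesg reports.

dmesg's 'New USB device found' line carries idVendor/idProduct. A rule in
the libu2f-host style matches ATTRS{idVendor}/ATTRS{idProduct} and either
tags the hidraw node uaccess or gives it to a group (plugdev) with group rw.
If no such rule matches, the browser cannot open /dev/hidrawN as the user.
"""
import re

# Constructed sample in the shape of the dmesg lines quoted in the thread.
SAMPLE_DMESG = """\
[  574.068734] usb 7-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[  574.068739] usb 7-1: Product: U2F
"""

# Constructed rules: first one matches the token, second is a stale rule with
# a different idProduct (the kind of mismatch dufeu described).
SAMPLE_RULES = """\
# hypothetical rules, modelled on the libu2f-host 70-u2f.rules style
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0858", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850", GROUP="plugdev", MODE="0660"
"""

DMESG_RE = re.compile(r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
ATTR_RE = re.compile(r'ATTRS\{(idVendor|idProduct)\}=="([0-9a-fA-F]{4})"')


def devices_from_dmesg(text):
    """Set of (vendor, product) pairs, lowercase hex, found in dmesg text."""
    return {(v.lower(), p.lower()) for v, p in DMESG_RE.findall(text)}


def rules_from_udev(text):
    """[(vendor, product, rule_line)] for every rule matching on both ids."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        attrs = {k: v.lower() for k, v in ATTR_RE.findall(s)}
        if "idVendor" in attrs and "idProduct" in attrs:
            out.append((attrs["idVendor"], attrs["idProduct"], s))
    return out


def grants_user_access(rule_line):
    """True if the rule opens the node to a normal user: uaccess tag, or a
    GROUP with a MODE whose group bits include rw."""
    if 'TAG+="uaccess"' in rule_line:
        return True
    mode = re.search(r'MODE="0?([0-7]{3})"', rule_line)
    group = re.search(r'GROUP="([^"]+)"', rule_line)
    return bool(group and mode and int(mode.group(1)[1]) & 0o6 == 0o6)


def unmatched_devices(dmesg_text, rules_text):
    """Devices in dmesg that no access-granting rule in the file covers."""
    covered = {(v, p) for v, p, line in rules_from_udev(rules_text)
               if grants_user_access(line)}
    return sorted(devices_from_dmesg(dmesg_text) - covered)


if __name__ == "__main__":
    missing = unmatched_devices(SAMPLE_DMESG, SAMPLE_RULES)
    print("uncovered tokens:", missing or "none")
```

On a real machine feed it the output of `dmesg` and the contents of the rules file libu2f-host installed; a token that appears under "uncovered" is the one whose rule needs its ATTRS corrected. A matching GROUP="plugdev" rule still does nothing for a user who is not in plugdev, and the group change only takes effect on a fresh login session, which is consistent with the reboot being needed here.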

----------

