WebAuthn registration failed

[showiproute]

I recognized that PVE 7.1 supports WebAuthn so I decided to migrate from U2F to it.

But unfortunately it fails with following error message:

`The user verified even through discouragement`

 

[dcsapak]

what key and browser do you use?

 

[showiproute]

I use a Yubikey 5C and Firefox 94.0.1

 

[showiproute]

I just checked `journalctl` while I tried to register again and found this interessting part:

Nov 17 12:32:30 kvm systemd[31845]: netdata.service: Failed to determine user credentials: No such process
Nov 17 12:32:30 kvm systemd[31845]: netdata.service: Failed at step USER spawning /bin/mkdir: No such process
░░ Subject: Process /bin/mkdir could not be executed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The process /bin/mkdir could not be executed and failed.
░░
░░ The error number returned by this process is ERRNO.
Nov 17 12:32:30 kvm systemd[1]: netdata.service: Control process exited, code=exited, status=217/USER
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStartPre= process belonging to unit netdata.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 217.
Nov 17 12:32:30 kvm systemd[31846]: netdata.service: Failed to determine user credentials: No such process
Nov 17 12:32:30 kvm systemd[31846]: netdata.service: Failed at step USER spawning /usr/libexec/netdata/plugins.d/reset_netdata_trace.sh: No such process

 

[showiproute]

I am not sure if this issue is related to netdata.service but I just saw that the whole service is broken for a couple of months:

Aug 09 20:40:23 kvm systemd[2833741]: netdata.service: Failed at step USER spawning /bin/mkdir: No such process
Aug 09 20:40:23 kvm systemd[1]: netdata.service: Control process exited, code=exited, status=217/USER
Aug 09 20:40:23 kvm systemd[2833742]: netdata.service: Failed to determine user credentials: No such process
Aug 09 20:40:23 kvm systemd[2833742]: netdata.service: Failed at step USER spawning /usr/libexec/netdata/plugins.d/reset_netdata_trace.sh: No such process

Althought I never had any issues?

 

[showiproute]

Okay I sorted it out: netdata was not the issue.

 

[showiproute]

@dcsapak I also tried it with MS Edge right now - but same result.

 

[showiproute]

U2F is also no longer working when I try to use it from a 2nd node:
authentication failure; rhost=::ffff:192.168.10.2 user=mmuehlbacher@hks msg=origin in client authentication did not match: "https://proxmox1.hks.lan:8006" != "https://proxmox2.hks.lan:8006"

 

[dcsapak]

did you have to enter a password for unlocking the key?
the message

`The user verified even through discouragement`

indicates that there was some password entry while we discourage that (since we already require a password)

 

[showiproute]

Yeah, Windows asks to use a PIN before allowing it to use WebAuthn

 

[showiproute]

Seems to be an issue together with Windows.

I just checked the registration of my Yubikey on my Ubuntu laptop and this worked out of the box.
Ubuntu/Firefox does not ask for a separate PIN while Windows does.

 

[showiproute]

Found another problem:

Login on my 1st server (proxmox1) works now with WebAuthn.
Login on 2nd server (proxmox2) does not work: Use of uninitialized value $realm_type in string eq at /usr/share/perl5/PVE/AccessControl.pm line 782.

The /etc/pve/datacenter.cfg line would be: webauthn: id=proxmox1.hks.lan,origin=https://proxmox1.hks.lan:8006,rp=proxmox1.hks.lan

 

[dcsapak]

Yeah, Windows asks to use a PIN before allowing it to use WebAuthn

ah this explains it

Seems to be an issue together with Windows.

I just checked the registration of my Yubikey on my Ubuntu laptop and this worked out of the box.
Ubuntu/Firefox does not ask for a separate PIN while Windows does.

well, not completely. the webauth library we use, throws an error for discouraged but verified requests... in newer versions it did drop that error, so the fix
on our side is to update our dependencies

U2F is also no longer working when I try to use it from a 2nd node:
authentication failure; rhost=::ffff:192.168.10.2 user=mmuehlbacher@hks msg=origin in client authentication did not match: "https://proxmox1.hks.lan:8006" != "https://proxmox2.hks.lan:8006"

i believe that could not have worked before either? in such a case, you'd need an appid which links to a json file with the origins included...

 

[showiproute]

well, not completely. the webauth library we use, throws an error for discouraged but verified requests... in newer versions it did drop that error, so the fix
on our side is to update our dependencies

I'm looking forward to see any fixes

i believe that could not have worked before either? in such a case, you'd need an appid which links to a json file with the origins included...

How would such a JSON look like?
I just used the "autofil" function at the cluster option.

Edit: The deleted lines are no longer needed as the intention is to migrate from U2F to Webauthn.

 

[showiproute]

It's just interesting the Webauthn works on host1 but not host2 - any ideas why?
Or should this also be packed as a JSON?

 

[dcsapak]

It's just interesting the Webauthn works on host1 but not host2 - any ideas why?

the relying party id must be a valid suffix of the domain where you login, see: https://www.w3.org/TR/webauthn/#relying-party-identifier
e.g. in your case the relying party should be 'hks.lan'

note that changing that may invalidate the already registered keys!

 

[showiproute]

Okay so I deleted the 2FA from my user and changed the value to rp=hks.lan at datacenter.cfg.
After registering again it works for Proxmox1 but not Proxmox2?!

 

[dcsapak]

ok so after a bit of investigating, this is due to a confusion about the webauthn spec in (again) the same webauth library... we will update that soon and then this shoud be possible and working

 

[showiproute]

Looking forward to test it!

 

[David Herselman]

We've been using YubiKey 5 NFC for U2F but this breaks after upgrading to 7.1. We have a cluster of nodes with a hosted appid file, to make it work on any node:

Cluster U2F configuration:

[root@kvm1a ~]# grep u2f /etc/pve/datacenter.cfg
u2f: appid=https://u2f.company.co.za/kvm1-appid

Content of the kvm1-appid file that's hosted elsewhere:

{
  "trustedFacets" : [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
      "https://kvm1.company.co.za:8006",
      "https://kvm1a.company.co.za:8006",
      "https://kvm1b.company.co.za:8006",
      "https://kvm1c.company.co.za:8006",
      "https://kvm1d.company.co.za:8006",
      "https://kvm1e.company.co.za:8006",
      "https://kvm1f.company.co.za:8006",
      "https://kvm1g.company.co.za:8006"
    ]
  }]
}

The following is to set headers when serving this file via Apache:

<FilesMatch "^kvm\d-appid$">
        FileETag None
        ForceType application/fido.trusted-apps+json
        Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
        Header Set Expires "Thu, 1 Jan 1970 00:00:00 GMT"
        Header Set Pragma "no-cache"
        Header Unset ETag
</FilesMatch>

As WebAuthn currently appears to be confirmed not to work, is there a quick fix to restore U2F functionality?

Browser presents the following, when it would normally have prompted for a YubiKey TOPT key press:


Nothing further happens when we select Allow....


Edit: We worked around this by temporarily switching to YubiKey OTP integration on the realm. This essentially means that we removed all U2F public key portions and can start fresh with WebAuthn.

For anyone else that finds themselves in the same position:

• Edit /etc/pve/user.cfg and replace u2f!x with x. An example user entry would thus end with ':x:'
• Deploy or use your own in-house YubiKey OTP validation servers or register with the free cloud API servers managed by YubiKey, for which each YubiKey is automatically enrolled at the factory. Edit /etc/pve/domains.cfg to enter the API ID and keys. Herewith an example:

• Edit the user TFA information to record the first 12 characters of a Yubico OTP (public identifier portion) to each user. The following example should provide the required structure of this file and shows how to define the identifier for different users and how to associate both primary and backup keys for some staff. NB: Remember to remove the 'enters' and make everything one long line before saving:

PS: You can navigate to www.uuidgenerator.net to generate unique UUID v4 IDs for each YubiKey identifier. The 'created' stamp is simply the Unix epoch.