WebAuthn registration failed

showiproute

Well-Known Member
Mar 11, 2020
615
32
48
36
Austria
I recognized that PVE 7.1 supports WebAuthn so I decided to migrate from U2F to it.

But unfortunately it fails with following error message:

`The user verified even through discouragement`
 
what key and browser do you use?
 
I just checked `journalctl` while I tried to register again and found this interessting part:

Code:
Nov 17 12:32:30 kvm systemd[31845]: netdata.service: Failed to determine user credentials: No such process
Nov 17 12:32:30 kvm systemd[31845]: netdata.service: Failed at step USER spawning /bin/mkdir: No such process
░░ Subject: Process /bin/mkdir could not be executed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The process /bin/mkdir could not be executed and failed.
░░
░░ The error number returned by this process is ERRNO.
Nov 17 12:32:30 kvm systemd[1]: netdata.service: Control process exited, code=exited, status=217/USER
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStartPre= process belonging to unit netdata.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 217.
Nov 17 12:32:30 kvm systemd[31846]: netdata.service: Failed to determine user credentials: No such process
Nov 17 12:32:30 kvm systemd[31846]: netdata.service: Failed at step USER spawning /usr/libexec/netdata/plugins.d/reset_netdata_trace.sh: No such process
 
I am not sure if this issue is related to netdata.service but I just saw that the whole service is broken for a couple of months:

Code:
Aug 09 20:40:23 kvm systemd[2833741]: netdata.service: Failed at step USER spawning /bin/mkdir: No such process
Aug 09 20:40:23 kvm systemd[1]: netdata.service: Control process exited, code=exited, status=217/USER
Aug 09 20:40:23 kvm systemd[2833742]: netdata.service: Failed to determine user credentials: No such process
Aug 09 20:40:23 kvm systemd[2833742]: netdata.service: Failed at step USER spawning /usr/libexec/netdata/plugins.d/reset_netdata_trace.sh: No such process

Althought I never had any issues?
 
U2F is also no longer working when I try to use it from a 2nd node:
authentication failure; rhost=::ffff:192.168.10.2 user=mmuehlbacher@hks msg=origin in client authentication did not match: "https://proxmox1.hks.lan:8006" != "https://proxmox2.hks.lan:8006"
 
did you have to enter a password for unlocking the key?
the message
`The user verified even through discouragement`
indicates that there was some password entry while we discourage that (since we already require a password)
 
Seems to be an issue together with Windows.

I just checked the registration of my Yubikey on my Ubuntu laptop and this worked out of the box.
Ubuntu/Firefox does not ask for a separate PIN while Windows does.
 
Found another problem:

Login on my 1st server (proxmox1) works now with WebAuthn.
Login on 2nd server (proxmox2) does not work: Use of uninitialized value $realm_type in string eq at /usr/share/perl5/PVE/AccessControl.pm line 782.

The /etc/pve/datacenter.cfg line would be: webauthn: id=proxmox1.hks.lan,origin=https://proxmox1.hks.lan:8006,rp=proxmox1.hks.lan
 
Yeah, Windows asks to use a PIN before allowing it to use WebAuthn
ah this explains it

Seems to be an issue together with Windows.

I just checked the registration of my Yubikey on my Ubuntu laptop and this worked out of the box.
Ubuntu/Firefox does not ask for a separate PIN while Windows does.
well, not completely. the webauth library we use, throws an error for discouraged but verified requests... in newer versions it did drop that error, so the fix
on our side is to update our dependencies ;)

U2F is also no longer working when I try to use it from a 2nd node:
authentication failure; rhost=::ffff:192.168.10.2 user=mmuehlbacher@hks msg=origin in client authentication did not match: "https://proxmox1.hks.lan:8006" != "https://proxmox2.hks.lan:8006"
i believe that could not have worked before either? in such a case, you'd need an appid which links to a json file with the origins included...
 
  • Like
Reactions: showiproute
well, not completely. the webauth library we use, throws an error for discouraged but verified requests... in newer versions it did drop that error, so the fix
on our side is to update our dependencies
I'm looking forward to see any fixes :)

i believe that could not have worked before either? in such a case, you'd need an appid which links to a json file with the origins included...
How would such a JSON look like?
I just used the "autofil" function at the cluster option.


Edit: The deleted lines are no longer needed as the intention is to migrate from U2F to Webauthn.
 
Last edited:
  • Like
Reactions: showiproute
Okay so I deleted the 2FA from my user and changed the value to rp=hks.lan at datacenter.cfg.
After registering again it works for Proxmox1 but not Proxmox2?!
 
ok so after a bit of investigating, this is due to a confusion about the webauthn spec in (again) the same webauth library... we will update that soon and then this shoud be possible and working
 
  • Like
Reactions: showiproute
We've been using YubiKey 5 NFC for U2F but this breaks after upgrading to 7.1. We have a cluster of nodes with a hosted appid file, to make it work on any node:

Cluster U2F configuration:
CSS:
[root@kvm1a ~]# grep u2f /etc/pve/datacenter.cfg
u2f: appid=https://u2f.company.co.za/kvm1-appid

Content of the kvm1-appid file that's hosted elsewhere:
Code:
{
  "trustedFacets" : [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
      "https://kvm1.company.co.za:8006",
      "https://kvm1a.company.co.za:8006",
      "https://kvm1b.company.co.za:8006",
      "https://kvm1c.company.co.za:8006",
      "https://kvm1d.company.co.za:8006",
      "https://kvm1e.company.co.za:8006",
      "https://kvm1f.company.co.za:8006",
      "https://kvm1g.company.co.za:8006"
    ]
  }]
}

The following is to set headers when serving this file via Apache:
Code:
<FilesMatch "^kvm\d-appid$">
        FileETag None
        ForceType application/fido.trusted-apps+json
        Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
        Header Set Expires "Thu, 1 Jan 1970 00:00:00 GMT"
        Header Set Pragma "no-cache"
        Header Unset ETag
</FilesMatch>

As WebAuthn currently appears to be confirmed not to work, is there a quick fix to restore U2F functionality?

Browser presents the following, when it would normally have prompted for a YubiKey TOPT key press:
1637406418246.png

Nothing further happens when we select Allow....


Edit: We worked around this by temporarily switching to YubiKey OTP integration on the realm. This essentially means that we removed all U2F public key portions and can start fresh with WebAuthn.

For anyone else that finds themselves in the same position:
  • Edit /etc/pve/user.cfg and replace u2f!x with x. An example user entry would thus end with ':x:'
  • Deploy or use your own in-house YubiKey OTP validation servers or register with the free cloud API servers managed by YubiKey, for which each YubiKey is automatically enrolled at the factory. Edit /etc/pve/domains.cfg to enter the API ID and keys. Herewith an example:
1637472314505.png
  • Edit the user TFA information to record the first 12 characters of a Yubico OTP (public identifier portion) to each user. The following example should provide the required structure of this file and shows how to define the identifier for different users and how to associate both primary and backup keys for some staff. NB: Remember to remove the 'enters' and make everything one long line before saving:
1637472736627.png

PS: You can navigate to www.uuidgenerator.net to generate unique UUID v4 IDs for each YubiKey identifier. The 'created' stamp is simply the Unix epoch.
 
Last edited:
  • Like
Reactions: Spartan-196

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!