
funtoo and yubikey


mrl5

Question

I cannot use my YubiKey 5 NFC on funtoo. The device works on Windows. I was testing it on this webpage: https://demo.yubico.com/webauthn-technical/registration with google-chrome. The green LED is present when I plug in the device and after I tap it.

So far I've installed pam_u2f and added my user to the plugdev group.

$ dmesg | tail
[ 3058.732019] usb 7-1: new full-speed USB device number 7 using uhci_hcd
[ 3058.917036] usb 7-1: New USB device found, idVendor=1050, idProduct=0407
[ 3058.917039] usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 3058.917041] usb 7-1: Product: YubiKey OTP+FIDO+CCID
[ 3058.917043] usb 7-1: Manufacturer: Yubico
[ 3058.923627] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:1d.1/usb7/7-1/7-1:1.0/0003:1050:0407.000F/input/input18
[ 3058.980342] hid-generic 0003:1050:0407.000F: input,hidraw4: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:1d.1-1/input0
[ 3058.984166] hid-generic 0003:1050:0407.0010: hiddev0,hidraw5: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:1d.1-1/input1
$ emerge -pv google-chrome pam_u2f

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] www-client/google-chrome-74.0.3729.108-r1::net-kit  L10N="pl -am -ar -bg -bn -ca -cs -da -de -el -en-GB -es -es-419 -et -fa -fi -fil -fr -gu -he -hi -hr -hu -id -it -ja -kn -ko -lt -lv -ml -mr -ms -nb -nl -pt-BR -pt-PT -ro -ru -sk -sl -sr -sv -sw -ta -te -th -tr -uk -vi -zh-CN -zh-TW" 0 KiB
[ebuild   R    ] sys-auth/pam_u2f-1.0.7::nokit  USE="-debug" 0 KiB
$ groups
wheel audio cdrom video plugdev users kuba
$ emerge --info
Portage 2.3.47 (python 2.7.15-final-0, funtoo/1.0/linux-gnu/arch/x86-64bit, gcc-7.4.1, glibc-2.27-r6, 4.9.168_p1-debian-sources-lts x86_64)
=================================================================
System uname: Linux-4.9.168_p1-debian-sources-lts-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9650_@_3.00GHz-with-gentoo-2.2.2
KiB Mem:     8110396 total,   4543532 free
KiB Swap:    2097148 total,   2097148 free
sh bash 4.4_p18
ld GNU ld (Gentoo 2.31.1 p3) 2.31.1
app-shells/bash:          4.4_p18::core-kit
dev-java/java-config:     2.2.0-r4::java-kit
dev-lang/perl:            5.26.2-r1::perl-kit
dev-lang/python:          2.7.15::python-kit, 3.6.6::python-kit
dev-util/cmake:           3.12.3::core-kit
sys-apps/baselayout:      2.2.2::core-kit
sys-apps/openrc:          0.40.2-r2::core-kit
sys-apps/sandbox:         2.13::core-kit
sys-devel/autoconf:       2.13::core-kit, 2.69-r4::core-kit
sys-devel/automake:       1.11.6-r3::core-kit, 1.13.4-r2::core-kit, 1.15.1-r2::core-kit, 1.16.1-r1::core-kit
sys-devel/binutils:       2.31.1-r1::core-kit
sys-devel/gcc:            7.4.1-r6::core-kit
sys-devel/gcc-config:     2.0::core-kit
sys-devel/libtool:        2.4.6-r5::core-kit
sys-devel/make:           4.2.1-r4::core-kit
sys-kernel/linux-headers: 4.14::core-kit (virtual/os-headers)
sys-libs/glibc:           2.27-r6::core-kit
Repositories:

nokit
    location: /mnt/rwstorage/var/git/meta-repo/kits/nokit
    masters: core-kit
    priority: -500

core-gl-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/core-gl-kit
    masters: core-kit
    priority: 1

core-hw-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/core-hw-kit
    masters: core-kit
    priority: 1

core-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/core-kit
    masters: core-kit
    priority: 1
    aliases: gentoo

core-server-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/core-server-kit
    masters: core-kit
    priority: 1

core-ui-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/core-ui-kit
    masters: core-kit
    priority: 1

desktop-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/desktop-kit
    masters: core-kit
    priority: 1

dev-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/dev-kit
    masters: core-kit
    priority: 1

editors-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/editors-kit
    masters: core-kit
    priority: 1

games-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/games-kit
    masters: core-kit
    priority: 1

gnome-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/gnome-kit
    masters: core-kit
    priority: 1

haskell-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/haskell-kit
    masters: core-kit
    priority: 1

java-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/java-kit
    masters: core-kit
    priority: 1

kde-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/kde-kit
    masters: core-kit
    priority: 1

lang-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/lang-kit
    masters: core-kit
    priority: 1

lisp-scheme-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/lisp-scheme-kit
    masters: core-kit
    priority: 1

llvm-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/llvm-kit
    masters: core-kit
    priority: 1

media-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/media-kit
    masters: core-kit
    priority: 1

ml-lang-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/ml-lang-kit
    masters: core-kit
    priority: 1

net-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/net-kit
    masters: core-kit
    priority: 1

perl-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/perl-kit
    masters: core-kit
    priority: 1

python-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/python-kit
    masters: core-kit
    priority: 1

python-modules-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/python-modules-kit
    masters: core-kit
    priority: 1

ruby-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/ruby-kit
    masters: core-kit
    priority: 1

rust-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/rust-kit
    masters: core-kit
    priority: 1

science-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/science-kit
    masters: core-kit
    priority: 1

security-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/security-kit
    masters: core-kit
    priority: 1

text-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/text-kit
    masters: core-kit
    priority: 1

xfce-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/xfce-kit
    masters: core-kit
    priority: 1

xorg-kit
    location: /mnt/rwstorage/var/git/meta-repo/kits/xorg-kit
    masters: core-kit
    priority: 1

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/portage/distfiles"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=core2 -O2 -pipe"
GENTOO_MIRRORS="https://fastpull-us.funtoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed"
LINGUAS="en_US pl_PL"
MAKEOPTS="-j5"
PKGDIR="/var/cache/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl alsa amd64 apng berkdb bluray bzip2 cdda cddb cdio cdr cracklib crypt cuda cups curl cxx dbus dnssd dri dts dvd dvdr dvdread elogind encode exif faac faad ffmpeg flac gdbm gif gpm gstreamer gtk ico iconv icu ieee1394 ios ipod ipv6 jpeg jpeg2k lame libass libguess libmpeg2 mad matroska mjpeg mmx modules mp3 mpeg mtp mudflap ncurses nls nptl nsplugin nvenc nvidia ogg opencl opengl openmp pam pcre pdf png postproc pppd python quicktime readline resolvconf sdl sdl1 session sndfile sse sse2 ssl startup-notification svg taglib tcpd theora tiff truetype twolame udev udisks unicode upower v4l vdpau vorbis vpx wav wavpack webp win32codecs wmf x264 x265 xattr xdg xml xvid zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel ice1724 intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias authn_core authz_core socache_shmcb unixd" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 
timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev" KERNEL="linux" L10N="en-US pl" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6 python2_7" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby23 ruby24" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, ENV_UNSET, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS

 


3 answers to this question

Thank you very much! The only thing that I had to do to work with YubiKey on google-chrome was to add this file https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules to /etc/udev/rules.d. Installing pam_u2f, yubikey-personalization-gui and yubikey-manager-qt was not needed at all.

# cat /etc/udev/rules.d/70-u2f.rules 
# Copyright (C) 2013-2015 Yubico AB
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.

# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"

# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Happlink (formerly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Neowave Keydo and Keydo AES
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# HyperSecu HyperFIDO, KeyID U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Feitian ePass FIDO, BioPass FIDO2, KeyID U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# JaCarta U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101|0501", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# U2F Zero
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# VASCO SeccureClick
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Bluink Key
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2abe", ATTRS{idProduct}=="1002", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Thetis Key
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Nitrokey FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Google Titan U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Tomu board + chopstx U2F + SoloKeys
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# SoloKeys
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Trezor
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Ledger Nano S and Nano X
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|0004", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Kensington VeriMark
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="06cb", ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# Longmai mFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="4c4d", ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"

LABEL="u2f_end"

 

One more note: if someone plans to play with yubikey-personalization-gui, adding /etc/udev/rules.d/69-yubikey.rules is also needed: https://github.com/Yubico/yubikey-personalization/blob/master/69-yubikey.rules

ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
    ENV{ID_SECURITY_TOKEN}="1"

LABEL="yubico_end"

 

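How the rules quoted in the two answers apply to the device from the question, as an added example that is not part of the original posts or of Yubico's code: the shell function below looks up an idVendor/idProduct pair in a udev rules file and prints what the first matching rule assigns, joining backslash-continued rules like the one in 69-yubikey.rules. The names `rule_for_device` and `write_sample_rules` are hypothetical, and the sample file is constructed from one rule of each quoted file.

```shell
# Added example (not from the thread): find the rule in a udev rules file that
# matches a USB idVendor/idProduct pair and print what it grants.
# rule_for_device FILE VID PID -> prints assignments of first match, returns 1 if none.
rule_for_device() {
    awk -v vid="$2" -v pid="$3" '
        # True if want is one of the |-separated alternatives of key=="..."
        function has(line, key, want,    s, v, n, i, alts) {
            s = index(line, key "==\"")
            if (!s) return 0
            v = substr(line, s + length(key) + 3)
            v = substr(v, 1, index(v, "\"") - 1)
            n = split(v, alts, "|")
            # Appending "" forces string comparison: "0407" must not equal "407"
            for (i = 1; i <= n; i++) if ((alts[i] "") == (want "")) return 1
            return 0
        }
        /^[ \t]*#/ { next }                       # comment line
        { line = pending $0; pending = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); pending = line; next }  # continued rule
        has(line, "ATTRS{idVendor}", vid) && has(line, "ATTRS{idProduct}", pid) {
            n = split(line, tok, ","); out = ""
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", tok[i])
                # Keep assignments (= and +=), drop match keys (== and !=)
                if (tok[i] !~ /[=!]=/) out = out (out == "" ? "" : " ") tok[i]
            }
            print out; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample: one rule from each file quoted in the answers above.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Yubico YubiKey (70-u2f.rules)
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess", GROUP="plugdev", MODE="0660"
# Yubico Yubikey II (69-yubikey.rules)
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
    ENV{ID_SECURITY_TOKEN}="1"
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
rule_for_device "$sample" 1050 0407   # IDs from the dmesg output in the question
rm -f "$sample"
```

For 1050:0407 the first match is the hidraw rule, which restricts the node to owner and the plugdev group (mode 0660) and tags it `uaccess`; an ID pair that no rule lists makes the function return 1.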
