Enable HyperFIDO U2F Key on Linux

Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”).

This works easily on Windows, but on Linux things get a little complicated: the key isn’t accessible to all users by default. Access has to be enabled using udev rules, which are widely documented on the web, but the documentation is very often erroneous or outdated. Here’s what I found:

Disclaimer: I’m not a Linux security expert. The following udev rules might look cheesy to a seasoned sysadmin but work for me.

Mike Tsao had a similar problem and blogged about the solution. So, this was a good starting point for me. I just had to adapt the “idVendor” (my key shows idVendor=2ccf instead of 096e) and add the “idProduct” to make sure no other hardware from this vendor triggers this rule:

  • Using sudo or a Super-User account, create a file “/etc/udev/rules.d/50-u2f.rules” containing:
# HyperFIDO U2F Key
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2ccf|096e", ATTRS{idProduct}=="0880", OWNER="root", GROUP="plugdev", MODE:="0660"
  • Reload the rules (restart udev daemon):
sudo udevadm control --reload-rules
  • Plug in your U2F key, open Chromium or Chrome and check whether U2F works. I used this site for my checks: https://akisec.com/demo/

Troubleshooting or enabling another vendor’s key

# You can check what's happening in udev when you plug in the USB key:
udevadm monitor

# U2F keys are often identified as "hiddev0" by usb
# Search for "idVendor" and "idProduct" in output of:
udevadm info -n /dev/usb/hiddev0 -a|less
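
The lookup described above can be scripted. This is an added example, not part of the original post: the function names are hypothetical and the sample `udevadm info -a` output is constructed. It reads the IDs from the first device block that carries both, since udev requires all ATTRS matches in a rule to come from the same parent device, and the later blocks belong to the hub and host controller.

```shell
#!/bin/sh
# Read `udevadm info -a` output on stdin and print a rule in the post's format.
# idVendor and idProduct are taken from the first device block that carries
# both: later blocks are the hub and host controller the key is plugged into.
u2f_rule_from_udevinfo() {
    awk '
        function emit(   h) {
            h = "[0-9a-f]"
            if (!done && v ~ ("^" h h h h "$") && p ~ ("^" h h h h "$")) {
                printf "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"%s\", ", v
                printf "ATTRS{idProduct}==\"%s\", ", p
                printf "OWNER=\"root\", GROUP=\"plugdev\", MODE:=\"0660\"\n"
                done = 1
            }
            v = ""; p = ""
        }
        /looking at / { emit() }                      # a new device block starts
        /ATTRS?[{]idVendor[}]==/  { split($0, f, "\""); v = tolower(f[2]) }
        /ATTRS?[{]idProduct[}]==/ { split($0, f, "\""); p = tolower(f[2]) }
        END { emit(); exit !done }                    # non-zero if no IDs found
    '
}

# Constructed sample of `udevadm info -n /dev/usb/hiddev0 -a` output (trimmed).
sample_udevinfo() {
    cat <<'EOF'
  looking at device '/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/usbmisc/hiddev0':
    KERNEL=="hiddev0"
    SUBSYSTEM=="usbmisc"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0':
    SUBSYSTEMS=="usb"
    DRIVERS=="usbhid"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-2':
    SUBSYSTEMS=="usb"
    ATTRS{idProduct}=="0880"
    ATTRS{idVendor}=="2ccf"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1':
    SUBSYSTEMS=="usb"
    ATTRS{idProduct}=="0002"
    ATTRS{idVendor}=="1d6b"
EOF
}

sample_udevinfo | u2f_rule_from_udevinfo
```

On a real system, pipe `udevadm info -n /dev/usb/hiddev0 -a` into the function instead of the sample. Because the rule sets GROUP="plugdev" with mode 0660, the account using the key has to be a member of the plugdev group.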
