TODO error during login - YubiKey #7
Comments
yeah, yubikeys are currently not supported. i'd be willing to look over a patch to make this work, but i'm unfortunately pretty unlikely to get to this anytime soon (it'll be a decent amount of work, because as far as i can tell, there aren't really any u2f client libraries for rust yet, and i don't personally use a yubikey for bitwarden). sorry!
@doy i assume the situation has not changed much since then? I would really like being able to use
This commit adds support for YubiKey auth. A pinentry prompt asks the user to touch the Yubikey, which causes it to produce input (like a keyboard). That can then be sent to the Bitwarden API where it can ID the YubiKey and validate the request. Fixes: doy#7 Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
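The commit message above describes the YubiKey typing its one-time password into a pinentry prompt like a keyboard. The following is an added example, not code from that commit or from rbw: a local format check on such input, assuming the standard Yubico OTP layout (modhex text, an optional public ID of 0-16 bytes, then a 16-byte encrypted block). All names are hypothetical.

```rust
// Added example (not rbw's code): validate keyboard-style YubiKey OTP input
// before it is submitted as a second-factor token.
// Assumed format (Yubico OTP): modhex text, optional public ID of 0-16 bytes,
// followed by a 16-byte encrypted block.
const MODHEX: &str = "cbdefghijklnrtuv";
const BLOCK_BYTES: usize = 16;
const MAX_ID_BYTES: usize = 16;

#[derive(Debug, PartialEq)]
pub enum OtpError {
    Length(usize),
    NotModhex(char),
}

/// Decode modhex text (even length) into bytes, two characters per byte.
fn modhex_decode(s: &str) -> Result<Vec<u8>, OtpError> {
    let nibbles = s
        .chars()
        .map(|c| MODHEX.find(c).map(|p| p as u8).ok_or(OtpError::NotModhex(c)))
        .collect::<Result<Vec<u8>, OtpError>>()?;
    Ok(nibbles.chunks(2).map(|p| (p[0] << 4) | p[1]).collect())
}

/// Split the input into (public ID, encrypted block), rejecting anything else.
pub fn parse_otp(input: &str) -> Result<(Vec<u8>, Vec<u8>), OtpError> {
    let otp = input.trim();
    let n = otp.chars().count();
    if n % 2 != 0 || n < 2 * BLOCK_BYTES || n > 2 * (BLOCK_BYTES + MAX_ID_BYTES) {
        return Err(OtpError::Length(n));
    }
    let bytes = modhex_decode(otp)?;
    let (id, block) = bytes.split_at(bytes.len() - BLOCK_BYTES);
    Ok((id.to_vec(), block.to_vec()))
}

// Constructed sample, not output from a real key: 12-char ID + 32-char block.
pub const SAMPLE: &str = "cccccccbcdefbdefghijklnrtuvcbdefghijklnrtuvc";

fn main() {
    match parse_otp(SAMPLE) {
        Ok((id, _)) => println!("public id bytes: {:02x?}", id),
        Err(e) => println!("rejected: {:?}", e),
    }
    // A password typed into the prompt by mistake is rejected here.
    println!("{:?}", parse_otp("hunter2"));
}
```

The check only confirms the shape of the input; whether the OTP is genuine is still decided by the server.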
Getting similar issues on darwin m1:
basically on any rbw action it outputs:
Sorry, I lied, I've got email 2fa; after disabling it, rbw authenticated no problem. Will create a separate issue then.
Wondering if https://github.com/kanidm/webauthn-rs is a valid option for getting webauthn support going. It is kinda the successor to U2F and also works directly with phones that have TPM devices.
Yep, webauthn-rs would work here. Keep in mind though, that due to recent changes in webauthn and ctap2, using a yubikey as a "second factor" is no longer really the intent of the spec/standard. These devices are moving to self-contained multifactor, and enforce some behaviours that can confuse users if you try to use them as "single factors" only. We try to guide you away from this in the design of the webauthn-rs api. But otherwise, yes, webauthn-rs has everything you would need here, and we intend to add support for hmac secret in the future if you need derived keys.
I wrote a prototype PR using webauthn-rs, and it is working (with vaultwarden + yubikey 5c). Still needs clean-up, testing, and integration into the rbw pinentry (currently it expects the pin to be entered via the stdin of the agent), but once complete it solves this issue.
Hello!
I'm having trouble logging in using a private server (bitwarden_rs) and a YubiKey. After entering the password I'm getting:
The same for sync or ls.
Version (AUR rbw-git):