Quotes of the day

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron’s cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience…. To be ‘cured’ against one’s will and cured of states which we may not regard as disease is to be put on a level of those who have not yet reached the age of reason or those who never will; to be classed with infants, imbeciles, and domestic animals.

Frequently a [proposition] will [present itself], so to speak, in sheep’s clothing: [its undesirable consequences are] not immediately evident, and must be discerned by a careful and perceptive analysis. But this wolf comes as a wolf.

Scalia, J. dissenting in Morrison v. Olson


Using Yubikeys with Fedora 24, for example for Github two-factor authentication

Jeff @ 17:17

My old laptop’s wifi went on the fritz, so I got a new Lenovo P50. Fedora 23 wouldn’t work with the Skylake architecture, so I had to jump headfirst into the Fedora 24 beta.

I’ve since hit one new issue: Yubikeys wouldn’t work for FIDO U2F authentication. Logging into a site using a Yubikey (inserting a Yubikey USB device and tapping the button when prompted) wouldn’t work. Attempting this on Github would display the error message, “Something went really wrong.” Nor would registering Yubikeys with sites work. On Github, attempting to register Yubikeys would give the error message, “This device cannot be registered.”

Interwebs sleuthing suggests that Yubikeys require special udev configuration to work on Linux. The problem is that udev doesn’t grant access to the Yubikey, so when the browser tries to access the key, things go Bad. A handful of resources pointed me toward a solution: tell udev to grant access to the device.

As root, go to the directory /etc/udev/rules.d. It contains files with names of the form *.rules, specifying rules for how to treat devices added and removed from the system. In that directory create the file 70-u2f.rules. Its contents should be those of 70-u2f.rules, from Yubico’s libu2f-host repository. (Most of this file is just selecting various Yubikey devices to apply rules against. The important part of this file is the TAG+="uaccess" ending the various lines. This adds the “uaccess” tag to those devices; systemd-logind recognizes this tag and will grant access to the device to the current logged-in user.) Finally, run these two commands to refresh udev state:

udevadm control --reload
udevadm trigger

Yubikeys should now work for authentication.
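
A way to check the result of the steps above, as an added example that is not part of the original post or of Yubico's file: one function audits a rules file such as 70-u2f.rules so that every hidraw rule relies on TAG+="uaccess" rather than a world-accessible MODE, and one confirms from udevadm info output that the tag was applied after the reload. The function names are hypothetical, and /dev/hidraw0 in the usage comment is an assumed device node.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Audit a udev rules file: every rule selecting hidraw devices should hand the
# device to the logged-in user via TAG+="uaccess", not open it up with MODE.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_u2f_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        !/KERNEL=="hidraw\*"/ { next }                   # only rules selecting hidraw nodes
        /MODE="0?666"/ {
            printf "line %d: MODE opens the key to every local user\n", NR; bad++
        }
        !/TAG\+="uaccess"/ {
            printf "line %d: no uaccess tag\n", NR; bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Confirm the tag was applied after "udevadm trigger". Reads the output of
#   udevadm info --query=property --name=/dev/hidrawN
# on stdin and succeeds if the TAGS (or CURRENT_TAGS) property lists uaccess.
has_uaccess_tag() {
    grep -Eq '^(CURRENT_)?TAGS=.*:uaccess:'
}

# Usage on a real system (rules path as in the post, device node assumed):
#   audit_u2f_rules /etc/udev/rules.d/70-u2f.rules
#   udevadm info --query=property --name=/dev/hidraw0 | has_uaccess_tag && echo ok
```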

These steps work for me, and they appear to me a sensible way to solve the problem. But I can’t say for sure that they’re the best way to solve it. (Nor am I sure why Fedora doesn’t handle this for me.) If anyone knows a better way, that doesn’t involve modifying the root file system, I’d love to hear it in comments.



Quote of the day

An excellent and concise explanation of why the First Amendment, and freedom of speech more broadly and more generally, matters to me:

Much of the Court’s opinion is devoted to deprecating the closed mindedness of our forebears…. Closed minded they were–as every age is, including our own, with regard to matters it cannot guess, because it simply does not consider them debatable. The virtue of a democratic system with a First Amendment is that it readily enables the people, over time, to be persuaded that what they took for granted is not so, and to change their laws accordingly.

Scalia, J. dissenting in United States v. Virginia

It’s taken years of following SCOTUS particularly, and the legal sphere more generally, for me to realize that of all the issues out there, freedom of speech is the one I care about most. Without it, we can’t actually argue about all the other issues that matter, persuading each other, learning from each other, and so on. It is necessary for representative democracy to be able to freely discuss everything and attempt to persuade each other, for us to have any chance at sound policy. The late Justice Scalia gets it exactly right in this quote.

(Speech implications aside: I have no immediate opinion on the legal question in the case as I only discovered it today. For the policy question — which too many people will confuse with the legal question — I would agree with the case’s outcome.)

Rest in peace, Justice Scalia. I’ll miss your First Amendment votes, from flag burning to content neutrality and forum doctrine to (especially, for the reasons noted above) political speech (if not always), among the votes you cast and opinions you wrote. Others less inclined to agree with you might choose to remember you (or at least should remember you) as the justice whose vote ultimately struck down California’s Proposition 8, even as (especially as) you considered the legal question argle-bargle. As Cass Sunstein recognized, you were “one of the most important justices ever”, and the world of law will be worse without you.

(In the spirit of freedom of speech, I generally post all comments I receive, as written. I hope to do the same for this post. But if I must, I’ll moderate excessively vitriolic comments.)

