Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

How to easily disable annoying PKCS#11 pop-up when Yubikey is plugged in

  • 9 trả lời
  • 1 gặp vấn đề này
  • 1 lượt xem
  • Trả lời mới nhất được viết bởi zeroknight

more options

Hi,

I am using Firefox for Linux, and whenever my yubikey is plugged in, firefox will start bothering me for a pkcs#11 password. It always happens on start-up but it gets relentlessly annoying if I happen to be on a site which potentially utilizes certificate auth, which I do not use this yubikey for.

I do however use it for 2fa, which does work perfectly fine.

How do I permanently stop whatever Firefox process keeps bothering me about this PKCS#11 password for functionality that I never use?

Hi, I am using Firefox for Linux, and whenever my yubikey is plugged in, firefox will start bothering me for a pkcs#11 password. It always happens on start-up but it gets relentlessly annoying if I happen to be on a site which potentially utilizes certificate auth, which I do not use this yubikey for. I do however use it for 2fa, which does work perfectly fine. How do I permanently stop whatever Firefox process keeps bothering me about this PKCS#11 password for functionality that I never use?

Giải pháp được chọn

I was able to solve this on my own by adding: "disable-in: firefox" into: /usr/share/p11-kit/modules/opensc.module

And now it doesn't show up.

It's ridiculous for firefox to be automatically importing and re-adding random security devices from my system without giving me the ability to disable firefox from excluding devices, and a security risk to do so.

Đọc câu trả lời này trong ngữ cảnh 👍 2

Tất cả các câu trả lời (9)

more options

The issue is with firefox, not my yubikey. Firefox detects a device with pkcs#11 capabilities, assumes that I must want to use it no matter what, then spams me pop-ups to log in with it. I have not found a config option to ignore specific capabilities for a securty device.

Được chỉnh sửa bởi Dave vào

more options

Firefox is enumerating all my devices and has determined that the yubikey has smart card capabilities, which it does, but I have no intention of using them in firefox. I am only using the TOTP features of yubikey in firefox.

I also have a microphone attached to my computer, but that doesn't mean firefox should assume I want it on and recording all the time.

In this picture you can see the screen shot under the "Privacy and Settings" screen for the "Security Devices" heading in the "Certificates" section.

As you can see, it has my yubikey under the "p11kit-proxy" node. I just want to be able to disable it for the p11kit-proxy section, but "unload" is greyed out.

more options

Giải pháp được chọn

I was able to solve this on my own by adding: "disable-in: firefox" into: /usr/share/p11-kit/modules/opensc.module

And now it doesn't show up.

It's ridiculous for firefox to be automatically importing and re-adding random security devices from my system without giving me the ability to disable firefox from excluding devices, and a security risk to do so.

more options

A change mentioned in Fx 112.0 release notes could be related. https://www.mozilla.org/en-US/firefox/112.0/releasenotes/

The deprecated U2F Javascript API is now disabled by default. The U2F protocol remains usable through the WebAuthn API. The U2F API can be re-enabled using the security.webauth.u2f preference.
more options

I solved this by disabling it in the opensc config. I did notice if I unload the p11kit-proxy node in the settings that it keeps coming back. It seems that by default p11-proxy kit it is loaded into every nssdb on the system.

I believe this is related: https://bugzilla.mozilla.org/show_bug.cgi?id=1161219

I would categorize it as a firefox bug that the p11-proxy-kit section that I am clicking "unload" on in firefox settings gets reloaded without my consent, but at least I have a workaround by disabling it in opensc.

more options
more options

I'm seeing a similar issue, but I'm on macOS Ventura 13.5.2

There is no `/usr/share/p11-kit/modules/opensc.module` file -- I'm not sure if macOS has an equivalent to that file?

The prompt only pops up when I use a secondary FF profile.

I'm on OpenSC-0.22.0-rc1-74-gc902e199, rev: c902e199 + Yubikey Nano 5c.

more options

Of course I found the solution about 5 seconds after posting my issue.

On the Security Devices Page (Which you can find by clicking on settings and then searching for "Security Devices"), find the OpenSC library and then click unload. This will remove it until you manually re-add the library.

more options

The enterprise policy "SecurityDevices" lets you delete devices, it only requires a policies.json file in the installation path. Visit about:policies in the address bar for more details.