2FA (via Google compatible authenticator, Authy) seems broken on Ubuntu 20.04 with AppArmor errors

nickgeorge
nickgeorge
Community Member
edited November 2021 in Desktop betas (Mac, Windows, and Linux)

Hi there,

Version: 8.1.0-28.BETA 48 latest/beta 1password✓ -

This is only a minor annoyance, as it doesn't stop 1Password from working. It appears that 1Password attempts to do something with the gnome-keyring when 2FA is in use and that attempt is being blocked by AppArmor. I'm guessing that telling AppArmor to ignore 1password might be one possible workaround

ERROR 2021-06-15T08:21:50.557 tokio-runtime-worker(ThreadId(2)) [1P:op-b5-client/src/freeze_session.rs:119] Keyring(KeyNotFound) WARN 2021-06-15T08:22:21.467 tokio-runtime-worker(ThreadId(5)) [1P:op-b5-client/src/internal/unauthorized_session.rs:538] Failed to save an account's 2FA token with an error of SystemKeyringError(LinuxError(Dbus(MethodError("org.freedesktop.DBus.Error.AccessDenied", Some("An AppArmor policy prevents this sender from sending this message to this recipient; type=\"method_call\", sender=\":1.277\" (uid=1000 pid=21079 comm=\"/snap/1password/48/app/1password --no-sandbox \" label=\"snap.1password.1password (enforce)\") interface=\"org.freedesktop.Secret.Service\" member=\"OpenSession\" error name=\"(unset)\" requested_reply=\"0\" destination=\"org.freedesktop.secrets\" (uid=1000 pid=2621 comm=\"/usr/bin/gnome-keyring-daemon --daemonize --login \" label=\"unconfined\")"), Msg { type: Error, sender: "org.freedesktop.DBus", reply-serial: 2, body: Signature: [ s (115), ] })))). 2FA will only be valid for this unlock session!

Thanks,
Nick

1Password Version: 8.1.0
Extension Version: 28
OS Version: Ubuntu 20.04
Sync Type: 1Password cloud

Comments

  • ag_Christian
    ag_Christian

    Hey there, @nickgeorge

    It looks like you're using the Snap version of 1Password, so I think there is already a solution for this available. Please have a look at this post and follow the steps for the Snap application in the second half. That should hopefully fix up your issues with 2FA. Let me know how it goes and if you need any more help.

  • nickgeorge
    nickgeorge
    Community Member

    Thanks @ag_Christian. I used the snap instructions on that page (and rebooted) but alas it didn't work.

    WARN  2021-06-16T10:12:54.502 op_executor:invocation_loop(ThreadId(8)) [1P:op-app/src/app/backend.rs:172] operation blocking event loop invoke Invocation(Internal(SaveWatchtowerData(<redacted>))) took more than 50 ms (104 ms)
WARN  2021-06-16T10:12:56.097 1Password Application Keyring Manager(ThreadId(9)) [1P:foundation/op-linux/src/kernel_keyring.rs:89] 1Password's application keyring failed to initialize (KeyringError(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })), its functionality will be unavailable
WARN  2021-06-16T10:12:56.097 op_executor:invocation_loop(ThreadId(8)) [1P:foundation/op-linux/src/kernel_keyring.rs:366] fallback keyring was not usable
WARN  2021-06-16T10:12:56.097 op_executor:invocation_loop(ThreadId(8)) [1P:foundation/op-linux/src/kernel_keyring.rs:824] failed to initialize keyring helper, its functionality will be unavailable: KeyringError(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })
ERROR 2021-06-16T10:12:56.101 op_executor:invocation_loop(ThreadId(8)) [1P:op-b5-client/src/freeze_session.rs:119] Keyring(KeyNotFound)
WARN  2021-06-16T10:12:56.137 op_executor:invocation_loop(ThreadId(8)) [1P:op-app/src/app/backend.rs:172] operation blocking event loop invoke Invocation(External(lock-screen)) took more than 50 ms (51 ms)
ERROR 2021-06-16T10:13:06.113 op_executor:invocation_loop(ThreadId(8)) [1P:op-b5-client/src/freeze_session.rs:119] Keyring(KeyNotFound)
INFO  2021-06-16T10:13:06.213 tokio-runtime-worker(ThreadId(4)) [1P:op-data-layer/src/load.rs:147] loaded 353 items in 13 vaults for account: CZWKUHDIFNFW3B523JCZHWPCRM
INFO  2021-06-16T10:13:06.289 tokio-runtime-worker(ThreadId(4)) [1P:op-data-layer/src/load.rs:147] loaded 557 items in 8 vaults for account: R4UVCP4XA5GHPNR6AIY2UXNDOI
ERROR 2021-06-16T10:13:06.323 op_executor:invocation_loop(ThreadId(8)) [1P:op-auto-lock/src/linux.rs:114] failed to start dbus lock service LockListenerSetup
ERROR 2021-06-16T10:13:06.326 op_executor:invocation_loop(ThreadId(8)) [1P:ffi/core-node/src/lib.rs:244] Unable to send notification to extensions, channel is closed

    Cheers,
    Nick

  • ag_Christian
    ag_Christian

    Hey again @nickgeorge,

    The errors that I'm seeing in your logs now are "expected" when running in a Snap due to some current limitations of the platform, but shouldn't lead to any issues with 2FA. The errors there are about a different keyring (even though the name is definitely confusing), but that one isn't used for anything related to two-factor. The app shouldn't be asking you for 2FA every time you unlock anymore with the Snap permission enabled.

  • nickgeorge
    nickgeorge
    Community Member

    Thanks @ag_Christian,

    I entered the 2FA details and completely quick 1password to do a test. When I started it back up again, it crashed. On the second startup however, it worked fine and I didn't have to enter any 2FA deets. Yay.

    Thanks,
    Nick

  • ag_Christian
    ag_Christian

    I'm glad to hear its working now for you, and we'll also make sure to look into the crash on our side.

    Regards,
    Christian

This discussion has been closed.