Lost USB-Controller, lost tty-credentials, emergency


mastor

Dec 28, 2019, 11:00:46 AM
to qubes-users
Hi all,

my USB controller is attached to nothing, but needed for Yubikey login.
I lost my tty2-credentials (the username), so I'm locked out of the system. BIOS changes don't help.
Is there any way to "free" USB during boot? Or get rid of the tty login credentials?
Or am I definitely lost now and have to restart from scratch? A 3 weeks old backup is available, but USB ...

Help is very much appreciated. THANKS!

dhorf-hfre...@hashmail.org

Dec 28, 2019, 11:31:44 AM
to mastor, qubes-users
On Sat, Dec 28, 2019 at 08:00:46AM -0800, mastor wrote:
> my USB controller is attached to nothing, but needed for Yubikey login.
> I lost my tty2-credentials (the username), so I'm locked out of the system.
> BIOS changes don't help.
> Is there any way to "free" USB during boot? Or get rid of the tty login
> credentials?

not sure what "tty login credentials" means.
but you can always boot some random live-linux (like "fedora
workstation"), open the qubes luks device and mount the dom0
root and check/change whatever needs fixing there.

if you are just missing your dom0 username (huh?), getting it
through liveboot is probably easiest.
you can also change the boot config to remove all mentions
of hide-all-usb. (check a guide on how to configure a qubes
for usb-keyboard usage, basically same thing)


Claudia

Dec 28, 2019, 11:42:34 AM
to dhorf-hfre...@hashmail.org, mastor, qubes-users

I think he means he uses his yubikey as an emulated keyboard to type his disk password, and probably enabled a USB Qube and now the yubikey can't type in early userspace.

So yeah, you'll have to boot into the installer and enter rescue mode, or boot into some other live linux distro, and disable the USB Qube. Follow these instructions for removing your USB Qube: https://www.qubes-os.org/doc/usb-qubes/#removing-a-usb-qube

Note, if you're using Grub, all you have to do is press 'e' when you're at the boot loader, and remove rd.qubes.hide_all_usb from the kernel command line. Then you should be able to log in, and remove that same option from /etc/default/grub.

dhorf-hfre...@hashmail.org

Dec 28, 2019, 11:47:39 AM
to Claudia, mastor, qubes-users
On Sat, Dec 28, 2019 at 04:42:30PM +0000, Claudia wrote:

> I think he means he uses his yubikey as an emulated keyboard to type
> his disk password, and probably enabled a USB Qube and now the yubikey
> can't type in early userspace.

oh, that's even easier to work around:
just plug the yubikey into any random computer, open an editor,
hit yk button, save/write down what it just typed into the editor,
apply recovered secret to qubes during boot.


mas...@tuta.io

Dec 28, 2019, 12:21:28 PM
to Claudia, dhorf-hfre...@hashmail.org, qubes-users
It's not Grub but UEFI ...

Claudia

Dec 28, 2019, 12:34:59 PM
to mas...@tuta.io, qubes...@googlegroups.com
December 28, 2019 5:20 PM, mas...@tuta.io wrote:

> Dec 28, 2019, 17:42 by clau...@disroot.org:

> Thanks! Well, I can boot into nothing because my USB connection is gone.
>
> I know my dom0 username but it doesn't work, and therefore the Yubikey authentication at login
> neither.
>
> So I thought there could be a trick reattaching the USB controller to sys-usb during early boot.
>
> If I had access to tty2 there would be no big problem. I would delete the Yubikey pam.d entry for
> login.
> Best, mastor

(when replying please use reply-all to make sure a copy goes to the list and not just to me)

Ah, I see. So you're able to type in your disk passphrase and get to the user login screen? Either lightdm or a TTY, I'm assuming? And I'm assuming you're able to switch to TTY2, but you can't log in to it?

The username shouldn't have anything to do with the yubikey or USB at all. What do you mean the dom0 username doesn't work? I thought the problem was that you can't sign in because the yubikey isn't working in Qubes anymore due to enabling a USB Qube. Also, did you disable password authentication after you set up the yubikey?

And what do you mean your USB connection is gone? Unless there's something physically wrong with it, you should be able to boot from a USB drive regardless of whether a USB Qube is enabled or not. Have you tried booting into the installer from USB (the same way as when you first installed Qubes)?

mas...@tuta.io

Dec 28, 2019, 1:02:35 PM
to Claudia, qubes-users
>> Thanks! Well, I can boot into nothing because my USB connection is gone.
>>
>> I know my dom0 username but it doesn't work, and therefore the Yubikey authentication at login
>> neither.
>>
>> So I thought there could be a trick reattaching the USB controller to sys-usb during early boot.
>>
>> If I had access to tty2 there would be no big problem. I would delete the Yubikey pam.d entry for
>> login.
>> Best, mastor
>>
> (when replying please use reply-all to make sure a copy goes to the list and not just to me)
>
Sorry, this is a mess on a/my mobile phone.

> Ah, I see. So you're able to type in your disk passphrase and get to the user login screen? Either lightdm or a TTY, I'm assuming? And I'm assuming you're able to switch to TTY2, but you can't login to it?
>
Yes, lightdm.


> The username shouldn't have anything to do with the yubikey or USB at all. What do you mean the dom0 username doesn't work? I thought the problem was that you can't sign in because the yubikey isn't working in Qubes anymore due to enabling a USB Qube.
>
Both. No tty login, no Yubikey, because the controller is not attached to the USB qube.

> Also, did you disable password authentication after you set up the yubikey?
>
I use this, and it usually worked fine for years:

https://old.mig5.net/content/yubikey-2fa-qubes-redux-adding-backup-key.html


> And what do you mean your USB connection is gone? Unless there's something physically wrong with it, you should be able to boot from a USB drive regardless of whether a USB Qube is enabled or not. Have you tried booting into the installer from USB (the same way as when you first installed Qubes)?
>
Hm, no, no USB boot option in BIOS, no way to boot from USB. I tried everything, I think.

Thanks for your patience!

Hauke Johannknecht

Dec 28, 2019, 1:19:48 PM
to mas...@tuta.io, qubes-users
On Sat, Dec 28, 2019 at 07:02:33PM +0100, mas...@tuta.io wrote:
> Hm, no, no USB boot option in Bios, no way to boot from USB. I tried
> everything, I think.

how did you install qubes if you can not boot from usb?

just boot the qubes installer the same way you did for installation,
then use it as a rescue system.


Claudia

Dec 28, 2019, 1:32:05 PM
to mas...@tuta.io, qubes-users

Thanks for the link. That explains a lot.

I don't know anything about this setup, so I don't know if there's a failsafe for this type of situation, such as when sys-usb won't start or it malfunctions.

Something you could try: when qubes is first starting, *before* you get to the disk password prompt, press f12 to switch into text mode. You should see console output and a text-based disk password prompt. From there, see if you can do anything: switch TTYs, press Ctrl-C, type the password wrong three times, or whatever you can think of. You might be able to get an early rescue shell.

Also here are some other threads about Yubikey on Qubes. See if any of them look like the same problem you're having. https://www.mail-archive.com/search?q=+Yubikey&l=qubes-users%40googlegroups.com

Also, how did you install Qubes in the first place if you can't boot from USB? If you booted from a CD, then do that again. If you did the installation on a different machine and then physically installed the disk, do the reverse. Basically, do whatever you did to install Qubes, but instead of installing, use the rescue option.

mas...@tuta.io

Dec 28, 2019, 1:37:34 PM
to Claudia, qubes-users


Dec 28, 2019, 19:31 by clau...@disroot.org:
Thanks again! I was able to boot from USB yesterday ...

mas...@tuta.io

Dec 29, 2019, 11:29:44 AM
to Claudia, qubes-users

Dec 28, 2019, 19:31 by clau...@disroot.org:

Success! Thank you SO much for the most important hint, Claudia: Losing the USB controller in Qubes has nothing to do with booting the laptop from USB. Of course.

After creating the third Live USB Stick (Tails) I could boot from it, mount and decrypt dom0 root files, comment pam.d Yubikey entries for login (tty2 was protected by the Yubikey as well ...) and lightdm and log into Qubes.

Now I have to solve "unable to reset PCI device, 00:14.0: no  FLR, PM reset or bus reset available ...", but there's a thread on Github.

\ö/
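
The recovery step described in the message above (commenting out the Yubikey pam.d entries for login and lightdm from a live system), as an added example that is not part of the original thread. It assumes the entries reference pam_yubico.so, which the thread does not state; the function names, the backup suffix and the sample tree are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Run from a live system after the dom0
# root has been unlocked and mounted, e.g. (placeholders, adjust to your disk):
#   cryptsetup open /dev/<luks-partition> qubes
#   vgchange -ay
#   mount /dev/<dom0-root-volume> /mnt/dom0
#   disable_yubikey_pam /mnt/dom0 login lightdm

# ASSUMPTION: the Yubikey entries name this module; adjust to your setup.
PAM_MODULE_PATTERN='pam_yubico'

# disable_yubikey_pam ROOT [SERVICE...]
# Comments out every active line mentioning the module in
# ROOT/etc/pam.d/SERVICE, keeps a .pre-recovery copy beside each changed
# file, and prints the number of lines it commented out.
disable_yubikey_pam() {
    root=${1:?usage: disable_yubikey_pam ROOT [SERVICE...]}; shift
    [ $# -gt 0 ] || set -- login lightdm
    changed=0
    for svc in "$@"; do
        f="$root/etc/pam.d/$svc"
        [ -f "$f" ] || continue
        # Count only lines that are not already comments.
        n=$(grep -v '^[[:space:]]*#' "$f" | grep -c "$PAM_MODULE_PATTERN" || true)
        [ "$n" -gt 0 ] || continue
        cp -p "$f" "$f.pre-recovery"
        # Write back through the existing file so mode and owner are kept.
        sed "/^[[:space:]]*#/!s/^\(.*$PAM_MODULE_PATTERN.*\)\$/# recovery: \1/" \
            "$f.pre-recovery" > "$f"
        changed=$((changed + n))
    done
    echo "$changed"
}

# Constructed sample tree standing in for a mounted dom0 root (not real config).
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_yubico.so mode=challenge-response' \
        'auth include system-auth' > "$d/etc/pam.d/login"
    printf '%s\n' '# auth required pam_yubico.so (already disabled)' \
        'auth include system-auth' > "$d/etc/pam.d/lightdm"
    echo "$d"
}
```

Once sys-usb owns the controller again, copying the .pre-recovery files back restores the second factor.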

awokd

Dec 29, 2019, 3:42:56 PM
to qubes...@googlegroups.com
mas...@tuta.io:

> Now I have to solve "unable to reset PCI device, 00:14.0: no  FLR, PM reset or bus reset available ...", but there's a thread on Github.

Enable the "no strict reset" option for the PCI device that is causing
problems via Qube Settings on the problem VM, then Devices tab, then
large button at the bottom.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

mas...@tuta.io

Dec 29, 2019, 6:59:29 PM
to awokd, qubes-users


> mastor:
> Now I have to solve "unable to reset PCI device, 00:14.0: no  FLR, PM reset or bus reset available ...", but there's a thread on Github.
>
> awokd:
> Enable the "no strict reset" option for the PCI device that is causing
> problems via Qube Settings on the problem VM, then Devices tab, then
> large button at the bottom.
>
Yes, thank you, I already did. I also had to detach and attach:

(user@dom0)$ qvm-pci detach sys-usb dom0:00_14.0

(user@dom0)$ qvm-pci attach --persistent -o no-strict-reset=True sys-usb dom0:00_14.0

See Github, Qubes issues #3205 and #3262

I'll never move the USB controller away from sys-usb again. Especially with challenge-response Yubikey in the machine ...