How to deal with Yubikey ?

[ThierryIT]

Hello,

I have today to deal with two problems:

1) I am using Yubikey to be authentified on some web site like Github ...
2) I am using Yubikey to stock my PGP keys and to use them with mainly my emails (Thinderbird+Enigmail)

What to do under Qubes to make this possible ?
I have already sys-usb running.

Thx

[Kushal Das]

On Qubes 4.0rc3, I just attach it to the vm as required, and use it.
No configuratino is required.

Kushal
--
Staff, Freedom of the Press Foundation
CPython Core Developer
Director, Python Software Foundation
https://kushaldas.in

[ThierryIT]

I am on R3.2 and I would like to avoid upgrading to 4.0 :)

Le mardi 23 janvier 2018 09:51:17 UTC+2, Kushal Das a écrit :

[Matty South]

I can confirm Kushal's experience. Two things I wanted to point out:
1) install yubikey software in the target vm template:
sudo dnf install yubioath-desktop [for Fedora template]

2) I attach it to the desired VM in dom0 terminal using
qvm-usb -a ...

Then you can double-checke that everything is working here: https://demo.yubico.com/

Hope that helps some folks out!

[ThierryIT]

Interesting ...
The software has to be installed in the sys-usb template, for me fedora 26 ?

[ThierryIT]

Hi,

If using sys-usb, I am not able to use the cli: qvm-usb ....
How to mount it ?
I can see on my sys-usb VM that the system see my key.

Thx

Le mardi 23 janvier 2018 14:42:18 UTC+2, Matty South a écrit :

[Yuraeitha]

Did you install the Qubes USB Proxy? You need that to use qvm-usb.

Some relevant background knowledge might be due first. For starts, sys-usb in and on itself adds no features, no functionality, it's specifically and purely a self-defense mechanism to protect dom0, nothing more, nothing less. It does however move all your USB to sys-usb, giving you a means to use USB the same way, as if it was used in dom0.

The USB Proxy, however, does add some functionality, and it can be installed in whichever VM you keep your USB Controllers. Be it sys-usb or your wibbly-wobbly-timey-wimey VM, in other words, it doesn't matter where, as long as it is kept safely away from dom0. If you use USB keyboard or USB mouse, however, you need to be careful you don't lock yourself out of your system, especially if sys-usb has automatic start on boot. If USB is the only input you have for keyboard/mouse, then be careful of what you do, or at least make a backup of your system first, just in case you make a mistake.

https://www.qubes-os.org/doc/usb/
Go here, you don't need the full guide. Just scroll (or cftl+f to search) for the headline containing "Qubes-USB-Proxy", it's quite a bit down the page near the bottom.

Once you installed the Qubes Proxy package, you can go the the next headline, which shows you how to use it.

Keep in mind, you need to type this in every time you need to switch it to another VM, or if you stop/start your VM and need it again. This is however far, far easier in Qubes 4, which has a widget that allows for this with 3 small quick clicks of your mouse. So this becomes much easier in Qubes 4, and it's likely not too far from final release now.

You could however make it easy in Qubes 3.2. if you use the same few VM's for the USB. For example you can write a small simple script, and then simply keybind the script with "qvm-run sys-usb bash 'path-to-your-'qvm-usb'-script".

You execute qvm-run in dom0, and you execute qvm-usb in your sys-usb (or whichever VM yo use). To keybind, go to Qubes menu ---> System Tools --> Keyboard settings --> Shortcuts tab --> Click "Add", and type in the qvm-run command.

For example you can pass your Yubi-key to VM-A with Ctrl+Shift+Alt+A or your VM-C with Ctrl+Shift+Alt+K. Whatever you can imagine or desire, the Ctrl+Shift+Alt is nice because it's easy to just hold all 3 keys down without worring about which one to holddown, while also not causing many keybind conflicts.

[rob_66]

On Mon, 22 Jan 2018 22:47:55 -0800 (PST)
ThierryIT <vmwa...@gmail.com> wrote:

> I have today to deal with two problems:
>
> 1) I am using Yubikey to be authentified on some web site like
> Github ... 2) I am using Yubikey to stock my PGP keys and to use them
> with mainly my emails (Thinderbird+Enigmail)
>
> What to do under Qubes to make this possible ?
> I have already sys-usb running.

Hi.

I studied and followed
https://mig5.net/content/yubikey-2fa-qubes-redux-adding-backup-key as
well as https://mig5.net/content/yubikey-challenge-response-mode-qubes
and it works perfectly fine on Qubes 3.2, Fedora 26. And my skills
are mediocre.

(Sending *63* bits, »variable«, you'll recognize later.)

However, Qubes' own tutorial can, of course, work flawlessly with your
set-up:

https://www.qubes-os.org/doc/yubi-key/

If you like to dig in deeper, see the discussions on Github:

https://www.qubes-os.org/doc/yubi-key/

Best regards,
r.

[ThierryIT]

Hi,

I have moved from R3.2 to 4.0R3.
And I am still dealing with the same problem, and I don't know if for 4.0R3 the documentation provided is still updated.
All my Keys are detected by dom0:

Device dom0:4-2 - Neowave_Keydo-AES_0989876... is available
Device dom0:sdd - Keydo-AES () available
Device dom0:sdf - Keydo-AES ()( is available
Device dom0:sdf1 - Keydo-AES (PUBLIC) is available

This key has two fuction as auth key (github ...) and an public and an encrypted folder

I am using it to log to Github and to my Registar under Windows.

So for a Qubes 4.0R3 how to do ?

Thx

[ThierryIT]

There is no sys-usb and I do not have installed qubes-usb-proxy

[ThierryIT]

How did you attached it ? I am trying without success ... I can attached it from dom0 using: qvm-block a vm_name dom0:sdd
Is it correct under Qubes4.0r3 ?

Le mardi 23 janvier 2018 09:51:17 UTC+2, Kushal Das a écrit :

[joev...@gmail.com]

qvm-usb command shows you how to attach USB devices to VMs. There is no GUI method like there is for block devices.

Remember, Yubikey is not a storage/block device. It is a USB that acts more like a HID keyboard.

Mine works on 3.2 just fine using sys-usb, then attaching to whatever VM needs it.

[ThierryIT]

If I did understood well, when using Qubes 4.0r3, there is no sys-usb ...

[awokd]

On Thu, February 1, 2018 8:58 am, ThierryIT wrote:
> If I did understood well, when using Qubes 4.0r3, there is no sys-usb ...

If you chose not to set one up on install there wouldn't be, but usually
you should unless using a usb keyboard maybe. You can still add one now;
check the docs.

[ThierryIT]

What am I doing wrong ?

I have a Yubikey4 U2F + CCID.
Not detected with "qvm-block"
Detected as sys-usb:4-2 by dom0 (qvm-usb).

I have tried:

- qvm-device usb attach vm_name sys-usb:4-2 (device attached failed)
- qvm-device block attach vm_name sys-usb:4-2 (backend vm 'sys-usb' doesn't expose device 4-2)

...
Lost I am :)

[awokd]

On Thu, February 1, 2018 3:46 pm, ThierryIT wrote:
> What am I doing wrong ?
>
>
> I have a Yubikey4 U2F + CCID.
> Not detected with "qvm-block"
> Detected as sys-usb:4-2 by dom0 (qvm-usb).
>
>
> I have tried:
>
>
> - qvm-device usb attach vm_name sys-usb:4-2 (device attached failed)
> - qvm-device block attach vm_name sys-usb:4-2 (backend vm 'sys-usb'
> doesn't expose device 4-2)

Another poster said these aren't block devices, so don't try to use those
commands on it.

"qvm-device usb attach vm_name sys-usb:4-2" should work. What does
"qvm-usb attach vm_name sys-usb:4-2" do?

If it's the same error, did you install qubes-usb-proxy in your templates?
See https://www.qubes-os.org/doc/usb/.

[ThierryIT]

I have installed "qubes-usb-proxy" on my StandaloneVM.
-> qvm-usb l : sys-usb:4-2 Yubico_Yubikey_4_U2F+CCID

-> qvm-device usb attach vm-name sys-usb:4-2 : Device attach failed: No device info received, connection failed, check backend side for details
-> same things

[awokd]

On Fri, February 2, 2018 6:03 am, ThierryIT wrote:

>
> I have installed "qubes-usb-proxy" on my StandaloneVM.
> -> qvm-usb l : sys-usb:4-2 Yubico_Yubikey_4_U2F+CCID
>
>
> -> qvm-device usb attach vm-name sys-usb:4-2 : Device attach failed: No
> device info received, connection failed, check backend side for details ->
> same things

How did you create sys-usb? Have you installed qubes-input-proxy-sender in
it?

[joev...@gmail.com]

You are using qvm-usb command to list... but are using "qvm-device" to attach? I don't think that is a valid command in Qubes 3.2. Do you mean qvm-pci?

You should be using qvm-usb to both list, and attach/detach usb devices.
Run qvm-usb -h... follow the manual.
usage: qvm-usb -a [options] <vm-name> <device-vm-name>:<device>

[ThierryIT]

I have followed the Qubes instructions for Qubes 4: https://www.qubes-os.org/doc/usb/

Yes, sys-usb (Debian 9 template) do have the "qubes-input-proxy-sender" installed.

When reading the doc for Qubes 4 and when using the yellow widgets on the top right of the desktop, I can see that my Yubikey4 is attached to the right VM (eject symbol) but if using, from dom0 console "qvm-usb", I do not see that my key is attached to the VM ...

Do I have to re-do my sys-usb with a fedora template ?

Thx

[ThierryIT]

Something seems to be wrong with the widgets.
After having inserted the key, and using the widget, I can attach the key to the VM and I am able to see the key attached to the vm because I can see the "eject symbol" close to the vm.

When using the dom0 console, and using "qvm-usb" I can see my key:

sys-usb:4-1 Logitech_USB_Receiver
sys-usb:4-2 Yubico_Ybikey_4_U2F+CCID

As you can see, I do not see any attached device ...

The result of this command is:

qvm-usb attach vm_name sys-usb:4.2
qvm-usb: error: backend vm 'sys-usb' doesn't expose device '4.2'

This start to be a problem, because I cannot fully use my laptop if this function is not working.

Thx anyway for your big support.



And it is not possible for me to un-attached the key through this widget ...

[ThierryIT]

Same problem with a new sys-usb but this time done with Fedora 26 template.

[awokd]

On Sat, February 3, 2018 7:16 am, ThierryIT wrote:

>> sys-usb:4-1 Logitech_USB_Receiver
>> sys-usb:4-2 Yubico_Ybikey_4_U2F+CCID

>>
>>

>> qvm-usb attach vm_name sys-usb:4.2 qvm-usb: error: backend vm 'sys-usb'
>> doesn't expose device '4.2'

You need to use "4-2", not "4.2".

>> And it is not possible for me to un-attached the key through this
>> widget ...

I noticed that too. Might be
https://github.com/QubesOS/qubes-issues/issues/3215.

[ThierryIT]

Le samedi 3 février 2018 14:33:17 UTC+2, awokd a écrit :
> On Sat, February 3, 2018 7:16 am, ThierryIT wrote:
>
> >> sys-usb:4-1 Logitech_USB_Receiver
> >> sys-usb:4-2 Yubico_Ybikey_4_U2F+CCID
>
> >>
> >>
> >> qvm-usb attach vm_name sys-usb:4.2 qvm-usb: error: backend vm 'sys-usb'
> >> doesn't expose device '4.2'
>
> You need to use "4-2", not "4.2".

yes but: Device attached failed ..... blablabla

>
> >> And it is not possible for me to un-attached the key through this
> >> widget ...
>
> I noticed that too. Might be
> https://github.com/QubesOS/qubes-issues/issues/3215.

Same for me under 4.0 rc4

[ThierryIT]

Attached device seems to work as it should be when this is a mass usb storage ...
Is there any thing special to install on sys-usb or targeting VM for Yubikey ?

[awokd]

On Sat, February 3, 2018 2:49 pm, ThierryIT wrote:

> Attached device seems to work as it should be when this is a mass usb
> storage ... Is there any thing special to install on sys-usb or targeting
> VM for Yubikey ?

Check out https://github.com/QubesOS/qubes-issues/issues/3525. Think you
missed installing qubes-usb-proxy in your sys-usb's template. I had too
actually, on my R4.0 testbed.

[ThierryIT]

I have check it, but when doing a "dnf list installed "qubes-*" on my sys-usb, I can see that qubes-usb-proxy is installed: qubes-usb-proxy.noarch 1.0.12-1.fc26 @qubes-vm-r3.2-current ....
Shouldn't be: 4.0 current instead ?

[awokd]

On Sun, February 4, 2018 7:16 am, ThierryIT wrote:

>
> I have check it, but when doing a "dnf list installed "qubes-*" on my
> sys-usb, I can see that qubes-usb-proxy is installed:
> qubes-usb-proxy.noarch 1.0.12-1.fc26 @qubes-vm-r3.2-current .... Shouldn't
> be: 4.0 current instead ?

Yes, should be 4.0. Did you see the recommendation in
https://www.qubes-os.org/doc/upgrade-to-r4.0/ to not restore your R3.2
templates to R4.0? Sounds like that might be what happened. Make sure all
your AppVMs are using an R4.0 template.

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Exactly.

But even on R3.2-based template it should work. Try updating
qubes-usb-proxy, the newest version is 1.0.15.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlp4/csACgkQ24/THMrX
1yxUQgf/aiPRiNCz9OAKK95Mnw3zElCNgu+dujpbl755sR1FCU1EaCK5ilztRfAt
ciyP5FmhMz+ha9tbG4GpEvrYwJxx4dEqUDegWFo3dspX5j9RS7PXR0DyX989UTsk
I2HdEj7N3B7oZnc9xqPCHXJV6RzFAnzaGBrAu7JUbcEj9HFsmHnxQLxq23r8AOJG
4In4Q4ralNALy2RxnwhEBNfcMfG32pzOvkXIkeHzPfD+gjSWDzzcczL0u7lA15Z4
VBRrIGy9SDaeIWYismn4j3WHqnhM1RUoaJsOO/8yqVvwaCW1k+ooYAWUc97ANEfJ
BGiG1mAwqqUax5Qg4oOPltJiaW8PAA==
=KIs/
-----END PGP SIGNATURE-----