Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

Stumpy

May 27, 2019, 12:09:24 PM
to Qubes users, onl...@googlegroups.com
I am trying to use an OnlyKey U2F but have run into some issues, like it
showing up in dom0 and sys-usb but it seems like I can't use it.

in sys-usb:
[user@sys-usb ~]$ lsusb | grep Only
Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
Authentication and Password Solution

and in Dom0:
[ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
Device attach failed:
[ralph@dom0 ~]$

I decided to go with the Chrome app, but even though sys-usb seems to see
the OnlyKey I can't seem to attach it to the Chrome AppVM I made?

awokd

May 27, 2019, 8:05:07 PM
to qubes...@googlegroups.com
Stumpy wrote on 5/27/19 4:09 PM:
If you are using a custom template for your Chrome AppVM, don't forget
to install the necessary qubes-usb package in it.

brenda...@gmail.com

May 28, 2019, 9:04:30 AM
to qubes-users

Also:
1) Is it a composite USB device (multiple services on a single endpoint, not a hub)?
2) Are one or more services based on the HID interface and possibly blocked as it is seen as a keyboard?

Similar issues occur with yubikeys, I believe there are documents that may help on the qubes-os.org site related to making yubikeys work.

Brendan

euid...@gmail.com

Aug 27, 2019, 4:52:34 AM
to qubes-users
Do you have any update on this?
I'll open an issue in qubes issue tracker if not.

THX

rec wins

Aug 29, 2019, 3:01:58 AM
to qubes...@googlegroups.com
so in dom0 you did
$qvm-usb

get the BDM number and do

$qvm-usb attach chromevm sys-usb:X-X

U2F keys will work in chromium for google logins with no
complicated passthrough setup necessary

OTP won't, if the key does more than U2F you may need to get a
configuration application for the key and make sure it's U2F only
slot 1, 2 etc

unman

Aug 29, 2019, 7:49:39 AM
to qubes...@googlegroups.com
Have you looked at the qubes-u2f-proxy package?
https://www.qubes-os.org/doc/u2f-proxy

After installation in dom0 and the relevant template, you enable the
service in the qube you want to use it in, and the device should then
be available for use in that qube.
You *don't* attach the USB device to the qube.

Try that, and see how you get on.

unman

Brendan Hoar

Aug 29, 2019, 8:36:49 AM
to rec wins, qubes...@googlegroups.com
On Thu, Aug 29, 2019 at 3:02 AM rec wins <yre...@riseup.net> wrote:

> OTP won't, if the key does more than U2F you may need to get a
> configuration application for the key and make sure it's U2F only
> slot 1, 2 etc

Yubikey OTP works through a keyboard-like HID, which are blacklisted by default in Qubes. In order to directly attach a keyboard-like device to a VM you have to override this setting.

rec wins

Aug 30, 2019, 2:58:44 AM
to qubes...@googlegroups.com
attaching does work (only in chromium fwiw) even with the FF about:config
changes, though, apparently this isn't 'secure' so

looking at the u2f proxy at this point


Repeat qvm-service --enable (or do this in VM settings -> Services in
the Qube Manager) for all qubes that should have the proxy enabled. As
usual with software updates, shut down the templates after installation,
then restart sys-usb and all qubes that use the proxy. After that, you
may use your U2F token (but see Browser support below).


after installing the proxy in the templates and shutting them down, and
restarting the appVMs based on them..... there is No qvm-service to
do qvm-service --enable

and/or what or where is this supposed to be 'repeated' ?

"Repeat qvm-service --enable for all qubes that should have the proxy
enabled."

sure sounds like by "qubes" what is meant is the AppVMs or TBAVM or
whatever they are called now :)

unman

Aug 30, 2019, 8:40:51 AM
to qubes...@googlegroups.com
"qube" is a "user friendly term for a VM"
(https://www.qubes-os.org/doc/glossary)

qvm-service is a dom0 command line tool - you can also enable the
service in the GUI interface as noted in the instructions.
You enable the service for *each* qube where you want to use the proxy -
that's the "repeat" part.
Check the policy file in /etc/qubes-rpc/policy/

rec wins

Aug 30, 2019, 3:02:44 PM
to qubes...@googlegroups.com
OK seems to be operational now in FF , not sure what I was supposed to
see in /policy/

@dom0 ~]$ !529
cat /etc/qubes-rpc/policy/u2f.Register
$anyvm sys-usb allow,user=root


u2f.Authenticate says the same



Stumpy did you do this :

https://docs.crp.to/qubes.html



need to keep the support organized or it just gets too complicated IMO
or are you Sebastian please bottompost unman, awokd, brendan
are the ones to talk to

unman

Aug 30, 2019, 7:50:04 PM
to qubes...@googlegroups.com
You can configure the policy file so that individual *keys* are tied to
specific qubes, rather than all being available everywhere the proxy is
enabled.
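
An added example, not part of the thread or of Qubes itself: a simplified evaluator for the Qubes 4.0 policy line format shown in the u2f.Register output earlier in the thread, comparing that $anyvm rule with a constructed per-qube policy. The qube names "work" and "untrusted" are assumptions, and it models which qube may call the service, not per-key restrictions.

```python
# Added example: simplified model of Qubes 4.0 qrexec policy files.
# Handles literal qube names and the $anyvm/@anyvm wildcard only;
# $include:, $tag:, $type: and other tokens are not modelled.

WILDCARDS = {"$anyvm", "@anyvm"}

# The rule posted in the thread (same in u2f.Register and u2f.Authenticate).
PAGE_POLICY = "$anyvm sys-usb allow,user=root\n"

# Constructed alternative: only the qube "work" (hypothetical name) may
# reach sys-usb; every other caller is refused.
RESTRICTED_POLICY = """\
# u2f.Authenticate, constructed sample
work    sys-usb  allow,user=root
$anyvm  $anyvm   deny
"""

def parse_policy(text):
    """Return [(source, target, action, params)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith(("$include:", "@include:")):
            continue  # blank, comment-only, include or malformed line
        action, *opts = "".join(fields[2:]).split(",")
        params = dict(opt.split("=", 1) for opt in opts if "=" in opt)
        rules.append((fields[0], fields[1], action, params))
    return rules

def _matches(token, name):
    return token in WILDCARDS or token == name

def decide(rules, source, target):
    """First matching rule wins; no match means the call is denied."""
    for src, dst, action, _ in rules:
        if _matches(src, source) and _matches(dst, target):
            return action
    return "deny"

def wildcard_allows(rules):
    """Rules that let every qube call the service."""
    return [r for r in rules if r[0] in WILDCARDS and r[2] == "allow"]

if __name__ == "__main__":
    for label, text in (("thread", PAGE_POLICY), ("restricted", RESTRICTED_POLICY)):
        rules = parse_policy(text)
        print(label, decide(rules, "untrusted", "sys-usb"), wildcard_allows(rules))
```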

euid...@gmail.com

Sep 1, 2019, 11:59:32 AM
to qubes-users
U2F proxy not working for me, neither Chrome nor FF.

Directly attaching the Onlykey to the vm works for U2F but after detaching, Onlykey is no more a keyboard in dom0.

I did : 


needed in sys-usb ?

THX
Sébastien

 

euid...@gmail.com

Sep 1, 2019, 12:02:42 PM
to qubes-users
Could you post a step by step explanation ? Is your OnlyKey working simultaneously with U2F proxy AND as a keyboard in dom0 ?
THX
Sébastien 

rec wins

Sep 2, 2019, 3:08:48 PM
to qubes...@googlegroups.com
On 8/29/19 2:36 AM, Brendan Hoar wrote:
> On Thu, Aug 29, 2019 at 3:02 AM rec wins <yrebstv-sGOZH3h...@public.gmane.org> wrote:
>
>>
>> OTP won't , if the key does more than U2F you may need to get a
>> configuration application for the key and make sure it's U2F only
>> slot 1 , 2 etc
>>
>
> Yubikey OTP works through a keyboard-like HID, which are blacklisted by
> default in Qubes. In order to directly attach a keyboard-like device to a
> VM you have to override this setting.
>
> See:
> https://www.qubes-os.org/doc/usb-qubes/#enable-a-usb-keyboard-for-login
>
> B
>


I could be wrong but I'm not sure you can use 1 key for both U2F and OTP,
as I mentioned, you may need to use the developers software to
disable one of them. If you disable everything but U2F

then follow the Qubes Docs for U2F


sort of defeats the purpose of an onlykey I imagine, I myself am
using a U2F only yubikey , not OTP gave up on that long time ago