Re: [qubes-users] Re: sys-usb / template install yubikey tools ?


awokd

Jan 17, 2018, 9:05:52 AM
to ThierryIT, qubes-users
On Wed, January 17, 2018 1:09 pm, ThierryIT wrote:
> Nobody ?
>
>
> On Wednesday 17 January 2018 09:23:34 UTC+2, ThierryIT wrote:
>
>> Hi,
>>
>>
>> I am going to install a new sys-usb.
>> I have before to install all what I need to the template (fedora-26)
>> first. When following your procedure:
>>
>>
>> ykpers has been installed but: I cannot do the same for qubes-yubikey-vm
>> and qubes-yubikey-dom0 :
>>
>> no match for argument
>>
>> ideas ?

Not quite sure what you are trying to do here. What procedure? What
command are you entering?

ThierryIT

Jan 17, 2018, 9:09:15 AM
to qubes-users

awokd

Jan 17, 2018, 9:54:58 AM
to ThierryIT, qubes-users
Are you trying this on Qubes 4.0? Those Yubikey packages might not be in
the Qubes repo yet.

ThierryIT

Jan 17, 2018, 10:15:45 AM
to qubes-users
No, I am still under R3.2

Alex Dubois

Jan 17, 2018, 4:03:31 PM
to qubes-users
Hi,

I have not maintained this for some time. So long that I can't remember whether the packages had been created/tested; I don't think they have.

Best is to follow the steps to build it on a new temporary VM; don't be afraid, it should not be too hard:
- Execute the yum command in "Build dependencies"
- Also install pam-devel
- Follow the steps in preparing the build and build
- Deploy the code in Dom0 and the USB VM.

I am about to upgrade to Qubes 4.0 rc4 (when released), so I probably won't be able to help until this is done.

Any help from someone who is used to packaging under Fedora would be nice.

Alex



ThierryIT

Jan 19, 2018, 12:57:16 AM
to qubes-users
Not familiar with this ... Will need a procedure to follow.

Alex Dubois

Jan 19, 2018, 6:19:29 AM
to qubes-users
Sure, I'll update the doc and post here. However, as I said, I don't want to touch my Qubes set-up before my upgrade to 4.0 rc4, so it might be in 2-3 weeks.

ThierryIT

Feb 3, 2018, 5:12:25 AM
to qubes-users
Did you upgrade to Q4R4 ?

Alex Dubois

Feb 3, 2018, 5:42:46 PM
to qubes-users
I'm in the process. Having issues with PCI passthrough of my second NIC that I need to solve. I have to use PV mode for now and am not too happy to have to. I'll open another thread if I can't find a way...

Alex Dubois

Feb 9, 2018, 6:44:36 PM
to qubes-users
Hi Thierry,

I have recompiled it OK. This was working on R3.2. You can test it on R4 but no idea if it will work. I hope to have a bit of time to look at it this week.

To compile it if you want to test / debug in R4:
create a new VM with network (to get the GitHub repo) or without network, but then you'll have to copy the download to the VM by another means. Then:
yum install pam-devel gettext-devel git libtool libyubikey libyubikey-devel -y
yum group install "Development Tools"
git clone https://github.com/adubois/qubes-app-linux-yubikey.git
cd qubes-app-linux-yubikey/
libtoolize --install
autoreconf --install
./configure
make check

files to copy to Dom0 are in folder back-end
files to copy to USBVM are in folder front-end

USBVM should be a VM started on boot with the USB controller that you insert the key in...

Read the doc, it is not polished.
There are mechanisms to detect USBVM compromise, hold-replay attacks, etc...

ThierryIT

Feb 10, 2018, 11:46:05 AM
to qubes-users
Starting to do it, everything went fine, but I do not find the way to copy a folder (not a file) to dom0 ...

Thx

joev...@gmail.com

Feb 10, 2018, 2:16:02 PM
to qubes-users
Yubikey can have different modes of authentication. I remember looking at the work of adubois last year as a possible solution.
My Yubikey has a slot used for Challenge/Response, which is MUCH easier to work with when you have multiple systems and devices.

I guess YubicoOTP would require something like a custom PAM module... but with Challenge/Response, my solution was to use the built-in pam_exec.so to run a very short script when authenticating.

The only dependency is to install ykpers on sys-usb as it uses ykchalresp.

https://gist.github.com/Joeviocoe/929ebde1066a22491bf93ccc9d6c0ba3
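Added example for the challenge/response approach joev describes above. This is not code from the thread or from the linked gist; it shows the verify-then-rotate logic a pam_exec.so script would implement around `ykchalresp`, with the YubiKey itself simulated so it runs offline. Assumptions (mine, not stated on the page): the slot is programmed in HMAC-SHA1 mode, so the key answers a challenge with HMAC-SHA1(slot_secret, challenge), a 20-byte value; dom0 keeps only the current challenge and its expected response, never the slot secret; `chalresp(challenge)` stands in for whatever runs `ykchalresp` in sys-usb (for instance via `qvm-run --pass-io`), and the state-file path and names are hypothetical.

```python
"""Verify-then-rotate for YubiKey HMAC-SHA1 challenge/response (added example).

Assumptions (not from the page): HMAC-SHA1 slot, dom0 stores only
{challenge, expected response}, and `chalresp` is a stand-in for ykchalresp.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Constructed 20-byte slot secret; on a real key it lives only inside the slot.
SLOT_SECRET = bytes.fromhex("6b1b2a3c4d5e6f708192a3b4c5d6e7f8091a2b3c")


def simulated_yubikey(challenge: bytes, secret: bytes = SLOT_SECRET) -> bytes:
    """What an HMAC-SHA1 slot returns for `challenge` (stand-in for ykchalresp -2)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def new_state(chalresp) -> dict:
    """Pick a fresh random challenge and record the key's answer to it.

    The challenge comes from the OS CSPRNG, not from a clock or a counter, so
    a party that controls the USB VM cannot steer it back to a value whose
    response it already captured.
    """
    challenge = secrets.token_bytes(32)
    return {"challenge": challenge.hex(), "response": chalresp(challenge).hex()}


def authenticate(state: dict, chalresp) -> tuple[bool, dict]:
    """Return (ok, next_state).

    On success the challenge is rotated, so the response just seen is
    single-use; on failure the stored state is left unchanged.
    """
    challenge = bytes.fromhex(state["challenge"])
    expected = bytes.fromhex(state["response"])
    got = chalresp(challenge)
    if len(got) != 20 or not hmac.compare_digest(got, expected):
        return False, state
    return True, new_state(chalresp)


def save_state(path: str, state: dict) -> None:
    """Write the state file readable only by its owner (root in dom0)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)


def load_state(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Enrol, log in once, then try a replay and a key with the wrong secret."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "yubikey-chalresp.json")  # hypothetical location
        save_state(path, new_state(simulated_yubikey))
        first = load_state(path)
        login_ok, second = authenticate(first, simulated_yubikey)
        save_state(path, second)
        mode = os.stat(path).st_mode & 0o777
        # Replay: feed back the response captured during the previous login.
        captured = bytes.fromhex(first["response"])
        replay_ok, _ = authenticate(second, lambda c: captured)
        # A key programmed with a different secret.
        wrong_key_ok, _ = authenticate(
            second, lambda c: simulated_yubikey(c, b"\x00" * 20))
        return {
            "login_ok": login_ok,
            "rotated": second["challenge"] != first["challenge"],
            "replay_ok": replay_ok,
            "wrong_key_ok": wrong_key_ok,
            "state_mode": mode,
        }


if __name__ == "__main__":
    print(demo())
```

In a real pam_exec.so deployment the script would read `PAM_USER` from the environment, pick that user's state file, exit 0 on success and non-zero otherwise; the part worth keeping from this example is that the challenge is random and rotated after every successful login, and that the state file is never world-readable.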

Alex Dubois

Feb 10, 2018, 3:55:35 PM
to qubes-users


> On 10 Feb 2018, at 20:16, joev...@gmail.com wrote:
>
> Yubikey can have different modes of authentication. I remember looking at the work of adubois last year as a possible solution.
> My Yubikey has a slot used for Challenge/Response, which is MUCH easier to work with when you have multiple systems and devices.
>
> I guess YubicoOTP would require something like a custom PAM module... but with Challenge/Response, my solution was to use the built-in pam_exec.so to run a very short script when authenticating.

My solution is a custom PAM module with password + OTP and a master password (to use if the USB VM is compromised).
This OTP slot of the Yubikey is then dedicated to one Qubes.
I made sure you can't forget the yubikey in the slot: the OTP is transmitted to USBVM when the key is pressed and transmitted to Dom0 when you remove the key.
If on key removal you are not authenticated, you have to assume that USBVM is compromised and may be used for a hold-and-replay attack. You have to go to a secure area, log in with the master password, destroy USBVM and reinstall the front-end + re-initialise the PAM.
If you press the yubikey by mistake, I think you also have a risk of compromise and have to do the same.

The challenge response is more practical but I feel less secure (I might be wrong); I have not looked deeply into it. E.g. influencing the generation of the challenge (to be the same as a previous one) via the clock.
>
> The only dependency is to install ykpers on sys-usb as it uses ykchalresp.
>
> https://gist.github.com/Joeviocoe/929ebde1066a22491bf93ccc9d6c0ba3
>

Alex Dubois

Feb 10, 2018, 3:58:15 PM
to ThierryIT, qubes-users
You can compress the folder

tar czvpf QubesBack.tgz name of folder

And in dom0
tar xzvpf QubesBack.tgz

Might have some typo there...

ThierryIT

Feb 11, 2018, 3:08:52 AM
to qubes-users
On Saturday 10 February 2018 22:58:15 UTC+2, Alex Dubois wrote:
So what I have done:

In dom0:
- copy qubes.2fa to qubes-rpc and qubes-rpc/policy
- copy qyk2fa to /usr/bin/
- copy the folder yubikey to /var

In sys-usb:
- copy 99-qubes-usb-yubikey.rules to /etc/udev/rules.d
- copy the folder yubikey to /lib

Reboot .... Doesn't seem to work :)

Am I making a mistake somewhere?

Thanks

ThierryIT

Feb 21, 2018, 4:01:45 AM
to qubes-users
On Wednesday 14 February 2018 09:49:37 UTC+2, ThierryIT wrote:
> Hello,
>
> Any news ?
>
> Thx

Dear Alex,

Is what I have done correct ?

Thx

Alex Dubois

Feb 24, 2018, 2:49:49 PM
to qubes-users
Hi Thierry,

I looked at the code a bit today. The way USB HIDs are mapped is different.
It is now a /dev/hidrawX. The encoding is different. I need to dig a bit; it will not work as is on R4.

ThierryIT

Feb 28, 2018, 1:37:14 AM
to qubes-users
Hi,

The problem was a mix of Fedora-26 templates between my old R3.2 and the R4.4.
Once I installed the right package version of "qubes-core-agent", which should be 4.0.23, I am able to attach the Yubikey. Nothing more has to be done.
Thx anyway for your full support.
Thx

Alex Dubois

Feb 28, 2018, 4:38:30 AM
to qubes-users
I suspect you are referring to attaching the Yubikey to an AppVM and using the challenge/response mechanism of the Yubikey, not the Qubes Yubikey OTP PAM module?