Problems installing Alex Dubois' Yubikey app in dom0 on Qubes R3

[Miguel Jacq]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I recently installed Qubes R3 RC1 and I'd like to integrate Yubikey
into the dom0 authentication (e.g for login to the Qubes OS itself -
not for integration with remote services at this stage).


I am trying to follow the instructions at
https://github.com/adubois/qubes-app-linux-yubikey but I have hit a
blocker: the installation instructions say to run this in the USB AppVM:

sudo yum install qubes-yubikey-vm

But I get:

[user@fedora-21 ~]$ sudo yum install qubes-yubikey-vm
Loaded plugins: langpacks, post-transaction-actions, yum-qubes-hooks
No package qubes-yubikey-vm available.
Error: Nothing to do
[user@fedora-21 ~]$


And the instructions for the dom0:

sudo yum install qubes-yubikey-dom0

.. I get

"No package qubes-yubikey-dom0 available'

My questions are:


1) Are the yubikey packages not present in R3 (yet?) or do I do need
to do something special to enable the Qubes repository? (I'm from
Debian background and not RH/Fedora so it could be that I don't know
some extra Yum task that's been assumed by the author)

2) The instructions discuss personalizing the Yubikey with a symmetric
AES key (presumably in OTP mode). My Yubikey is already configured in
OTP because it is used with my own Yubikey validation server(s)
elsewhere. Can I just reuse the AES key which I already know is on my
Yubikey's first slot? (I can't use the other slot either as it serves
a different purpose) ).

Many thanks (especially to Alex Dubois for providing the Yubikey app,
if he's reading this)

P.S I'd have sent this to qubes-users but Alex's documentation asks
explicitly to use the qubes-devel list.


Miguel







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVPcsxAAoJEM5kOiC2AzVHdUgP/3dc1wnsuRS7aMz9cvW180IQ
eUdoS5bY2VjbtyZpaNp9B4RsNx3wn8AyyjEqD8zIAfxBXRWec00370B3kKsqtity
Ib1vZD/d2SttH5vOw+Lo7fZUfrX5en0dZZLmZID2dSDAYKcbytgDvv3EdwhFDIF6
beboRm5hCJ5EV6gCCVR2bEm/Yk/lLfcpOHO8YM8iG4NOMDj5ujIXUdJ55Vri8/ZJ
VyToLPAkUu+62Umig006OLqYT0bVCr1WUNCIe/0A8KTGhhxheaWv/f2LGz+03/TK
3i18Irt4ezWjlD+AbtUphTNCuJaFg7QatxWbBu+P5+wC5+AvgrCMp/S4F3s4bg8E
WG/aRtEUA++mjHkTOAHpzViZLaG6avR/jhJ/7RBxvdbMmUDLizlre6DLLSqZTYSw
492ExcSVIPE49KY8BAiDGfhs4S4X6hNuv+jJsov/copw8uoDGXXOE+sjNcVoiXPb
N+lVzTuWoVeDME6CY93EX24Ajp0VCfSnI+7xTeCBcNOFZ4h2a4FL3ovNcTMFCGMB
0WQIZe+4CEntun7kFU6BGnjgr7wZvzXIX79JN6r8pMRf3oclb37n0SOz9+wzBHhx
o42EgzHS8UPbJAxMt5nyrT06mgMhzX3YyKoDwyC87pf+efoPsS6jxKWRV/j/qyzM
WdsNtGZtevZ1o7EO3tbg
=zsfR
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Apr 27, 2015 at 03:37:53PM +1000, Miguel Jacq wrote:
> Hi,
>
> I recently installed Qubes R3 RC1 and I'd like to integrate Yubikey
> into the dom0 authentication (e.g for login to the Qubes OS itself -
> not for integration with remote services at this stage).
>
>
> I am trying to follow the instructions at
> https://github.com/adubois/qubes-app-linux-yubikey but I have hit a
> blocker: the installation instructions say to run this in the USB AppVM:
>
> sudo yum install qubes-yubikey-vm
>
> But I get:
>
> [user@fedora-21 ~]$ sudo yum install qubes-yubikey-vm
> Loaded plugins: langpacks, post-transaction-actions, yum-qubes-hooks
> No package qubes-yubikey-vm available.
> Error: Nothing to do
> [user@fedora-21 ~]$
>
>
> And the instructions for the dom0:
>
> sudo yum install qubes-yubikey-dom0
>
> .. I get
>
> "No package qubes-yubikey-dom0 available'
>
> My questions are:
>
>
> 1) Are the yubikey packages not present in R3 (yet?) or do I do need
> to do something special to enable the Qubes repository? (I'm from
> Debian background and not RH/Fedora so it could be that I don't know
> some extra Yum task that's been assumed by the author)

Actually this was never available in qubes repository, so you need to
compile the package on your own. The readme file contains instructions
on this installation method.

> 2) The instructions discuss personalizing the Yubikey with a symmetric
> AES key (presumably in OTP mode). My Yubikey is already configured in
> OTP because it is used with my own Yubikey validation server(s)
> elsewhere. Can I just reuse the AES key which I already know is on my
> Yubikey's first slot? (I can't use the other slot either as it serves
> a different purpose) ).

Currently qubes-app-linux-yubikey does not allow for that - it requires
that the YubiKey is used exclusively for Qubes and if some missing OTP
is detected, it blocks this way of authentication. This is well
described in "Usage" paragraph, including reasoning why it is done this
way.

> Many thanks (especially to Alex Dubois for providing the Yubikey app,
> if he's reading this)
>
> P.S I'd have sent this to qubes-users but Alex's documentation asks
> explicitly to use the qubes-devel list.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVXQA3AAoJENuP0xzK19csi/YIAJEHW7A1V3Og7vMkfIfFeN6b
SWCChhoYtWdgBF1UYselUwopbWC/eknIk7fgKku5iOFSrt8RjCkb/BFSGcchWg6i
TJrN0MVCT/Iffw3tV7UcQ9sWlQ9rGgoSwd+VKX9yqmz2xTdF/88Sn5ATUmrAmQot
Un1I8rmBpwUG7zdx71ZEZpImO1rwJFRSDBuxqDR73V2thX3tNRzq35/sov2GtZQP
PgGnhvjPQExtnV9Yxc6ETcezMzP5KkhRz+kHCBrId66lI3+dLXpK5uD5hpxHraw8
rPWmfENR7yOwSGO5EG2ZMPsaUC5dXWrGoL8LRYsA5djJipQygu5KQXhD4KCiqk0=
=acDP
-----END PGP SIGNATURE-----

[Alex Dubois]

Hi Miguel,

I was no longer on the devel mailing list, but now I am back. I'm glad you find it useful. If you have it running and are using it, feedback on usability would be great. As for the install part, please read below, it should soon be easier to do it.

>
> P.S I'd have sent this to qubes-users but Alex's documentation asks
> explicitly to use the qubes-devel list.

Hi Marek,

I saw you've done some work on the github repo. I've re-joined the devel mailing list.

Thanks for your help, I'll review and merge the changes hopefully by the end of the week-end. I may need some help on the git side.

Do you want to add this to the community tools? Let me know how to proceed, I'll be happy to help support this package. I'm also happy to explore other strong-auth options if there are needs.

Cheers,
Alex

Alex

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, May 20, 2015 at 10:43:53PM -0700, Alex Dubois wrote:
> I saw you've done some work on the github repo. I've re-joined the devel
> mailing list.
>
> Thanks for your help, I'll review and merge the changes hopefully by the
> end of the week-end. I may need some help on the git side.
>
> Do you want to add this to the community tools? Let me know how to proceed,
> I'll be happy to help support this package. I'm also happy to explore other
> strong-auth options if there are needs.

I think its a good idea to have it in our repositories out of the box.
First I need to review the code though. This is one reason why I've
removed files which can be automatically generated - to reduce amount of
code to review...

I've added some documentation here:
https://www.qubes-os.org/doc/YubiKey/
Especially an option for challenge-response mode. What do you think
about it?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVY7KHAAoJENuP0xzK19cszl4IAIuqBxBVN4mQ67ljJ+5eqE+E
n+HbGjTk8th3MaCIFeqNc+ejSoX/uXZ2ogkVhFKib4gEfxN5BkygID28odmNrn/G
/VJVuCVZ/stv1GY+0Gdzdu2w2fqLM2qBhqnBVjyVIqVJIv22uE9YXTeql8NGrJer
ENRfZnlHNpowX2ISgJsDusSAYXNGb0uuPNKROeP3ZBWocs7KSXFPlWyIXwM3jMjP
kxqQeA/qPM3xi3wg3VegSTYAN8rrk7wsdkOsEfzfM56ZasiwMKjcA/dhTIwoLDd0
7PhXv+FEdKyZMJUgd+ycgO9u2nLTrtD91/Yg1neCCVzuB0uwbEVWuID9wvIJNJ4=
=i1xe
-----END PGP SIGNATURE-----

[Miguel Jacq]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 26/05/15 09:38, Marek Marczykowski-Górecki wrote:
>
> I've added some documentation here:
> https://www.qubes-os.org/doc/YubiKey/ Especially an option for
> challenge-response mode. What do you think about it?

Thanks for the docs. I find that my Yubikey (in challenge response
mode) works immediately when I plug it into dom0.. is this meant to be
the case? (i.e it works by default in dom0 even before being assigned
to a domU - not a security risk?)

In other words I found that I could use the challenge response mode
directly in the dom0 as expected with the relevant tools, but of
course this was for testing and I know it's not 'right' to install
such extra tools to the dom0.

So, it 'feels' more like the Qubes way to use some USB VM for this, but:

a) how to properly protect the dom0 when it seems to accept the
Yubikey by default

b) I can't see the Yubikey listed as a device to assign to a VM - is
it one of the USB controllers? (but which one? For me, several are
listed and nothing specifically 'Yubikey' mentioned about them).
Adding this to the docs would be nice.

Also I assume you must always ensure the USB VM is running if you want
to use the xscreensaver, KDM etc without locking yourself out (!) Am I
right? If so, worth mentioning in the docs too I think.

Cheers

Mig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVZEM4AAoJEM5kOiC2AzVHMHwQAMf62Ew3i97ORsujHUwBSCe7
MB2Tj7Ul+Jloog93sBi7fIxQDw+6dLPKbEft77ubxkfnK7uDp7jHL+iIBiE8Oen5
ELic4HJF1YVoV2uNKxtWkdpPjBZnfDLIJ/OL/pSPWk1htUK1l6gS1tjyrOt/LSzu
GN+ar1gOvMt8AeyB+aqQyhWqfTL20BG8V7TnyNwBF0f6Ghvl1NpfstkfkwPvqtKA
uy70oyQzkGehRrTQE62WIbY3KfgwB6DmrV0eqvQzfVQWmBQmtR/k66D8Xz03WTZ+
7mHrrgZ2DPbMFw+LVha4YB1wr8nuHZkesJHc2M+xAIUobUEXx0Yc8Fsx6mxJ+INR
lm5zYPuijUkEgd13l8douB/H7JrtxO3FfJoeTfVtJ94EuL9hv20MPlifj+YVKW5A
SVO9PGvOXLc/vrpALkjwSSI+HBZnpWPIgPdxtkrFAnfsUNJRbgc0nPZhHCmnt37p
MMUVAF+ykJVQMaVVpqQLmtMnV1SGxs4IaWm0dFrIFHQ5DdM0lopT7MqC2YywQqkM
OxOEMJxy8Zql0JwnFBw+9fMioR9kAeVehm3c8A6RwEwNGi/TI5X2dNzVo5RS6lmw
gdCAu9bYScWHvzeEXhWKSFSgjGSY4cdm9qiUVu18xqoQZyyZlg5U36/JZ7/I3J9P
HnWkGyQlRxaSW+eWDe3l
=XeuF
-----END PGP SIGNATURE-----

[Andrew]

Miguel Jacq:

> Hi,
>
> On 26/05/15 09:38, Marek Marczykowski-Górecki wrote:
>
>> I've added some documentation here:
>> https://www.qubes-os.org/doc/YubiKey/ Especially an option for
>> challenge-response mode. What do you think about it?
>
> Thanks for the docs. I find that my Yubikey (in challenge response
> mode) works immediately when I plug it into dom0.. is this meant to be
> the case? (i.e it works by default in dom0 even before being assigned
> to a domU - not a security risk?)
>
> In other words I found that I could use the challenge response mode
> directly in the dom0 as expected with the relevant tools, but of
> course this was for testing and I know it's not 'right' to install
> such extra tools to the dom0.
>
> So, it 'feels' more like the Qubes way to use some USB VM for this, but:
>
> a) how to properly protect the dom0 when it seems to accept the
> Yubikey by default

Add 'rd.qubes.hide_all_usb' to GRUB_CMDLINE_LINUX in
Dom0:/etc/default/grub and re-generate grub.cfg. This does not set up
DMA remappings by default, but will prevent Dom0 from loading a driver
for the USB controller very early in the boot process (IIUC).

The best thing to do is indeed to also use a dedicated USB VM, set to
autostart.

> b) I can't see the Yubikey listed as a device to assign to a VM - is
> it one of the USB controllers? (but which one? For me, several are
> listed and nothing specifically 'Yubikey' mentioned about them).
> Adding this to the docs would be nice.

Yes, it's one of the USB controllers. You can only assign PCI devices
to VMs. To map out which controller has which ports, you can try
plugging devices in and using lsusb -v. Maybe Marek has a better way.

> Also I assume you must always ensure the USB VM is running if you want
> to use the xscreensaver, KDM etc without locking yourself out (!) Am I
> right? If so, worth mentioning in the docs too I think.

I suppose so. Just set your USB VM to autostart.

Andrew

[bow...@gmail.com]

> On 26 May 2015, at 00:38, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> On Wed, May 20, 2015 at 10:43:53PM -0700, Alex Dubois wrote:
>> I saw you've done some work on the github repo. I've re-joined the devel
>> mailing list.
>>
>> Thanks for your help, I'll review and merge the changes hopefully by the
>> end of the week-end. I may need some help on the git side.
>>
>> Do you want to add this to the community tools? Let me know how to proceed,
>> I'll be happy to help support this package. I'm also happy to explore other
>> strong-auth options if there are needs.
>
> I think its a good idea to have it in our repositories out of the box.
> First I need to review the code though. This is one reason why I've
> removed files which can be automatically generated - to reduce amount of
> code to review...
>
> I've added some documentation here:
> https://www.qubes-os.org/doc/YubiKey/
> Especially an option for challenge-response mode. What do you think
> about it?
>

Sorry missed your reply. OK, I agree that it is better in your repo as it vet the solution, if you need me to document or fix things, let me know.

I'll review all the work you did.

I am happy to also look into challenge response but I find it less secure as you have the risk of someone targeting your Dom0 random number generator (maybe Yubikey implementation has some tweaking in its implementation to protect against it) to manage to replay a response to a not-so-random challenge after a number of times.

Alex

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, May 26, 2015 at 07:31:23PM +0100, bow...@gmail.com wrote:
>
>
> > On 26 May 2015, at 00:38, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >> On Wed, May 20, 2015 at 10:43:53PM -0700, Alex Dubois wrote:
> >> I saw you've done some work on the github repo. I've re-joined the devel
> >> mailing list.
> >>
> >> Thanks for your help, I'll review and merge the changes hopefully by the
> >> end of the week-end. I may need some help on the git side.
> >>
> >> Do you want to add this to the community tools? Let me know how to proceed,
> >> I'll be happy to help support this package. I'm also happy to explore other
> >> strong-auth options if there are needs.
> >
> > I think its a good idea to have it in our repositories out of the box.
> > First I need to review the code though. This is one reason why I've
> > removed files which can be automatically generated - to reduce amount of
> > code to review...
> >
> > I've added some documentation here:
> > https://www.qubes-os.org/doc/YubiKey/
> > Especially an option for challenge-response mode. What do you think
> > about it?
> >
>
> Sorry missed your reply. OK, I agree that it is better in your repo as
> it vet the solution, if you need me to document or fix things, let me
> know.
>
> I'll review all the work you did.

Just review that pull request - I haven't actually tested it...
When you say it's good to go, I'll review that code and (if ok) upload
the binaries to our yum repository.

> I am happy to also look into challenge response but I find it less
> secure as you have the risk of someone targeting your Dom0 random
> number generator (maybe Yubikey implementation has some tweaking in
> its implementation to protect against it) to manage to replay a
> response to a not-so-random challenge after a number of times.

Yes, this may be an issue. I don't know how practical this attack would
be anyway - the challenge is 64 bytes and Qubes environment (many
different VMs) makes it really hard to assume anything about for some
interactions in hardware. Anyway, personally I have setup YubiKey to
require confirmation (using its button) to protect against such tries.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVZNgvAAoJENuP0xzK19cso+sH/2t48j8YwFX7W5mQQlCa0iXW
uFANuyf8CkKN9K3BPgMjUNM6Q/mE4sIjYWEeI+I8w1QeQtbnun1tPvwdg3LrubLf
6XN3OeerfPYyYHmT2QBpY4Y9pRr7Ecr7lOsZ4ZMdaJLHyljM6gSd1wo3xGMOvW2F
bDlo+kZ+9q+EBB/GDx9z854lEJGMEmhpEXI0o7SiiK3PUz1JtDKlTsVGkDviUIwa
htaaSMDfS8JrLLl9t8CEkkiHYBmu95xHM7cyw4iSXOjIq7hZhFW5Aqi24Z4aZkEi
ejmB7JWdDDM6yczOpUI0fPsnsaajvlMOscVt0RH3Z+f5Hvjo8xEbNn3jsJBUyzM=
=lU3u
-----END PGP SIGNATURE-----

[bow...@gmail.com]

OK yes will do. I would prefer your binary to be compiled on your usual set-up as I am not taking any particular precaution on my side.

>
>> I am happy to also look into challenge response but I find it less
>> secure as you have the risk of someone targeting your Dom0 random
>> number generator (maybe Yubikey implementation has some tweaking in
>> its implementation to protect against it) to manage to replay a
>> response to a not-so-random challenge after a number of times.
>
> Yes, this may be an issue. I don't know how practical this attack would
> be anyway - the challenge is 64 bytes and Qubes environment (many
> different VMs) makes it really hard to assume anything about for some
> interactions in hardware. Anyway, personally I have setup YubiKey to
> require confirmation (using its button) to protect against such tries.

The risk is the USBVM (which is assumed compromised) can request a large number of challenges until it gets the same value (only feasible in a timely manner if entropy source is attacked).
This is at the moment pure speculation, let me dig into the implementation code.

[bow...@gmail.com]

Alex

OK, I've accepted the pull request. I still need to test the overall process.

At the moment I am trying to find out the USB mapping for my current hardware...

I'll let you know when done.

Alex

[rae....@gmail.com]

any luck on the binary being in the repo yet? or do we need someone to test it still? as i have a yubikey neo - and would appreciate it being in the repo as in a rush to get the laptop setup for work - and it just makes it easier if the apps are ever updated