Split gpg is just too cool.


John Smiley

Dec 24, 2018, 7:25:14 PM12/24/18
to qubes-users
Just tried this feature. This is one of the coolest things I've seen in a while. Will try U2F proxy next.

I have to say, getting used to Qubes and absorbing the enormous amount of material available starting from essentially zero on security in general, how Qubes works, Whonix with Qubes, getting everything installed and configured, has been both interesting and frustrating because I can only absorb so much at a time and I've only just scratched the surface.

I have nothing that needs the degree of protection Qubes affords, so this has been more or less an exercise in curiosity for me. The lights are starting to come on. The time spent is beginning to pay off. Qubes is an amazing environment filled with capabilities found nowhere else that I know of. It really reveals how pale and thin monolithic operating systems like Windows, OSX, and Linux really are when it comes to security.

I hope it catches fire and becomes a mainstream environment.

John Smiley

Dec 25, 2018, 9:56:40 PM12/25/18
to qubes-users
U2F Proxy is not so cool. So far no joy getting it to work. Someone on reddit had similar issues and questions and resolved by installing USB keyboard support. That’s not mentioned in the Qubes docs and I hope we don’t have to resort to that. If that were a requirement, surely the docs would have mentioned it.

brenda...@gmail.com

Dec 26, 2018, 9:49:47 AM12/26/18
to qubes-users
On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
> U2F Proxy is not so cool. So far no joy getting it to work. Someone on reddit
> had similar issues and questions and resolved by installing USB keyboard
> support. That’s not mentioned in the Qubes docs and I hope we don’t have to
> resort to that.

I haven't yet tried the U2F proxy, it is on my todo list.

I'm also not quite so happy about the complexity of getting a security focused device (yubikey) working with a security focused OS (QubesOS).

I believe I understand the nature of the yubikey problem, though: Qubes is engineered to protect you from untrusted peripherals...and this somewhat conflicts with the design of yubikeys on multiple fronts: we want to use yubikeys across multiple VMs (using devices across VMs increases risk); yubikeys are composite USB devices, which means they often have multiple endpoints for different functions (HID keyboard plus CCID smartcard/javacard, U2F) which makes securely proxying them more complex; and for those who have serious safety risks, a fake yubikey could destroy one's opsec in multiple ways...even a real one could if you are not careful with your usage.

In my case, I have decided to somewhat compromise QubesOS security a bit and disable the USB/HID keyboard protections in Qubes dom0 for now so that I could log into LastPass with my yubikey OTP in a couple of my VMs without too much fiddling. I have kept notes on the changes and how to reverse them.

So, as I said above, I haven't addressed the U2F compatibility on my current R4 build (but neither do I have a multimedia VM set up with Chrome yet :) ). So, I use my backup method of yubico authenticator on another device and type in six-digit TOTP codes instead of using the U2F functionality.

Anyway, I suggest keeping a running log of modifications/configurations (both TODO and done) somewhere easily accessible across devices (I use a google doc) to speed future configurations/rebuilds. I don't keep anything that needs to be secure there, just notes, simple scripts, etc.

> If that were a requirement, surely the docs would have
> mentioned it.

Haha. Er, I mean, that *should* be the case... :)

Brendan

John Smiley

Dec 26, 2018, 7:25:09 PM12/26/18
to qubes-users
Complex? Yes. Separating the USB stack from the browsers and being able to lock down which browsers can access which keys (ex: banking Qube, shopping Qube, Gmail Qube, etc.) Brilliant and worth the complexity. Just need to get it working now... Docs are leaving something out. I will either update the doc or file an issue once I figure it out.

drogo

Dec 27, 2018, 9:19:17 AM12/27/18
to qubes-users
Just for some extra info, I started experimenting with yubikey on my laptop as well as my desktop. Works fine on the laptop with Chromium, but is odd with Firefox. I have to disconnect the key after sending registration creds, and it will successfully register. Same for authentication with Firefox. I saw a post relating issues with FFX that you should register with Chrome, then just authenticate using FFX.

My laptop was set up with a separate USB qube during install. So I followed the qubes docs for the u2f Proxy and didn't run into any issues, other than the FFX stuff. (Also, I've got the little tweaks for FFX done). For my desktop, (which I'm just starting to test out), it wasn't, so I added a second USB card to use for everything else non-critical. Should have some info on how that goes later. The desktop has a USB keyboard. (Side rant, I wish more mechanical kbds worked well with PS/2).

John Smiley

Dec 27, 2018, 9:28:48 PM12/27/18
to qubes-users
WRT the U2F Proxy: I've got a desktop and a laptop running 4.0.1-rc2 that I've been trying out the U2F proxy with. I have a lengthy issue open on this documenting the problems I encountered, how I resolved them, and some changes I think are needed to make the docs clearer. I will probably end up making the changes myself. Going through the docs on how to maintain the docs tonight.

There are still some rough edges and unanswered questions about the proxy, but the basics are usable in both Firefox and Google Chrome Browser.

Starting testing with the Qubes 4 advanced features next. I hope to end up with a system with a separate Qube for each use case (banking, email, GitHub, online shopping, Google, social media, etc.) where each of them has access only to the keys they need for the services they use. Still not sure if a single Qube is limited to a single key or if it can be configured to have access to multiple keys so that related accounts can be grouped in the same Qube. Will know soon enough.

John Smiley

Dec 27, 2018, 9:29:33 PM12/27/18
to qubes-users

John Smiley

Dec 28, 2018, 1:07:15 AM12/28/18
to qubes-users
"Starting testing with the Qubes 4 advanced features next."

Created a "twitter" qube that has exclusive access to the Yubikey key registered with my Twitter account. That key cannot be accessed from any other qube, just as described in the u2f proxy doc. Nice!

John S.Recdep

Jan 2, 2019, 2:54:57 PM1/2/19
to qubes...@googlegroups.com
On 12/26/18 4:49 AM,
I'd like to see your "notes" on the yubikey and lastpass, as I long ago
gave up on using my Yubikey in OTP mode, despite many trials ....

I have the U2F proxy working it seems but just use it for 2FA for gmail
and such, lastpass I'm stuck using the Authenticator on a Mobile phone
..... because I can't use the OTP

my qubes system has a USB -> PS/2 converter, I might run qubes on
another computer but it has no PS/2 port and I fear botching the
sys-usb and getting locked out of the install again ..... so I don't try

John Smiley

Jan 2, 2019, 7:50:18 PM1/2/19
to qubes-users
If I need to use the YubiKey for OTP, I attach it directly to the qube that needs it and then disconnect it once I no longer need it. For LastPass, I have a Qube just for that which uses a browser that I have marked as trusted, so I only need the YubiKey every 30 days. Not the best solution, but that's where all of my personal keys are. For anon stuff, I have different accounts and use KeepassX on a clone of Vault which is much more secure. I also use different sets of YubiKeys for anon than I do for personal. Those sites that allow for U2F I configure to use the proxy. Those that don't I use the vault.

John Smiley

Jan 2, 2019, 7:56:53 PM1/2/19
to qubes-users
BTW, there is an excellent split config in Qubes for OTP that leverages the standard Linux oathtool, which does exactly the same thing as Google Authenticator, Lastpass Authenticator, etc. They all implement TOTP and generate the same keys given the same starting key and an accurate clock.

https://www.qubes-os.org/doc/multifactor-authentication/
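The point made above, that oathtool and the phone authenticators all produce the same TOTP codes from the same seed and an accurate clock, is shown here as an added example (not from the thread or from Qubes): a minimal RFC 4226/6238 implementation, checked against the RFC test key, with the base32 seed format the apps use and a skew window that illustrates why the clock matters. The base32 secret is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference key ("12345678901234567890"), used only for self-checks.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Same key + same clock = same code."""
    return hotp(key, at // step, digits, algo)


def decode_secret(b32: str) -> bytes:
    """Authenticator apps and otpauth:// URIs carry the seed as base32, often unpadded and spaced."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(key: bytes, code: str, at: int, skew: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or +/- `skew` steps (clock drift tolerance),
    comparing in constant time so a verifier does not leak digit matches via timing."""
    return any(hmac.compare_digest(totp(key, at + d * step, step), code)
               for d in range(-skew, skew + 1))


# Constructed sample secret (the well-known demo value, not a real account seed).
SAMPLE_SECRET_B32 = "JBSW Y3DP EHPK 3PXP"


def current_code(secret_b32: str = SAMPLE_SECRET_B32) -> str:
    """What an authenticator app, or `oathtool --totp -b <secret>`, would show right now."""
    return totp(decode_secret(secret_b32), int(time.time()))


if __name__ == "__main__":
    print("RFC 6238 check at T=59:", totp(RFC_TEST_KEY, 59, digits=8))  # expect 94287082
    print("current code for sample secret:", current_code())
```

Running `oathtool --totp -b JBSWY3DPEHPK3PXP` beside this script on a synchronized clock should print the same six digits, which is the whole reason a split-OTP qube and a phone app are interchangeable.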
