Yubikey with smartcard and HOTP together
50 views
Skip to first unread message
Konstantin Ryabitsev
Feb 6, 2018, 11:12:05 AM2/6/18
to qubes...@googlegroups.com
Hi, all:
This is a different and a more nuanced problem than recently discussed,
and I'm not sure if there's a solution, but I wanted to ask. :)
Yubikey-4 can act in multiple capacities:
- Smartcard
- U2F device
- HOTP
HOTP functionality is really just a keyboard and registers with Linux as
such (USB keyboard). With 3.2 I was attaching the USB controller
directly to the VM where I was doing the work that required the
smartcard/HOTP functionality and both worked just fine. With 4.0 I
created a separate sys-usb VM and it seems I can use only one or the
other, not both.
When I plug in the yubikey, it registers correctly and I get a pop-up
notification that it's available to be used. At that point, I am able to
use HOTP-press without needing to attach the device to my work vm
(because it's a "keyboard"). However, if I want to use the smartcard
functionality, I have to assign the device to the work VM -- and gnupg
interacts with it correctly. However, once I do that, I am no longer
able to use HOTP -- pressing the button does nothing.
Any ideas if this is fixable at all, or is it the downside of the way
USB devices are assigned with usb-proxy?
Best,
--
Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation
This is a different and a more nuanced problem than recently discussed,
and I'm not sure if there's a solution, but I wanted to ask. :)
Yubikey-4 can act in multiple capacities:
- Smartcard
- U2F device
- HOTP
HOTP functionality is really just a keyboard and registers with Linux as
such (USB keyboard). With 3.2 I was attaching the USB controller
directly to the VM where I was doing the work that required the
smartcard/HOTP functionality and both worked just fine. With 4.0 I
created a separate sys-usb VM and it seems I can use only one or the
other, not both.
When I plug in the yubikey, it registers correctly and I get a pop-up
notification that it's available to be used. At that point, I am able to
use HOTP-press without needing to attach the device to my work vm
(because it's a "keyboard"). However, if I want to use the smartcard
functionality, I have to assign the device to the work VM -- and gnupg
interacts with it correctly. However, once I do that, I am no longer
able to use HOTP -- pressing the button does nothing.
Any ideas if this is fixable at all, or is it the downside of the way
USB devices are assigned with usb-proxy?
Best,
--
Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation
Tim W
Feb 6, 2018, 9:01:31 PM2/6/18
to qubes-users
Be interested to see if that functionality can be made to work smoothly. I could be wrong but sounds like the yubikey would have to be reset as a regonized device for that to work. Something has to reintialize the keyboard function as that is released once the device is assigned to a vm. That is if I am understanding it correctly.
Reply all
Reply to author
Forward
0 new messages