U2F on Gmail not working (using Chrome on Personal AppVM)


qube...@gmail.com

May 12, 2018, 8:03:11 AM
to qubes-users
Hello there, I was wondering if there is a workaround to make this work.
I have a Yubikey with U2F, which has the dual purpose of being a normal Yubikey as well as being able to do U2F when the web browser requests it.

I am on the latest stable Qubes 4.0.
This is so far what I have been doing:

1) I go to gmail.com and enter my user and password.
2) I plug the Yubikey into the laptop, sys-usb recognizes it.
3) I "attach" the USB to "personal" from the sys-usb.

And nothing happens, the Yubikey is not blinking, the light stays steadily on.
It doesn't react in any way when I touch it; it is neither generating yubikeys nor the U2F.

Does anyone have a solution to this?
Regards

qube...@gmail.com

May 16, 2018, 12:09:12 AM
to qubes-users

I've read that there are ways to connect the USB as a passthrough straight to the AppVM, but I find it ironic that to log in securely to the email we have to lower the security of the OS. I also have a Yubikey NEO and the sys-usb attached to the personal VM doesn't allow the use of the U2F. Is this by design or is it an issue to be fixed?

If anyone effectively solved this issue please let me know.

john

May 16, 2018, 2:07:14 AM
to qubes...@googlegroups.com
On 05/15/18 18:09, qubesque-Re5JQE...@public.gmane.org wrote:
That goes for all 3 of my expensive Yubikeys; since 4.0, I can't use them and
am falling back to SMS 2FA, which I am not happy about. In my case
it's for 2FA for a pw manager, HOTP or OTP, not even sure ..... have given up

Benjamin Mord

May 16, 2018, 3:56:01 PM
to qubes...@googlegroups.com
Is this the same as issue 3524?

I am thinking it is different. I am new to Qubes, but it sounds like no U2F-specific sanitizing proxy exists, and like this is what is being proposed. I wonder if remoteu2f would be a good starting point for such a feature, although code comments suggest it is not yet doing sanitizing, which would need to be added.

Name

May 16, 2018, 8:16:28 PM
to qubes...@googlegroups.com
On 05/16/18 09:55, Benjamin Mord wrote:
> Is this the same as issue 3524?
> https://github.com/QubesOS/qubes-issues/issues/3524
> https://github.com/QubesOS/qubes-issues/issues/3612

.....I don't think the attachment is the issue, I can attach the
Yubikeys, the problem is they aren't operational as designed, and the
issue gets confused, as people use the keys for various things that
aren't the same, e.g. the Qubes docs talking about Yubikeys for
authentication login, etc.


>
> I am thinking it is different. I am new to Qubes, but it sounds like no
> U2F-specific sanitizing proxy exists, and like this is what is being
> proposed. I wonder if remoteu2f would be a good starting point for such a
> feature, although code comments suggest it is not yet doing sanitizing,
> which would need to be added.
>

.....if you fix U2F (which might be nice as apparently FF60.0 now
supports U2F, before it was just Chrome) ..... please also fix OTP. In
Q3.2 with no sys-usb I was able to use all my keys, FWIW ....... I
would think with 30,000 Qubes users, that there should be many
security-focused people with Yubikeys, but I have only seen it
mentioned rarely, e.g. by the host of the GitHub project above,
Mr. Thiery, in some 2018 posts, but AFAIK he was never able to find a
solution

Troy

May 17, 2018, 9:41:31 PM
to qubes-users

Hello, I was able to successfully log into Gmail using Google Chrome on a Debian AppVM on Qubes R4.0.

Questions for your own issue:
1. What template are you using for your AppVM?
2. Have you tried to install the qubes-usb-proxy tool on the template for your AppVM?
3. Have you tried the command-line qvm-usb attach [VMName] [USB ID]? Did it return any errors? You can list the USB IDs by entering "qvm-usb" into dom0 terminal.

Documentation: https://www.qubes-os.org/doc/usb/

Marek Marczykowski-Górecki

May 19, 2018, 10:08:09 PM
to qube...@gmail.com, qubes-users
In Fedora (template) you need to install the u2f-hidraw-policy package; it
will set up udev rules to fix device permissions.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
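
The thread separates two failure modes: the token never reaches the AppVM, or it is attached but the browser user cannot open its hidraw node, which is what the udev rules address. The following check is an added example, not part of the message above or of any Qubes package; the function name `check_hidraw_access` and its directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): run inside the AppVM after attaching
# the token. It tells "not attached" apart from "attached but not accessible".
# Return codes:
#   0 = at least one hidraw node is readable and writable by this user
#   1 = hidraw nodes exist but none is accessible (permissions problem)
#   2 = no hidraw node present (nothing attached to this VM)
# Note: any HID device creates a hidraw node, so code 0 only shows that
# access is possible, not that the node belongs to the U2F token.
check_hidraw_access() {
    dev_dir="${1:-/dev}"   # hypothetical parameter so the check can be tested
    found=0
    usable=0
    for node in "$dev_dir"/hidraw*; do
        [ -e "$node" ] || continue      # unmatched glob stays literal; skip it
        found=$((found + 1))
        # [ -r ] / [ -w ] ask the kernel, so ACLs set by udev are honoured too
        if [ -r "$node" ] && [ -w "$node" ]; then
            usable=$((usable + 1))
            echo "OK      $node"
        else
            echo "DENIED  $node ($(ls -ld "$node" | awk '{print $1, $3, $4}'))"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no hidraw nodes under $dev_dir: token is not attached to this VM"
        return 2
    fi
    if [ "$usable" -gt 0 ]; then
        return 0
    fi
    echo "hidraw nodes exist but $(id -un) cannot open them: check udev rules"
    return 1
}
```

Source the file and call `check_hidraw_access` with no argument as the same user that runs the browser; it then scans `/dev`.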

john

May 19, 2018, 10:35:56 PM
to qubes...@googlegroups.com
On 05/19/18 16:08, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
......what about the same thing but for OTP, for a cloud password
manager 2FA?

------the 2 Yubikey packages, 1 for Fedora, 1 for Qubes, don't seem to
have any effect

john

May 20, 2018, 1:58:55 AM
to qubes...@googlegroups.com
On 05/19/18 16:08, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
not so surprising: in Fed28, FF60, Q4.0, adding this package, attaching
the key to the AppVM, logging into webmail (Gmail), this does nothing,
it immediately fails; however it does work! in Chromium, surprise
surprise. Now if OTP would work, that would be nice

john

May 22, 2018, 7:20:13 PM
to qubes...@googlegroups.com

>> -----END PGP SIGNATURE-----
>>
>
> not so surprising in Fed28 , FF60, Q4.0, adding this package, attached
> the key to the AppVM, logging into webmail (gmail) this does nothing ,
> it immediately fails ;    however it does work !  in chromium  surprise
> surprise ,  now if OTP would work would be nice
>

Found out in FF60 one must do about:config and enable U2F, then my
blue U2F Yubikey works on Gmail, but NOT my Yubi Neo, I am guessing
because the Neo supports > 1 format, and I haven't tried it by
disabling the other functions/slots

too bad OTP couldn't work the same way, as it's the more important one to
me ..........**BUMP