On 10/15/18 9:37 AM, John Maher wrote:
On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote:
g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:
John Maher:
I have an OnlyKey and have been unable to figure out how to make use of it in
Qubes OS 4.0.
Relevant info:
* OnlyKey requires either its app being opened on the computer or one's ability
to go to https://apps.crp.to (simply via a browser) in order to set its time.
* I used info from this page
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the OnlyKey
to operate as a USB keyboard. Doing this resulted in the OnlyKey being attached
to sys-usb and outputting text (password info) in dom0 and any other qube.
* Although the OnlyKey can output like a USB keyboard in any qube, it cannot
get its time set without being specifically attached to an appVM that either
has the OnlyKey app or can access https://apps.crp.to, so TOTP will not
function.
* Using the yellow drop down icon to attach the OnlyKey to a qube that has the
app results in (1) the time on the OnlyKey being set, and (2) the OnlyKey no
longer working as a USB keyboard anywhere.
* Detaching from the qube does not restore the OnlyKey's ability to function as
a USB keyboard.
Short of installing the OnlyKey app in sys-usb, is there anything else I can
try? (And I don't even know if that would work.)
Even if I decided it was ok to install the app in sys-usb, sys-usb is based on
Fedora, and OnlyKey only has a deb package. Installing on Fedora has proven to
be very problematic.
Thanks for any help you can provide.
John
Hi John,
I don't have an OnlyKey and unfortunately probably can't really help you
to debug the issues with it not being able to act again as an HID device
after attaching it directly to a VM.
However, you can absolutely use a Debian-based VM as your sys-usb qube;
just install the Debian 9 template and set your sys-usb qube to use it
as its template. Also make sure the qubes-usb-proxy package is installed.
As for the HID issues, I do have one suggestion: have you tried not only
detaching the device from the AppVM, but also physically removing the
USB device and re-inserting it?
No OnlyKey either, but I think it is possible to have two USB
"keyboards" in Qubes if you edit the file described here:
https://www.qubes-os.org/doc/usb/#r32-manual.
Thanks for your responses. I figured out a solution.
I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated some
basic security principles relative to how Qubes is intended to be used, but I
accept the compromise, which I think (hope) is minimal.
Because an OnlyKey needs a time source in order for its TOTP feature to
function, either the OnlyKey app (standalone or Chrome extension) or navigating
to https://apps.crp.to, after the OnlyKey is inserted into a USB port, needs to
be available. In Qubes, I discovered that inserting the OnlyKey (and unlocking
it with the PIN) and attaching it to the appVM where I want to use it resulted
in the OnlyKey not functioning as a keyboard, which is needed to do its job. In
dom0, adding this line to the top of /etc/qubes-rpc/policy/qubes.InputKeyboard
(see https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the
OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey to a
VM):
    sys-usb dom0 allow,user=root
However, to use TOTP it still needed access to the app or to
https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, the
OnlyKey stopped functioning as a keyboard, even when I detached it from the
appVM.
So, I did the following:
1. Temporarily provided Internet access to sys-usb.
2. Opened Chrome and installed the OnlyKey extension.
3. Disabled the sys-usb VM's Internet access.
Now, after inserting the OnlyKey and entering its PIN, I can open the OnlyKey Chrome app
(which does not need Internet access to function), resulting in the OnlyKey getting its
time set. Because of the previous edit of "qubes.InputKeyboard", the OnlyKey
functions as a keyboard and all is well.
I'm happy to hear comments or cautions regarding this.
John
Thanks for this, John. I have been interested in OnlyKey but wasn't sure
about using it on Qubes. Your volunteering to be a test hamster is
appreciated. I too would be interested in hearing from the sec gurus
about their thoughts on your workaround.
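Added example, not part of the thread and not Qubes or OnlyKey code: a small audit of the qubes.InputKeyboard policy text discussed above, reporting whether keystrokes from the USB qube reach dom0 with "allow", "ask" or "deny". It assumes the Qubes 4.0 policy line format "source target action[,param=value]" with top-to-bottom, first-match evaluation, and handles only literal qube names, $anyvm as a source, and dom0/$adminvm as targets; all function names and sample policies are hypothetical.

```python
# Added example: report how a Qubes 4.0 qrexec policy file treats keyboard
# input sent from the USB qube to dom0. Token handling is a simplified subset.

ADMIN_TARGETS = {"dom0", "$adminvm"}

def parse_policy(text):
    """Return [(lineno, source, target, action, params)] for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank line or comment
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action'")
        source, target, spec = fields
        action, *opts = [p.strip() for p in spec.split(",")]
        params = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append((lineno, source, target, action.lower(), params))
    return rules

def first_match(rules, usb_qube):
    """Policy is read top to bottom; the first matching rule decides."""
    for rule in rules:
        _, source, target, _, _ = rule
        if source in (usb_qube, "$anyvm") and target in ADMIN_TARGETS:
            return rule
    return None

def audit(text, usb_qube="sys-usb"):
    """Return (verdict, lineno); verdict is allow, ask, deny or no-rule."""
    rule = first_match(parse_policy(text), usb_qube)
    if rule is None:
        return ("no-rule", None)
    lineno, _, _, action, _ = rule
    return (action, lineno)

# Constructed sample policy contents, not copied from a real system.
AS_IN_THREAD = "sys-usb dom0 allow,user=root\n$anyvm $anyvm deny\n"
WITH_PROMPT = "# prompt first\nsys-usb dom0 ask,user=root\n$anyvm $anyvm deny\n"
SHADOWED = "sys-usb dom0 deny\nsys-usb dom0 allow,user=root\n"

if __name__ == "__main__":
    for name, text in [("thread", AS_IN_THREAD), ("ask", WITH_PROMPT),
                       ("shadowed", SHADOWED)]:
        print(name, audit(text))
```

An "allow" verdict means every device that sys-usb presents as a keyboard can type into dom0 without a prompt, which is the trade-off the thread asks about.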