On Wednesday, October 24, 2018 at 9:19:52 PM UTC-4, Stumpy wrote: > On 10/15/18 9:37 AM, John Maher wrote: > > On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote: > >> g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM: > >>> John Maher: > >>>> I have an OnlyKey and have been unable to figure out how to make use of > >>>> it in Qubes OS 4.0. > >>>> > >>>> Relevant info: > >>>> > >>>> * OnlyKey requires either its app being opened on the computer or one's > >>>> ability to go to https://apps.crp.to (simply via a browser) in order to > >>>> set its time. > >>>> * I used info from this page > >>>> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the > >>>> OnlyKey to operate as a USB keyboard. Doing this resulted in the OnlyKey > >>>> being attached to sys-usb and outputting text (password info) in dom0 > >>>> and any other qube. > >>>> * Although the OnlyKey can output like a USB keyboard in any qube, it > >>>> cannot get its time set without being specifically attached to an appVM > >>>> that either has the OnlyKey app or can access https://apps.crp.to, so > >>>> TOTP will not function. > >>>> * Using the yellow drop down icon to attach the OnlyKey to a qube that > >>>> has the app results in (1) the time on the OnlyKey being set, and (2) > >>>> the OnlyKey no longer working as a USB keyboard anywhere. > >>>> * Detaching from the qube does not restore the OnlyKey's ability to > >>>> function as a USB keyboard. > >>>> > >>>> Short of installing the OnlyKey app in sys-usb, is there anything else I > >>>> can try? (And I don't even know if that would work.) > >>>> > >>>> Even if I decided it was ok to install the app in sys-usb, sys-usb is > >>>> based on Fedora, and OnlyKey only has a deb package. Installing on > >>>> Fedora has proven to be very problematic. > >>>> > >>>> Thanks for any help you can provide. > >>>> > >>>> John > >>>> > >>> > >>> Hi John, > >>> > >>> I don't have an OnlyKey and unfortunately probably can't really help you > >>> to debug the issues with it not being able to act again as an HID device > >>> after attaching it directly to a VM. > >>> > >>> However, you can absolutely use a Debian-based VM as your sys-usb qube; > >>> just install the Debian 9 template and set your sys-usb qube to use it > >>> as its template. Also make sure the qubes-usb-proxy package is installed. > >>> > >>> As for the HID issues, I do have one suggestion: have you tried not only > >>> detaching the device from the AppVM, but also physically removing the > >>> USB device and re-inserting it? > >> > >> No OnlyKey either, but I think it is possible to have two USB > >> "keyboards" in Qubes if you edit the file described here: > >> https://www.qubes-os.org/doc/usb/#r32-manual. > > > > Thanks for your responses. I figured out a solution. > > > > I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated > > some basic security principles relative to how Qubes is intended to be > > used, but I accept the compromise, which I think (hope) is minimal. > > > > Because an OnlyKey needs a time source in order for its TOTP feature to > > function, either the OnlyKey app (standalone or Chrome extension) or > > navigating to https://apps.crp.to, after the OnlyKey is inserted into a USB > > port, need to be available. In Qubes, I discovered that inserting the > > OnlyKey (and unlocking it with the PIN) and attaching it to the appVM where > > I want to use it resulted in the OnlyKey not functioning as a keyboard, > > which is needed to do its job. In dom0, adding this line to the top of > > /etc/qubes-rpc/policy/qubes.InputKeyboard (see > > https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the > > OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey > > to a VM): > > > > sys-usb dom0 allow,user=root > > > > However, to use TOTP it still needed access to the app or to > > https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, > > the OnlyKey stopped functioning as a keyboard, even when I detached it from > > the appVM. > > > > So, I did the following: > > > > 1. Temporarily provided Internet access to sys-usb. > > 2. Opened Chrome and installed the OnlyKey extension. > > 3. Disabled the sys-usb VM's Internet access. > > > > Now, after inserting the OnlyKey and entering its PIN, I can open the > > OnlyKey Chrome app (which does not need Internet access to function), > > resulting in the OnlyKey getting its time set. Because of the previous edit > > of "qubes.InputKeyboard", the OnlyKey functions as a keyboard and all is > > well. > > > > I'm happy to hear comments or cautions regarding this. > > > > John > > > > thanks for this John. I have been interested in OnlyKey but wasnt sure > about using it on Qubes. Your volunteering to be a test hamster is > appreciated. I too would be interested in hearing from the sec gurus > about their thoughts on your work around.
You're welcome! I've also since learned that one can use a python script (https://docs.crp.to/command-line.html) from OnlyKey, so I didn't actually have to give sys-usb Internet access or use Chrome. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/33dc18aa-c0cf-4c5e-a270-9b7a1bb4f50a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
