On Monday, November 5, 2018 at 11:16:59 AM UTC-5, pkra...@gmail.com wrote: > On Monday, October 15, 2018 at 9:37:48 AM UTC-4, John Maher wrote: > > On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote: > > > g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM: > > > > John Maher: > > > >> I have an OnlyKey and have been unable to figure out how to make use > > > >> of it in Qubes OS 4.0. > > > >> > > > >> Relevant info: > > > >> > > > >> * OnlyKey requires either its app being opened on the computer or > > > >> one's ability to go to https://apps.crp.to (simply via a browser) in > > > >> order to set its time. > > > >> * I used info from this page > > > >> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the > > > >> OnlyKey to operate as a USB keyboard. Doing this resulted in the > > > >> OnlyKey being attached to sys-usb and outputting text (password info) > > > >> in dom0 and any other qube. > > > >> * Although the OnlyKey can output like a USB keyboard in any qube, it > > > >> cannot get its time set without being specifically attached to an > > > >> appVM that either has the OnlyKey app or can access > > > >> https://apps.crp.to, so TOTP will not function. > > > >> * Using the yellow drop down icon to attach the OnlyKey to a qube that > > > >> has the app results in (1) the time on the OnlyKey being set, and (2) > > > >> the OnlyKey no longer working as a USB keyboard anywhere. > > > >> * Detaching from the qube does not restore the OnlyKey's ability to > > > >> function as a USB keyboard. > > > >> > > > >> Short of installing the OnlyKey app in sys-usb, is there anything else > > > >> I can try? (And I don't even know if that would work.) > > > >> > > > >> Even if I decided it was ok to install the app in sys-usb, sys-usb is > > > >> based on Fedora, and OnlyKey only has a deb package. Installing on > > > >> Fedora has proven to be very problematic. > > > >> > > > >> Thanks for any help you can provide. > > > >> > > > >> John > > > >> > > > > > > > > Hi John, > > > > > > > > I don't have an OnlyKey and unfortunately probably can't really help you > > > > to debug the issues with it not being able to act again as an HID device > > > > after attaching it directly to a VM. > > > > > > > > However, you can absolutely use a Debian-based VM as your sys-usb qube; > > > > just install the Debian 9 template and set your sys-usb qube to use it > > > > as its template. Also make sure the qubes-usb-proxy package is > > > > installed. > > > > > > > > As for the HID issues, I do have one suggestion: have you tried not only > > > > detaching the device from the AppVM, but also physically removing the > > > > USB device and re-inserting it? > > > > > > No OnlyKey either, but I think it is possible to have two USB > > > "keyboards" in Qubes if you edit the file described here: > > > https://www.qubes-os.org/doc/usb/#r32-manual. > > > > Thanks for your responses. I figured out a solution. > > > > I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated > > some basic security principles relative to how Qubes is intended to be > > used, but I accept the compromise, which I think (hope) is minimal. > > > > Because an OnlyKey needs a time source in order for its TOTP feature to > > function, either the OnlyKey app (standalone or Chrome extension) or > > navigating to https://apps.crp.to, after the OnlyKey is inserted into a USB > > port, need to be available. In Qubes, I discovered that inserting the > > OnlyKey (and unlocking it with the PIN) and attaching it to the appVM where > > I want to use it resulted in the OnlyKey not functioning as a keyboard, > > which is needed to do its job. In dom0, adding this line to the top of > > /etc/qubes-rpc/policy/qubes.InputKeyboard (see > > https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the > > OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey > > to a VM): > > > > sys-usb dom0 allow,user=root > > > > However, to use TOTP it still needed access to the app or to > > https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, > > the OnlyKey stopped functioning as a keyboard, even when I detached it from > > the appVM. > > > > So, I did the following: > > > > 1. Temporarily provided Internet access to sys-usb. > > 2. Opened Chrome and installed the OnlyKey extension. > > 3. Disabled the sys-usb VM's Internet access. > > > > Now, after inserting the OnlyKey and entering its PIN, I can open the > > OnlyKey Chrome app (which does not need Internet access to function), > > resulting in the OnlyKey getting its time set. Because of the previous edit > > of "qubes.InputKeyboard", the OnlyKey functions as a keyboard and all is > > well. > > > > I'm happy to hear comments or cautions regarding this. > > > > John > > John, > > As I understood your setup for OnlyKey consists of two parts: first - make it > work as a keyboard, second - make TOTP work. I think I stuck on the first > one. I modified the file from Qubes docs and I able to attach a regular USB > keyboard - it works in any qubes. But when I insert the OnlyKey stick I see > it is discovered as a Teensyduino_Keyboard_RawHID_xxx but the LED indicator > on the stick doesn't work and it looks like it doesn't accept the PIN (or > even do anything). Does you LED work well for you? Any thoughts?
So the way mine works is actually consistent with using it on non-Qubes systems. I insert the onlykey, and it blinks a little, and then no lights display. I can then enter my PIN and the green light will go on. At that point the onlykey will output info from any of the buttons, but TOTP won't work. Then I open the onlykey app and then TOTP will work as well. John -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b4e0f878-950b-4345-a97a-6e212d50a3f1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.