On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
> U2F Proxy is not so cool. So far no joy getting it to work. Someone on reddit
> had similar issues and questions and resolved by installing USB keyboard
> support. That’s not mentioned in the Qubes docs and I hope we don’t have to
> resort to that.

I haven't yet tried the U2F proxy, it is on my todo list.

I'm also not quite so happy about the complexity of getting a security focused 
device (yubikey) working with a security focused OS (QubesOS). 

I believe I understand the nature of the yubikey problem, though: Qubes is 
engineered to protect you from untrusted peripherals...and this somewhat 
conflicts with the design of yubikeys on multiple fronts: we want to use 
yubikeys across multiple VMs (using devices across VMs increases risk); 
yubikeys are composite USB devices, which means they often have multiple 
endpoints for different functions (HID keyboard plus CCID smartcard/javacard, 
U2F) which makes securely proxying them more complex; and for those who have 
serious safety risks, a fake yubikey could destroy one's opsec in multiple 
ways...even a real one could if you are not careful with your usage.

In my case, I have decided to somewhat compromise QubesOS security a bit and 
disable the USB/HID keyboard protections in Qubes dom0 for now so that I could 
log into LastPass with my yubikey OTP in a couple of my VMs without too much 
fiddling. I have kept notes on the changes and how to reverse them.

So, as I said above, I haven't addressed the U2F compatibility on my current R4 
build (but neither do I have a multimedia VM set up with Chrome yet :) ). So, 
I use my backup method of yubico authenticator on another device and type in 
six-digit TOTP codes instead of using the U2F functionality.

Anyway, I suggest keeping a running log of modifications/configurations (both 
TODO and done) somewhere easily accessible across devices (I use a google doc) 
to speed future configurations/rebuilds. I don't keep anything that needs to be 
secure there, just notes, simple scripts, etc.

> If that were a requirement, surely the docs would have
> mentioned it.

Haha. Er, I mean, that *should* be the case... :)

Brendan
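As an added illustration of the composite-device point above (this is not Brendan's code or anything from the Qubes project): a small parser that reads the interface descriptors of a YubiKey from a constructed `lsusb -v`-style dump and labels what each interface would expose to a VM it is attached to. The class numbers are the standard USB ones (HID = 0x03, CCID smart card = 0x0B) and the FIDO HID usage page 0xF1D0 is what sets a U2F interface apart from a keyboard; the sample dump and the device strings in it are constructed for this example.

```python
import re

HID_CLASS, CCID_CLASS = 0x03, 0x0B
HID_BOOT_KEYBOARD = 1   # bInterfaceSubClass 1 + bInterfaceProtocol 1 = boot keyboard

# Constructed sample of the lines that matter; a real dump carries far more.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
  Interface Descriptor:
    bInterfaceNumber        0
    bInterfaceClass         3 Human Interface Device
    bInterfaceSubClass      1 Boot Interface Subclass
    bInterfaceProtocol      1 Keyboard
  Interface Descriptor:
    bInterfaceNumber        1
    bInterfaceClass         3 Human Interface Device
    bInterfaceSubClass      0
    bInterfaceProtocol      0
      Usage Page (FIDO Alliance) 0xf1d0
  Interface Descriptor:
    bInterfaceNumber        2
    bInterfaceClass        11 Chip/SmartCard
    bInterfaceSubClass      0
    bInterfaceProtocol      0
"""


def classify_interfaces(dump: str) -> list:
    """Return one record per interface: its number, class byte and a label."""
    records = []
    # Split the dump into one chunk per "Interface Descriptor:" block.
    for block in re.split(r"\n(?=  Interface Descriptor:)", dump)[1:]:
        fields = {k: int(v) for k, v in re.findall(r"^\s*(b\w+)\s+(\d+)", block, re.M)}
        cls = fields["bInterfaceClass"]
        sub, proto = fields["bInterfaceSubClass"], fields["bInterfaceProtocol"]
        if cls == HID_CLASS and sub == 1 and proto == HID_BOOT_KEYBOARD:
            label = "hid-keyboard"    # can type into whichever VM owns it (OTP mode)
        elif cls == HID_CLASS and "0xf1d0" in block.lower():
            label = "fido-u2f"        # U2F/FIDO HID transport
        elif cls == CCID_CLASS:
            label = "ccid-smartcard"  # PIV / OpenPGP via the smartcard reader
        else:
            label = "other"
        records.append({"number": fields["bInterfaceNumber"], "class": cls, "label": label})
    return records


def has_keyboard_interface(dump: str) -> bool:
    """True when the device can act as a keyboard, the case the dom0 HID policy restricts."""
    return any(r["label"] == "hid-keyboard" for r in classify_interfaces(dump))
```

Running `classify_interfaces` over a real `lsusb -v -d 1050:` dump before attaching the key shows why a single "attach the YubiKey" decision covers three quite different capabilities at once.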

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/66e8ca46-c561-47df-be2b-cb68d9701088%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.