On Wednesday, December 26, 2018 at 6:49:47 AM UTC-8, Brendan Hoar wrote:
> On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
> > U2F Proxy is not so cool. So far no joy getting it to work. Someone on reddit had similar issues and questions and resolved by installing USB keyboard support. That's not mentioned in the Qubes docs and I hope we don't have to resort to that.
>
> I haven't yet tried the U2F proxy, it is on my todo list.
>
> I'm also not quite so happy about the complexity of getting a security focused device (yubikey) working with a security focused OS (QubesOS).
>
> I believe I understand the nature of the yubikey problem, though: Qubes is engineered to protect you from untrusted peripherals...and this somewhat conflicts with the design of yubikeys on multiple fronts: we want to use yubikeys across multiple VMs (using devices across VMs increases risk); yubikeys are composite USB devices, which means they often have multiple endpoints for different functions (HID keyboard plus CCID smartcard/javacard, U2F) which makes securely proxying them more complex; and for those who have serious safety risks, a fake yubikey could destroy one's opsec in multiple ways...even a real one could if you are not careful with your usage.
>
> In my case, I have decided to somewhat compromise QubesOS security a bit and disable the USB/HID keyboard protections in Qubes dom0 for now so that I could log into LastPass with my yubikey OTP in a couple of my VMs without too much fiddling. I have kept notes on the changes and how to reverse them.
>
> So, as I said above, I haven't addressed the U2F compatibility on my current R4 build (but neither do I have a multimedia VM set up with Chrome yet :) ). So, I use my backup method of yubico authenticator on another device and type in six-digit TOTP codes instead of using the U2F functionality.
>
> Anyway, I suggest keeping a running log of modifications/configurations (both TODO and done) somewhere easily accessible across devices (I use a google doc) to speed future configurations/rebuilds. I don't keep anything that needs to be secure there, just notes, simple scripts, etc.
>
> > If that were a requirement, surely the docs would have mentioned it.
>
> Haha. Er, I mean, that *should* be the case... :)
>
> Brendan
Complex? Yes. Separating the USB stack from the browsers and being able to lock down which browsers can access which keys (ex: banking Qube, shopping Qube, Gmail Qube, etc.). Brilliant and worth the complexity. Just need to get it working now... Docs are leaving something out. I will either update the doc or file an issue once I figure it out.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/38eed1e8-1a55-4fda-af52-659bf9ed17fa%40googlegroups.com.
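An added example, not code from this thread or from the Qubes project, to make Brendan's point about composite devices concrete before deciding what to attach to which qube. Linux exposes a class/subclass/protocol triple for every interface of a USB device under /sys/bus/usb/devices/<dev>/<dev>:<cfg>.<n>/; the script reads those files, labels each interface (boot-protocol keyboard, other HID, CCID smart card), and answers the question that matters for a Qubes user: does attaching the whole device to a VM also hand that VM a keyboard? The device tree it inspects is constructed in a temporary directory with illustrative values (a keyboard HID, a FIDO HID and a CCID interface, the layout a YubiKey-style key typically has), not a dump of real hardware; the `demo()` wrapper is a hypothetical convenience that ties the pieces together.

```python
"""Enumerate the interfaces of a composite USB device from a sysfs-style tree.

Added example (not from the qubes-users thread or the Qubes project). Each
USB interface advertises a class/subclass/protocol triple that sysfs exposes
as bInterfaceClass / bInterfaceSubClass / bInterfaceProtocol; this script
reads them and labels what each interface does. The sample device tree is
constructed in a temp dir; class codes follow the USB-IF class code list.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# USB-IF base class codes, as sysfs prints them (two lowercase hex digits).
HID_CLASS = "03"
SMARTCARD_CLASS = "0b"       # Chip/SmartCard interface class (CCID readers)
# HID boot-interface subclass 1 with protocol 1 is a keyboard.
HID_BOOT_SUBCLASS = "01"
HID_KEYBOARD_PROTOCOL = "01"


def _read(path: Path) -> str:
    return path.read_text().strip()


def describe_interface(iface_dir: Path) -> dict:
    """Return the triple plus a human label for one interface directory."""
    cls = _read(iface_dir / "bInterfaceClass")
    sub = _read(iface_dir / "bInterfaceSubClass")
    proto = _read(iface_dir / "bInterfaceProtocol")
    if cls == HID_CLASS and sub == HID_BOOT_SUBCLASS and proto == HID_KEYBOARD_PROTOCOL:
        label, can_type = "HID keyboard", True        # can inject keystrokes (OTP mode)
    elif cls == HID_CLASS:
        # FIDO/U2F is plain HID (subclass 0, protocol 0). The sysfs triple cannot
        # tell it from any other generic HID device; that needs the report
        # descriptor's usage page (0xF1D0 for FIDO), so label it conservatively.
        label, can_type = "generic HID (FIDO/U2F or other)", False
    elif cls == SMARTCARD_CLASS:
        label, can_type = "CCID smart card", False
    else:
        label, can_type = f"class 0x{cls}", False
    return {"interface": iface_dir.name.rsplit(".", 1)[1], "class": cls,
            "subclass": sub, "protocol": proto, "label": label,
            "can_type": can_type}


def enumerate_interfaces(device_dir: Path) -> list[dict]:
    """List every interface directory (<dev>:<cfg>.<n>) under a device dir."""
    ifaces = sorted(p for p in device_dir.iterdir()
                    if p.is_dir() and p.name.startswith(device_dir.name + ":"))
    return [describe_interface(p) for p in ifaces]


def attach_whole_device_exposes_keyboard(device_dir: Path) -> bool:
    """True if passing the whole device to a VM also hands it a keyboard."""
    return any(i["can_type"] for i in enumerate_interfaces(device_dir))


def build_sample_device(root: Path) -> Path:
    """Constructed sysfs tree for a YubiKey-like composite device.

    Three interfaces: keyboard HID (OTP), FIDO HID (U2F), CCID (smart card).
    Values are illustrative, not dumped from real hardware.
    """
    dev = root / "1-1"
    triples = {"0": ("03", "01", "01"),   # OTP keyboard
               "1": ("03", "00", "00"),   # FIDO/U2F HID
               "2": ("0b", "00", "00")}   # CCID
    for n, (cls, sub, proto) in triples.items():
        d = dev / f"1-1:1.{n}"
        d.mkdir(parents=True)
        (d / "bInterfaceClass").write_text(cls + "\n")
        (d / "bInterfaceSubClass").write_text(sub + "\n")
        (d / "bInterfaceProtocol").write_text(proto + "\n")
    return dev


def demo() -> tuple[list[dict], bool]:
    """Hypothetical wrapper: build the constructed device and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = build_sample_device(Path(tmp))
        return enumerate_interfaces(dev), attach_whole_device_exposes_keyboard(dev)


if __name__ == "__main__":
    interfaces, exposes_keyboard = demo()
    for i in interfaces:
        print(f"iface {i['interface']}: {i['label']} "
              f"({i['class']}/{i['subclass']}/{i['protocol']})")
    print("whole-device attach exposes a keyboard:", exposes_keyboard)
```

Run against a real key, point `enumerate_interfaces()` at the device directory under /sys/bus/usb/devices instead of the constructed one. The keyboard interface is the one the dom0 HID protections Brendan mentions are guarding against, and the U2F proxy exists precisely so that the FIDO interface can be reached from a qube without attaching the other two; the FIDO/generic-HID ambiguity in the triple is why a per-interface decision needs the report descriptor rather than sysfs alone.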