On Wednesday, December 26, 2018 at 7:25:09 PM UTC-5, John Smiley wrote:
> On Wednesday, December 26, 2018 at 6:49:47 AM UTC-8, Brendan Hoar wrote:
> > On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
> > > U2F Proxy is not so cool. So far no joy getting it to work. Someone on
> > > reddit had similar issues and questions and resolved by installing USB
> > > keyboard support. That's not mentioned in the Qubes docs and I hope we
> > > don't have to resort to that.
> > 
> > I haven't yet tried the U2F proxy, it is on my todo list.
> > 
> > I'm also not quite so happy about the complexity of getting a security 
> > focused device (yubikey) working with a security focused OS (QubesOS). 
> > 
> > I believe I understand the nature of the yubikey problem, though: Qubes is 
> > engineered to protect you from untrusted peripherals...and this somewhat 
> > conflicts with the design of yubikeys on multiple fronts: we want to use 
> > yubikeys across multiple VMs (using devices across VMs increases risk); 
> > yubikeys are composite USB devices, which means they often have multiple 
> > endpoints for different functions (HID keyboard plus, CCID 
> > smartcard/javacard, U2F) which makes securely proxying them more complex; 
> > and for those who have serious safety risks, a fake yubikey could destroy 
> > one's opsec in multiple ways...even a real one could if you are not careful 
> > with your usage.
> > 
> > In my case, I have decided to somewhat compromise QubesOS security a bit 
> > and disable the USB/HID keyboard protections in Qubes dom0 for now so that 
> > I could log into LastPass with my yubikey OTP in a couple of my VMs without 
> > too much fiddling. I have kept notes on the changes and how to reverse them.
> > 
> > So, as I said above, I haven't addressed the U2F compatibility on my 
> > current R4 build (but neither do I have a multimedia VM set up with Chrome 
> > yet :) ). So, I use my backup method of yubico authenticator on another 
> > device and type in six-digit TOTP codes instead of using the U2F 
> > functionality.
> > 
> > Anyway, I suggest keeping a running log of modifications/configurations 
> > (both TODO and done) somewhere easily accessible across devices (I use a 
> > google doc) to speed future configurations/rebuilds. I don't keep anything 
> > that needs to be secure there, just notes, simple scripts, etc.
> > 
> > > If that were a requirement, surely the docs would have
> > > mentioned it.
> > 
> > Haha. Er, I mean, that *should* be the case... :)
> > 
> > Brendan
> 
> Complex?  Yes.  Separating the USB stack from the browsers and being able to 
> lock down which browsers can access which keys (ex: banking Qube, shopping 
> Qube, Gmail Qube, etc.)  Brilliant and worth the complexity.  Just need to 
> get it working now...  Docs are leaving something out.  I will either update 
> the doc or file an issue once I figure it out.

Just for some extra info, I started experimenting with yubikey on my laptop as 
well as my desktop. Works fine on the laptop with Chromium, but is odd with 
Firefox. I have to disconnect the key after sending registration creds, and it 
will successfully register. Same for authentication with Firefox. I saw a post 
relating issues with FFX that you should register with Chrome, then just 
authenticate using FFX.

My laptop was set up with a separate USB qube during install. So I followed the 
qubes docs for the u2f Proxy and didn't run into any issues, other than the FFX 
stuff. (Also, I've got the little tweaks for FFX done.) For my desktop (which 
I'm just starting to test out), it wasn't, so I added a second USB card to use 
for everything else non-critical. Should have some info on how that goes later. 
The desktop has a USB keyboard. (Side rant: I wish more mechanical kbds worked 
well with PS/2.)
