On Wednesday, January 2, 2019 at 11:54:57 AM UTC-8, John S.Recdep wrote:
> On 12/26/18 4:49 AM,
> brendan.hoar-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
> > On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
> >> U2F Proxy is not so cool. So far no joy getting it to work. Someone on 
> >> reddit
> >> had similar issues and questions and resolved by installing USB keyboard
> >> support. That’s not mentioned in the Qubes docs and I hope we don’t have to
> >> resort to that.
> > 
> > I haven't yet tried the U2F proxy, it is on my todo list.
> > 
> > I'm also not quite so happy about the complexity of getting a security 
> > focused device (yubikey) working with a security focused OS (QubesOS). 
> > 
> > I believe I understand the nature of the yubikey problem, though: Qubes is 
> > engineered to protect you from untrusted peripherals...and this somewhat 
> > conflicts with the design of yubikeys on multiple fronts: we want to use 
> > yubikeys across multiple VMs (using devices across VMs increases risk); 
> > yubikeys are composite USB devices, which means they often have multiple 
> > endpoints for different functions (HID keyboard, CCID 
> > smartcard/javacard, U2F) which makes securely proxying them more complex; 
> > and for those who have serious safety risks, a fake yubikey could destroy 
> > one's opsec in multiple ways...even a real one could if you are not careful 
> > with your usage.
> > 
> > In my case, I have decided to somewhat compromise QubesOS security a bit 
> > and disable the USB/HID keyboard protections in Qubes dom0 for now so that 
> > I could log into LastPass with my yubikey OTP in a couple of my VMs without 
> > too much fiddling. I have kept notes on the changes and how to reverse them.
> > 
> > So, as I said above, I haven't addressed the U2F compatibility on my 
> > current R4 build (but neither do I have a multimedia VM set up with Chrome 
> > yet :) ). So, I use my backup method of yubico authenticator on another 
> > device and type in six-digit TOTP codes instead of using the U2F 
> > functionality.
> > 
> > Anyway, I suggest keeping a running log of modifications/configurations 
> > (both TODO and done) somewhere easily accessible across devices (I use a 
> > google doc) to speed future configurations/rebuilds. I don't keep anything 
> > that needs to be secure there, just notes, simple scripts, etc.
> > 
> >> If that were a requirement, surely the docs would have
> >> mentioned it.
> > 
> > Haha. Er, I mean, that *should* be the case... :)
> > 
> > Brendan
> > 
> 
> I'd like to see your "notes" on the yubikey and lastpass, as I long ago
> gave up on using my Yubikey in OTP mode, despite many trials ....
> 
> I have the U2F proxy working, it seems, but just use it for 2FA for gmail
> and such; for lastpass I'm stuck using the Authenticator on a mobile phone
> ..... because I can't use the OTP
> 
> my qubes system has a USB -> PS/2  converter, I might run qubes on
> another computer but it has no PS/2  port and I fear botching the
> sys-usb and getting locked out of the install again ..... so I don't try

If I need to use the YubiKey for OTP, I attach it directly to the qube that 
needs it and then disconnect it once I no longer need it.  For LastPass, I have 
a Qube just for that which uses a browser that I have marked as trusted, so I 
only need the YubiKey every 30 days.  Not the best solution, but that's where 
all of my personal keys are.  For anon stuff, I have different accounts and use 
KeepassX on a clone of Vault which is much more secure.  I also use different 
sets of YubiKeys for anon than I do for personal.  Those sites that allow for 
U2F I configure to use the proxy.  Those that don't I use the vault.
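The attach-for-as-long-as-needed workflow described in the reply above, written out as a dom0 helper. This is an added example, not a script from anyone in this thread or from the Qubes project. It assumes a Qubes 4.x dom0 with a USB qube named sys-usb holding the key and the `qvm-usb` tool (`list`, `attach`, `detach`) on PATH; the device ids, qube names and the sample listing are constructed for the example. Note that `qvm-usb attach` passes the whole composite device through, so the qube that receives the key also sees its HID keyboard interface, which is exactly the exposure the earlier messages discuss.

```shell
#!/bin/sh
# Added example (not from the qubes-users thread): attach the YubiKey that
# sys-usb holds to one qube only while a command runs, then detach it.
# Assumes Qubes 4.x dom0 and qvm-usb on PATH; ids/names below are constructed.
set -u

# A constructed `qvm-usb list` style listing (BACKEND:DEVID, description,
# qube currently using the device) used for offline checks.
SAMPLE_LISTING='sys-usb:2-1   Yubico_YubiKey_OTP+FIDO+CCID
sys-usb:2-3   Logitech_USB_Receiver          personal'

# Print the backend:devid of the first Yubico device in listing $1.
# The listing is passed in rather than read from qvm-usb so the selection
# logic can be exercised without a Qubes system.
yubikey_id() {
    printf '%s\n' "$1" | awk 'tolower($2) ~ /yubi/ { print $1; exit }'
}

# Succeed if device $2 in listing $1 is already attached to some qube
# (third column non-empty); used to avoid silently stealing it.
yubikey_in_use() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == dev { found = 1; used = ($3 != "") }
        END { if (found && used) exit 0; exit 1 }'
}

# Attach the key to qube $1, run the remaining arguments as a command in
# dom0 (for example a "press Enter when done" prompt), then detach.
with_yubikey() {
    vm="$1"; shift
    listing=$(qvm-usb list) || return 1
    dev=$(yubikey_id "$listing")
    if [ -z "$dev" ]; then
        echo "no YubiKey visible in sys-usb" >&2
        return 1
    fi
    if yubikey_in_use "$listing" "$dev"; then
        echo "$dev is already attached to another qube; detach it first" >&2
        return 1
    fi
    qvm-usb attach "$vm" "$dev" || return 1
    # Detach on Ctrl-C or an aborted shell as well as on normal completion,
    # so the key is never left exposed to the qube longer than intended.
    trap 'qvm-usb detach "$vm" "$dev"' EXIT INT TERM
    "$@"; rc=$?
    qvm-usb detach "$vm" "$dev"
    trap - EXIT INT TERM
    return $rc
}

# Usage from dom0, e.g.:
#   ./with-yubikey.sh personal sh -c 'printf "press Enter when done: "; read _'
[ $# -eq 0 ] || with_yubikey "$@"
```

Run it with the qube name followed by whatever should happen while the key is attached; when that command exits, the key goes back to sys-usb. Keeping a separate key set for anonymous identities, as the reply suggests, then reduces to calling this with a different qube and physically plugging in a different token.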
