On Thu, Aug 29, 2019 at 08:58:33PM -1000, rec wins wrote:
> On 8/29/19 1:49 AM, unman wrote:
> > On Wed, Aug 28, 2019 at 09:01:46PM -1000, rec wins wrote:
> >> On 5/27/19 6:09 AM, Stumpy wrote:
> >>> I am trying to use an onlykey U2F but have run into some issues like it
> >>> showing up in dom0 and sys-usb but seems like I can't use it.
> >>>
> >>> in sys-usb:
> >>> [user@sys-usb ~]$ lsusb | grep Only
> >>> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
> >>> Authentication and Password Solution
> >>>
> >>> and in Dom0:
> >>> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
> >>> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
> >>> Device attach failed:
> >>> [ralph@dom0 ~]$
> >>>
> >>> I decided to go with the chrome app but even though sys-usb seems to see
> >>> the onlykey I can't seem to attach it to the chrome appvm I made?
> >>>
> >>    
> >>
> >> so in dom0 you did
> >> $qvm-usb
> >>
> >> get the BDM number and do
> >>
> >> $qvm-usb attach chromevm sys-usb:X-X
> >>
> >> U2F keys will work in chromium for google logins with no
> >> complicated passthrough setup necessary
> >>
> >> OTP won't, if the key does more than U2F you may need to get a
> >> configuration application for the key and make sure it's U2F only
> >> slot 1, 2 etc
> >>
> > 
> > Have you looked at the qubes-u2f-proxy package?
> > https://www.qubes-os.org/doc/u2f-proxy
> > 
> > After installation in dom0 and the relevant template, you enable the
> > service in the qube you want to use it in, and the device should then
> > be available for use in that qube.
> > You *don't* attach the USB device to the qube.
> > 
> > Try that, and see how you get on.
> > 
> > unman
> > 
> 
> 
> attaching does work (only in chromium fwiw) even with the FF about:config
> changes, though, apparently this isn't 'secure' so
> 
> looking at the u2f proxy at this point
> 
> 
> Repeat qvm-service --enable (or do this in VM settings -> Services in
> the Qube Manager) for all qubes that should have the proxy enabled. As
> usual with software updates, shut down the templates after installation,
> then restart sys-usb and all qubes that use the proxy. After that, you
> may use your U2F token (but see Browser support below).
> 
> 
> after installing the proxy in the templates and shutting them down, and
> restarting the appVMs based on them..... there is No qvm-service to
> do qvm-service --enable
> 
> and/or what or where is this supposed to be 'repeated'?
> 
> "Repeat qvm-service --enable for all qubes that should have the proxy
> enabled."
> 
> sure sounds like by "qubes" what is meant is the AppVMs or TBAVM or
> whatever they are called now :)
> 
"qube" is a "user friendly term for a VM"
(https://www.qubes-os.org/doc/glossary)

qvm-service is a dom0 command line tool - you can also enable the
service in the GUI interface as noted in the instructions.
You enable the service for *each* qube where you want to use the proxy -
that's the "repeat" part.
Check the policy file in /etc/qubes-rpc/policy/
