On 8/30/19 2:40 AM, unman wrote: > On Thu, Aug 29, 2019 at 08:58:33PM -1000, rec wins wrote: >> On 8/29/19 1:49 AM, unman wrote: >>> On Wed, Aug 28, 2019 at 09:01:46PM -1000, rec wins wrote: >>>> On 5/27/19 6:09 AM, Stumpy wrote: >>>>> I am trying to use an onlykey U2F but have run into some issues like it >>>>> showing up in dom0 and sys-usb but seems like i cant use it. >>>>> >>>>> in sys-usb: >>>>> [user@sys-usb ~]$ lsusb | grep Only >>>>> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor >>>>> Authentication and Password Solution >>>>> >>>>> and in Dom0: >>>>> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42 >>>>> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc >>>>> Device attach failed: >>>>> [ralph@dom0 ~]$ >>>>> >>>>> I decided to go with the chrome app but even though sys-usb seems to see >>>>> the onlykey I cant seem to attach it to the chrome appvm i made? >>>>> >>>> >>>> >>>> so in dom0 you did >>>> $qvm-usb >>>> >>>> get the BDM number and do >>>> >>>> $qvm-usb attach chromevm sys-usb:X-X >>>> >>>> U2F keys will work in chromium for google logins with no >>>> complicated passthrough setup necessary >>>> >>>> OTP won't , if the key does more than U2F you may need to get a >>>> configuration application for the key and make sure it's U2F only >>>> slot 1 , 2 etc >>>> >>> >>> Have you looked at the qubes-u2f-proxy package? >>> https://www.qubes-os.org/doc/u2f-proxy >>> >>> After installation in dom0 and the relevant template, you enable the >>> service in the qube you want to use it in, and the device should then >>> be available for use in that qube. >>> You *dont* attach the USB device to the qube. >>> >>> Try that, and see how you get on. >>> >>> unman >>> >> >> >> attaching does work(only in chromium fwiw) even with the FF about:config >> changes, though, apparently this isn't 'secure' so >> >> looking at the u2f proxy at this point >> >> >> Repeat qvm-service --enable (or do this in VM settings -> Services in >> the Qube Manager) for all qubes that should have the proxy enabled. As >> usual with software updates, shut down the templates after installation, >> then restart sys-usb and all qubes that use the proxy. After that, you >> may use your U2F token (but see Browser support below). >> >> >> after installing the proxy in the templates and shutting them down, and >> restarting the appVMs based on them..... there is No qvm-service to >> do qvm-service --enable >> >> and/or what or where is this supposed to be 'repeated' ? >> >> "Repeat qvm-service --enable for all qubes that should have the proxy >> enabled." >> >> sure sounds like by "qubes" what is meant is the AppVMs or TBAVM or >> whatever they are called now :) >> > "qube" is a "user friendly term for a VM" > (https://www.qubes-os.org/doc/glossary";) > > qvm-service is a dom0 command line tool - you can also enable the > service in the GUI interface as noted in the instructions. > You enable the service for *each* qube where you want to use the proxy - > that's the "repeat" part. > Check the policy file in /etc/qubes-rpc/policy/ >
OK seems to be operational now in FF , not sure what I was supposed to see in /policy/ @dom0 ~]$ !529 cat /etc/qubes-rpc/policy/u2f.Register $anyvm sys-usb allow,user=root u2f.Authenticate says the same Stumpy did you do this : https://docs.crp.to/qubes.html need to keep the support organize or just gets too complicated IMO or are you Sebastian please bottompost unman, awokd, brendan are the ones to talk to -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8cd4a8bc-4643-b539-8650-53d4eb43d6e6%40riseup.net.
