Le vendredi 30 août 2019 21:02:44 UTC+2, rec wins a écrit : > > On 8/30/19 2:40 AM, unman wrote: > > On Thu, Aug 29, 2019 at 08:58:33PM -1000, rec wins wrote: > >> On 8/29/19 1:49 AM, unman wrote: > >>> On Wed, Aug 28, 2019 at 09:01:46PM -1000, rec wins wrote: > >>>> On 5/27/19 6:09 AM, Stumpy wrote: > >>>>> I am trying to use an onlykey U2F but have run into some issues like > it > >>>>> showing up in dom0 and sys-usb but seems like i cant use it. > >>>>> > >>>>> in sys-usb: > >>>>> [user@sys-usb ~]$ lsusb | grep Only > >>>>> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor > >>>>> Authentication and Password Solution > >>>>> > >>>>> and in Dom0: > >>>>> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb > sys-usb:42 > >>>>> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc > >>>>> Device attach failed: > >>>>> [ralph@dom0 ~]$ > >>>>> > >>>>> I decided to go with the chrome app but even though sys-usb seems to > see > >>>>> the onlykey I cant seem to attach it to the chrome appvm i made? > >>>>> > >>>> > >>>> > >>>> so in dom0 you did > >>>> $qvm-usb > >>>> > >>>> get the BDM number and do > >>>> > >>>> $qvm-usb attach chromevm sys-usb:X-X > >>>> > >>>> U2F keys will work in chromium for google logins with no > >>>> complicated passthrough setup necessary > >>>> > >>>> OTP won't , if the key does more than U2F you may need to get a > >>>> configuration application for the key and make sure it's U2F only > >>>> slot 1 , 2 etc > >>>> > >>> > >>> Have you looked at the qubes-u2f-proxy package? > >>> https://www.qubes-os.org/doc/u2f-proxy > >>> > >>> After installation in dom0 and the relevant template, you enable the > >>> service in the qube you want to use it in, and the device should then > >>> be available for use in that qube. > >>> You *dont* attach the USB device to the qube. > >>> > >>> Try that, and see how you get on. > >>> > >>> unman > >>> > >> > >> > >> attaching does work(only in chromium fwiw) even with the FF > about:config > >> changes, though, apparently this isn't 'secure' so > >> > >> looking at the u2f proxy at this point > >> > >> > >> Repeat qvm-service --enable (or do this in VM settings -> Services in > >> the Qube Manager) for all qubes that should have the proxy enabled. As > >> usual with software updates, shut down the templates after > installation, > >> then restart sys-usb and all qubes that use the proxy. After that, you > >> may use your U2F token (but see Browser support below). > >> > >> > >> after installing the proxy in the templates and shutting them down, and > >> restarting the appVMs based on them..... there is No qvm-service to > >> do qvm-service --enable > >> > >> and/or what or where is this supposed to be 'repeated' ? > >> > >> "Repeat qvm-service --enable for all qubes that should have the proxy > >> enabled." > >> > >> sure sounds like by "qubes" what is meant is the AppVMs or TBAVM > or > >> whatever they are called now :) > >> > > "qube" is a "user friendly term for a VM" > > (https://www.qubes-os.org/doc/glossary") > > > > qvm-service is a dom0 command line tool - you can also enable the > > service in the GUI interface as noted in the instructions. > > You enable the service for *each* qube where you want to use the proxy - > > that's the "repeat" part. > > Check the policy file in /etc/qubes-rpc/policy/ > > > > > OK seems to be operational now in FF , not sure what I was supposed to > see in /policy/ > > @dom0 ~]$ !529 > cat /etc/qubes-rpc/policy/u2f.Register > $anyvm sys-usb allow,user=root > > > u2f.Authenticate says the same > > > > Stumpy did you do this : > > https://docs.crp.to/qubes.html > > > need to keep the support organize or just gets too complicated IMO > or are you Sebastian please bottompost unman, awokd, brendan > are the ones to talk to >
Could you post a step by step explanation ? Is your OnlyKey working simultaneously with U2F proxy AND as a keyboard in dom0 ? THX Sébastien -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4169554b-84e4-488e-ae8c-30501b1f1da0%40googlegroups.com.