Dec 28, 2019, 19:31 by claud...@disroot.org:
> December 28, 2019 6:02 PM, mas...@tuta.io wrote: > >> my USB controller is attached to nothing, but needed for Yubikey login. >> >>> I lost my tty2-credentials (the username), so I'm locked out of the system. >>> BIOS changes don't help. >>> Is there any way to "free" USB during boot? Or get rid of the tty login >>> credentials? >>> >>> not sure what "tty login credentials" means. >>> but you can always boot some random live-linux (like "fedora >>> workstation"), open the qubes luks device and mount the dom0 >>> root and check/change whatever needs fixing there. >>> >>> if you are just missing your dom0 username (huh?), getting it >>> through liveboot is probably easiest. >>> you can also change the boot config to remove all mentions >>> of hide-all-usb. (check a guide on how to configure a qubes >>> for usb-keyboard usage, basicly same thing) >>> >>> I think he means he uses his yubikey as an emulated keyboard to type his >>> disk password, and >>> probably enabled a USB Qube and now the yubikey can't type in early >>> userspace. >>> >>> So yeah, you'll have to boot into the installer and enter rescue mode, or >>> boot into some other live >>> linux distro, and disable the USB Qube. Follow these instructions for >>> removing your USB Qube: >>> https://www.qubes-os.org/doc/usb-qubes/#removing-a-usb-qube >>> >>> Note, if you're using Grub, all you have to do is press 'e' when you're at >>> the boot loader, and >>> remove rd.qubes.hide_all_usb from the kernel command line. Then you should >>> be able to login, and >>> remove that same option from /etc/default/grub >>> >>>> Thanks! Well, I can boot into nothing because my USB connection is gone. >>>> >>>> I know my dom0 username but it doesnt work, and therefore the Yubikey >>>> authentication at login >>>> neither. >>>> >>>> So I thought there could be a trick reattaching the USB controller to >>>> sys-usb during early boot. >>>> >>>> If I had access to tty2 there would be no big problem. I would delete the >>>> Yubikey pam.d entry for >>>> login. >>>> Best, mastor >>>> >>> >>> (when replying please use reply-all to make sure a copy goes to the list >>> and not just to me) >>> >> >> Sorry, this is a mess on a/my mobile phone. >> >>> Ah, I see. So you're able to type in your disk passphrase and get to the >>> user login screen? Either >>> lightdm or a TTY, I'm assuming? And I'm assuming you're able to switch to >>> TTY2, but you can't login >>> to it? >>> >> >> Yes, lightdm. >> >>> The username shouldn't have anything to do with the yubikey or USB at all. >>> What do you mean the >>> dom0 username doesn't work? I thought the problem was that you can't sign >>> in because the yubikey >>> isn't working in Qubes anymore due to enabling a USB Qube. >>> >> >> Both. No tty login, no Yubikey, because the controller is not attached to >> the USB qube. >> >>> Also, did you disable password authentication after you set up the yubikey? >>> >> >> I use this, and it usually worked fine for years: >> >> https://old.mig5.net/content/yubikey-2fa-qubes-redux-adding-backup-key.html >> >>> And what do you mean your USB connection is gone? Unless there's something >>> physically wrong with >>> it, you should be able to boot from a USB drive regardless of whether a USB >>> Qube is enabled or not. >>> Have you tried booting into the installer from USB (the same way as when >>> you first installed >>> Qubes)? >>> >> >> Hm, no, no USB boot option in Bios, no way to boot from USB. I tried >> everything, I think. >> >> Thanks for your patience! >> > > Thanks for the link. That explains a lot. > > I don't know anything about this setup, so I don't know if there's a failsafe > for this type of situation, such as when sys-usb won't start or it > malfunctions. > > Something you could try: when qubes is first starting, *before* you get to > the disk password prompt, press f12 to switch into text mode. You should see > console output and a text-based disk password prompt. From there, see if you > can do anything: switch TTYs, press Ctrl-C, type the password wrong three > times, or whatever you can think of. You might be able to get an early rescue > shell. > > Also here are some other threads about Yubikey on Qubes. See if any of them > look like the same problem you're having. > https://www.mail-archive.com/search?q=+Yubikey&l=qubes-users%40googlegroups.com > > Also, how did you install Qubes in the first place if you can't boot from > USB? If you booted from a CD, then do that again. If you did the installation > on a different machine and then physically installed the disk, do the > reverse. Basically, do whatever you did to install Qubes, but instead of > installing, use the rescue option. > Success! Thank you SO much for the most important hint, Claudia: Losing the USB controller in Qubes has nothing to do with booting the laptop from USB. Of course. After creating the third Live USB Stick (Tails) I could boot from it, mount and decrypt dom0 root files, comment pam.d Yubikey entries for login (tty2 was protected by the Yubikey as well ...) and lightdm and log into Qubes. Now I have to solve "unable to reset PCI device, 00:14.0: no FLR, PM reset or bus reset available ...", but there's a thread on Github. \ö/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/LxHUTRl--3-2%40tuta.io.
