Re: [qubes-users] Using an OnlyKey

[g80vmgmsqw]

John Maher:
> I have an OnlyKey and have been unable to figure out how to make use of it in 
> Qubes OS 4.0.
> 
> Relevant info:
> 
> * OnlyKey requires either its app being opened on the computer or one's 
> ability to go to https://apps.crp.to (simply via a browser) in order to set 
> its time.
> * I used info from this page 
> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the 
> OnlyKey to operate as a USB keyboard. Doing this resulted in the OnlyKey 
> being attached to sys-usb and outputting text (password info) in dom0 and any 
> other qube. 
> * Although the OnlyKey can output like a USB keyboard in any qube, it cannot 
> get its time set without being specifically attached to an appVM that either 
> has the OnlyKey app or can access https://apps.crp.to, so TOTP will not 
> function.
> * Using the yellow drop down icon to attach the OnlyKey to a qube that has 
> the app results in (1) the time on the OnlyKey being set, and (2) the OnlyKey 
> no longer working as a USB keyboard anywhere.
> * Detaching from the qube does not restore the OnlyKey's ability to function 
> as a USB keyboard.
> 
> Short of installing the OnlyKey app in sys-usb, is there anything else I can 
> try? (And I don't even know if that would work.)
> 
> Even if I decided it was ok to install the app in sys-usb, sys-usb is based 
> on Fedora, and OnlyKey only has a deb package. Installing on Fedora has 
> proven to be very problematic.
> 
> Thanks for any help you can provide.
> 
> John
> 

Hi John,

I don't have an OnlyKey and unfortunately probably can't really help you
to debug the issues with it not being able to act again as an HID device
after attaching it directly to a VM.

However, you can absolutely use a Debian-based VM as your sys-usb qube;
just install the Debian 9 template and set your sys-usb qube to use it
as its template.  Also make sure the qubes-usb-proxy package is installed.

As for the HID issues, I do have one suggestion: have you tried not only
detaching the device from the AppVM, but also physically removing the
USB device and re-inserting it?

Best,
Andrew


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/323247f7-f155-f700-1e62-ca21cb6359ca%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using an OnlyKey

['awokd' via qubes-users]

g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:

John Maher:

I have an OnlyKey and have been unable to figure out how to make use of it in 
Qubes OS 4.0.

Relevant info:

* OnlyKey requires either its app being opened on the computer or one's ability 
to go to https://apps.crp.to (simply via a browser) in order to set its time.
* I used info from this page 
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the OnlyKey 
to operate as a USB keyboard. Doing this resulted in the OnlyKey being attached 
to sys-usb and outputting text (password info) in dom0 and any other qube.
* Although the OnlyKey can output like a USB keyboard in any qube, it cannot 
get its time set without being specifically attached to an appVM that either 
has the OnlyKey app or can access https://apps.crp.to, so TOTP will not 
function.
* Using the yellow drop down icon to attach the OnlyKey to a qube that has the 
app results in (1) the time on the OnlyKey being set, and (2) the OnlyKey no 
longer working as a USB keyboard anywhere.
* Detaching from the qube does not restore the OnlyKey's ability to function as 
a USB keyboard.

Short of installing the OnlyKey app in sys-usb, is there anything else I can 
try? (And I don't even know if that would work.)

Even if I decided it was ok to install the app in sys-usb, sys-usb is based on 
Fedora, and OnlyKey only has a deb package. Installing on Fedora has proven to 
be very problematic.

Thanks for any help you can provide.

John



Hi John,

I don't have an OnlyKey and unfortunately probably can't really help you
to debug the issues with it not being able to act again as an HID device
after attaching it directly to a VM.

However, you can absolutely use a Debian-based VM as your sys-usb qube;
just install the Debian 9 template and set your sys-usb qube to use it
as its template.  Also make sure the qubes-usb-proxy package is installed.

As for the HID issues, I do have one suggestion: have you tried not only
detaching the device from the AppVM, but also physically removing the
USB device and re-inserting it?


No OnlyKey either, but I think it is possible to have two USB 
"keyboards" in Qubes if you edit the file described here: 
https://www.qubes-os.org/doc/usb/#r32-manual.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/edb906a4-19ef-2fc1-d78b-1bd28dde647b%40danwin1210.me.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using an OnlyKey

[John Maher]

On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote:
> g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:
> > John Maher:
> >> I have an OnlyKey and have been unable to figure out how to make use of it 
> >> in Qubes OS 4.0.
> >>
> >> Relevant info:
> >>
> >> * OnlyKey requires either its app being opened on the computer or one's 
> >> ability to go to https://apps.crp.to (simply via a browser) in order to 
> >> set its time.
> >> * I used info from this page 
> >> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the 
> >> OnlyKey to operate as a USB keyboard. Doing this resulted in the OnlyKey 
> >> being attached to sys-usb and outputting text (password info) in dom0 and 
> >> any other qube.
> >> * Although the OnlyKey can output like a USB keyboard in any qube, it 
> >> cannot get its time set without being specifically attached to an appVM 
> >> that either has the OnlyKey app or can access https://apps.crp.to, so TOTP 
> >> will not function.
> >> * Using the yellow drop down icon to attach the OnlyKey to a qube that has 
> >> the app results in (1) the time on the OnlyKey being set, and (2) the 
> >> OnlyKey no longer working as a USB keyboard anywhere.
> >> * Detaching from the qube does not restore the OnlyKey's ability to 
> >> function as a USB keyboard.
> >>
> >> Short of installing the OnlyKey app in sys-usb, is there anything else I 
> >> can try? (And I don't even know if that would work.)
> >>
> >> Even if I decided it was ok to install the app in sys-usb, sys-usb is 
> >> based on Fedora, and OnlyKey only has a deb package. Installing on Fedora 
> >> has proven to be very problematic.
> >>
> >> Thanks for any help you can provide.
> >>
> >> John
> >>
> > 
> > Hi John,
> > 
> > I don't have an OnlyKey and unfortunately probably can't really help you
> > to debug the issues with it not being able to act again as an HID device
> > after attaching it directly to a VM.
> > 
> > However, you can absolutely use a Debian-based VM as your sys-usb qube;
> > just install the Debian 9 template and set your sys-usb qube to use it
> > as its template.  Also make sure the qubes-usb-proxy package is installed.
> > 
> > As for the HID issues, I do have one suggestion: have you tried not only
> > detaching the device from the AppVM, but also physically removing the
> > USB device and re-inserting it?
> 
> No OnlyKey either, but I think it is possible to have two USB 
> "keyboards" in Qubes if you edit the file described here: 
> https://www.qubes-os.org/doc/usb/#r32-manual.

Thanks for your responses. I figured out a solution.

I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated some 
basic security principles relative to how Qubes is intended to be used, but I 
accept the compromise, which I think (hope) is minimal.

Because an OnlyKey needs a time source in order for its TOTP feature to 
function, either the OnlyKey app (standalone or Chrome extension) or navigating 
to https://apps.crp.to, after the OnlyKey is inserted into a USB port, need to 
be available. In Qubes, I discovered that inserting the OnlyKey (and unlocking 
it with the PIN) and attaching it to the appVM where I want to use it resulted 
in the OnlyKey not functioning as a keyboard, which is needed to do its job. In 
dom0, adding this line to the top of /etc/qubes-rpc/policy/qubes.InputKeyboard 
(see https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the 
OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey to a 
VM):

  sys-usb dom0 allow,user=root

However, to use TOTP it still needed access to the app or to 
https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, the 
OnlyKey stopped functioning as a keyboard, even when I detached it from the 
appVM.

So, I did the following:

1. Temporarily provided Internet access to sys-usb.
2. Opened Chrome and installed the OnlyKey extension.
3. Disabled the sys-usb VM's Internet access.

Now, after inserting the OnlyKey and entering its PIN, I can open the OnlyKey 
Chrome app (which does not need Internet access to function), resulting in the 
OnlyKey getting its time set. Because of the previous edit of 
"qubes.InputKeyboard", the OnlyKey functions as a keyboard and all is well.

I'm happy to hear comments or cautions regarding this.

John

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2e34c68f-8488-4188-a2f2-a6e5e68ad118%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using an OnlyKey

[Stumpy]

On 10/15/18 9:37 AM, John Maher wrote:

On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote:

g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:

John Maher:

I have an OnlyKey and have been unable to figure out how to make use of it in 
Qubes OS 4.0.

Relevant info:

* OnlyKey requires either its app being opened on the computer or one's ability 
to go to https://apps.crp.to (simply via a browser) in order to set its time.
* I used info from this page 
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the OnlyKey 
to operate as a USB keyboard. Doing this resulted in the OnlyKey being attached 
to sys-usb and outputting text (password info) in dom0 and any other qube.
* Although the OnlyKey can output like a USB keyboard in any qube, it cannot 
get its time set without being specifically attached to an appVM that either 
has the OnlyKey app or can access https://apps.crp.to, so TOTP will not 
function.
* Using the yellow drop down icon to attach the OnlyKey to a qube that has the 
app results in (1) the time on the OnlyKey being set, and (2) the OnlyKey no 
longer working as a USB keyboard anywhere.
* Detaching from the qube does not restore the OnlyKey's ability to function as 
a USB keyboard.

Short of installing the OnlyKey app in sys-usb, is there anything else I can 
try? (And I don't even know if that would work.)

Even if I decided it was ok to install the app in sys-usb, sys-usb is based on 
Fedora, and OnlyKey only has a deb package. Installing on Fedora has proven to 
be very problematic.

Thanks for any help you can provide.

John



Hi John,

I don't have an OnlyKey and unfortunately probably can't really help you
to debug the issues with it not being able to act again as an HID device
after attaching it directly to a VM.

However, you can absolutely use a Debian-based VM as your sys-usb qube;
just install the Debian 9 template and set your sys-usb qube to use it
as its template.  Also make sure the qubes-usb-proxy package is installed.

As for the HID issues, I do have one suggestion: have you tried not only
detaching the device from the AppVM, but also physically removing the
USB device and re-inserting it?


No OnlyKey either, but I think it is possible to have two USB
"keyboards" in Qubes if you edit the file described here:
https://www.qubes-os.org/doc/usb/#r32-manual.


Thanks for your responses. I figured out a solution.

I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated some 
basic security principles relative to how Qubes is intended to be used, but I 
accept the compromise, which I think (hope) is minimal.

Because an OnlyKey needs a time source in order for its TOTP feature to 
function, either the OnlyKey app (standalone or Chrome extension) or navigating 
to https://apps.crp.to, after the OnlyKey is inserted into a USB port, need to 
be available. In Qubes, I discovered that inserting the OnlyKey (and unlocking 
it with the PIN) and attaching it to the appVM where I want to use it resulted 
in the OnlyKey not functioning as a keyboard, which is needed to do its job. In 
dom0, adding this line to the top of /etc/qubes-rpc/policy/qubes.InputKeyboard 
(see https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the 
OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey to a 
VM):

   sys-usb dom0 allow,user=root

However, to use TOTP it still needed access to the app or to 
https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, the 
OnlyKey stopped functioning as a keyboard, even when I detached it from the 
appVM.

So, I did the following:

1. Temporarily provided Internet access to sys-usb.
2. Opened Chrome and installed the OnlyKey extension.
3. Disabled the sys-usb VM's Internet access.

Now, after inserting the OnlyKey and entering its PIN, I can open the OnlyKey Chrome app 
(which does not need Internet access to function), resulting in the OnlyKey getting its 
time set. Because of the previous edit of "qubes.InputKeyboard", the OnlyKey 
functions as a keyboard and all is well.

I'm happy to hear comments or cautions regarding this.

John



thanks for this John. I have been interested in OnlyKey but wasnt sure 
about using it on Qubes. Your volunteering to be a test hamster is 
appreciated. I too would be interested in hearing from the sec gurus 
about their thoughts on your work around.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d617bcc9-3e3e-2829-261c-193f4f42aabf%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using an OnlyKey

[John Maher]

On Wednesday, October 24, 2018 at 9:19:52 PM UTC-4, Stumpy wrote:
> On 10/15/18 9:37 AM, John Maher wrote:
> > On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote:
> >> g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:
> >>> John Maher:
>  I have an OnlyKey and have been unable to figure out how to make use of 
>  it in Qubes OS 4.0.
> 
>  Relevant info:
> 
>  * OnlyKey requires either its app being opened on the computer or one's 
>  ability to go to https://apps.crp.to (simply via a browser) in order to 
>  set its time.
>  * I used info from this page 
>  https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the 
>  OnlyKey to operate as a USB keyboard. Doing this resulted in the OnlyKey 
>  being attached to sys-usb and outputting text (password info) in dom0 
>  and any other qube.
>  * Although the OnlyKey can output like a USB keyboard in any qube, it 
>  cannot get its time set without being specifically attached to an appVM 
>  that either has the OnlyKey app or can access https://apps.crp.to, so 
>  TOTP will not function.
>  * Using the yellow drop down icon to attach the OnlyKey to a qube that 
>  has the app results in (1) the time on the OnlyKey being set, and (2) 
>  the OnlyKey no longer working as a USB keyboard anywhere.
>  * Detaching from the qube does not restore the OnlyKey's ability to 
>  function as a USB keyboard.
> 
>  Short of installing the OnlyKey app in sys-usb, is there anything else I 
>  can try? (And I don't even know if that would work.)
> 
>  Even if I decided it was ok to install the app in sys-usb, sys-usb is 
>  based on Fedora, and OnlyKey only has a deb package. Installing on 
>  Fedora has proven to be very problematic.
> 
>  Thanks for any help you can provide.
> 
>  John
> 
> >>>
> >>> Hi John,
> >>>
> >>> I don't have an OnlyKey and unfortunately probably can't really help you
> >>> to debug the issues with it not being able to act again as an HID device
> >>> after attaching it directly to a VM.
> >>>
> >>> However, you can absolutely use a Debian-based VM as your sys-usb qube;
> >>> just install the Debian 9 template and set your sys-usb qube to use it
> >>> as its template.  Also make sure the qubes-usb-proxy package is installed.
> >>>
> >>> As for the HID issues, I do have one suggestion: have you tried not only
> >>> detaching the device from the AppVM, but also physically removing the
> >>> USB device and re-inserting it?
> >>
> >> No OnlyKey either, but I think it is possible to have two USB
> >> "keyboards" in Qubes if you edit the file described here:
> >> https://www.qubes-os.org/doc/usb/#r32-manual.
> > 
> > Thanks for your responses. I figured out a solution.
> > 
> > I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated 
> > some basic security principles relative to how Qubes is intended to be 
> > used, but I accept the compromise, which I think (hope) is minimal.
> > 
> > Because an OnlyKey needs a time source in order for its TOTP feature to 
> > function, either the OnlyKey app (standalone or Chrome extension) or 
> > navigating to https://apps.crp.to, after the OnlyKey is inserted into a USB 
> > port, need to be available. In Qubes, I discovered that inserting the 
> > OnlyKey (and unlocking it with the PIN) and attaching it to the appVM where 
> > I want to use it resulted in the OnlyKey not functioning as a keyboard, 
> > which is needed to do its job. In dom0, adding this line to the top of 
> > /etc/qubes-rpc/policy/qubes.InputKeyboard (see 
> > https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the 
> > OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey 
> > to a VM):
> > 
> >sys-usb dom0 allow,user=root
> > 
> > However, to use TOTP it still needed access to the app or to 
> > https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, 
> > the OnlyKey stopped functioning as a keyboard, even when I detached it from 
> > the appVM.
> > 
> > So, I did the following:
> > 
> > 1. Temporarily provided Internet access to sys-usb.
> > 2. Opened Chrome and installed the OnlyKey extension.
> > 3. Disabled the sys-usb VM's Internet access.
> > 
> > Now, after inserting the OnlyKey and entering its PIN, I can open the 
> > OnlyKey Chrome app (which does not need Internet access to function), 
> > resulting in the OnlyKey getting its time set. Because of the previous edit 
> > of "qubes.InputKeyboard", the OnlyKey functions as a keyboard and all is 
> > well.
> > 
> > I'm happy to hear comments or cautions regarding this.
> > 
> > John
> > 
> 
> thanks for this John. I have been interested in OnlyKey but wasnt sure 
> about using it on Qubes. Your volunteering to be a test hamster is 
> appreciated. I too would be interested in hearing from the sec gurus 
> about their thoughts on your work around.

You're welcome

Re: [qubes-users] Using an OnlyKey

[pkraskov]

On Monday, October 15, 2018 at 9:37:48 AM UTC-4, John Maher wrote:
> On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote:
> > g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:
> > > John Maher:
> > >> I have an OnlyKey and have been unable to figure out how to make use of 
> > >> it in Qubes OS 4.0.
> > >>
> > >> Relevant info:
> > >>
> > >> * OnlyKey requires either its app being opened on the computer or one's 
> > >> ability to go to https://apps.crp.to (simply via a browser) in order to 
> > >> set its time.
> > >> * I used info from this page 
> > >> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the 
> > >> OnlyKey to operate as a USB keyboard. Doing this resulted in the OnlyKey 
> > >> being attached to sys-usb and outputting text (password info) in dom0 
> > >> and any other qube.
> > >> * Although the OnlyKey can output like a USB keyboard in any qube, it 
> > >> cannot get its time set without being specifically attached to an appVM 
> > >> that either has the OnlyKey app or can access https://apps.crp.to, so 
> > >> TOTP will not function.
> > >> * Using the yellow drop down icon to attach the OnlyKey to a qube that 
> > >> has the app results in (1) the time on the OnlyKey being set, and (2) 
> > >> the OnlyKey no longer working as a USB keyboard anywhere.
> > >> * Detaching from the qube does not restore the OnlyKey's ability to 
> > >> function as a USB keyboard.
> > >>
> > >> Short of installing the OnlyKey app in sys-usb, is there anything else I 
> > >> can try? (And I don't even know if that would work.)
> > >>
> > >> Even if I decided it was ok to install the app in sys-usb, sys-usb is 
> > >> based on Fedora, and OnlyKey only has a deb package. Installing on 
> > >> Fedora has proven to be very problematic.
> > >>
> > >> Thanks for any help you can provide.
> > >>
> > >> John
> > >>
> > > 
> > > Hi John,
> > > 
> > > I don't have an OnlyKey and unfortunately probably can't really help you
> > > to debug the issues with it not being able to act again as an HID device
> > > after attaching it directly to a VM.
> > > 
> > > However, you can absolutely use a Debian-based VM as your sys-usb qube;
> > > just install the Debian 9 template and set your sys-usb qube to use it
> > > as its template.  Also make sure the qubes-usb-proxy package is installed.
> > > 
> > > As for the HID issues, I do have one suggestion: have you tried not only
> > > detaching the device from the AppVM, but also physically removing the
> > > USB device and re-inserting it?
> > 
> > No OnlyKey either, but I think it is possible to have two USB 
> > "keyboards" in Qubes if you edit the file described here: 
> > https://www.qubes-os.org/doc/usb/#r32-manual.
> 
> Thanks for your responses. I figured out a solution.
> 
> I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated 
> some basic security principles relative to how Qubes is intended to be used, 
> but I accept the compromise, which I think (hope) is minimal.
> 
> Because an OnlyKey needs a time source in order for its TOTP feature to 
> function, either the OnlyKey app (standalone or Chrome extension) or 
> navigating to https://apps.crp.to, after the OnlyKey is inserted into a USB 
> port, need to be available. In Qubes, I discovered that inserting the OnlyKey 
> (and unlocking it with the PIN) and attaching it to the appVM where I want to 
> use it resulted in the OnlyKey not functioning as a keyboard, which is needed 
> to do its job. In dom0, adding this line to the top of 
> /etc/qubes-rpc/policy/qubes.InputKeyboard (see 
> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the 
> OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey to 
> a VM):
> 
>   sys-usb dom0 allow,user=root
> 
> However, to use TOTP it still needed access to the app or to 
> https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, the 
> OnlyKey stopped functioning as a keyboard, even when I detached it from the 
> appVM.
> 
> So, I did the following:
> 
> 1. Temporarily provided Internet access to sys-usb.
> 2. Opened Chrome and installed the OnlyKey extension.
> 3. Disabled the sys-usb VM's Internet access.
> 
> Now, after inserting the OnlyKey and entering its PIN, I can open the OnlyKey 
> Chrome app (which does not need Internet access to function), resulting in 
> the OnlyKey getting its time set. Because of the previous edit of 
> "qubes.InputKeyboard", the OnlyKey functions as a keyboard and all is well.
> 
> I'm happy to hear comments or cautions regarding this.
> 
> John

John, 

As I understood your setup for OnlyKey consists of two parts: first - make it 
work as a keyboard, second - make TOTP work. I think I stuck on the first one. 
I modified the file from Qubes docs and I able to attach a regular USB keyboard 
- it works in any qubes. But when I insert the OnlyKey stick I see it is 
discovered as a Teensyduino_Keyboard_RawHID_xxx but the LED indicator on the 
stick do

Re: [qubes-users] Using an OnlyKey

[John Maher]

On Monday, November 5, 2018 at 11:16:59 AM UTC-5, pkra...@gmail.com wrote:
> On Monday, October 15, 2018 at 9:37:48 AM UTC-4, John Maher wrote:
> > On Friday, October 12, 2018 at 1:17:37 AM UTC-4, awokd wrote:
> > > g80vmgm...@riseup.net wrote on 10/12/18 5:07 AM:
> > > > John Maher:
> > > >> I have an OnlyKey and have been unable to figure out how to make use 
> > > >> of it in Qubes OS 4.0.
> > > >>
> > > >> Relevant info:
> > > >>
> > > >> * OnlyKey requires either its app being opened on the computer or 
> > > >> one's ability to go to https://apps.crp.to (simply via a browser) in 
> > > >> order to set its time.
> > > >> * I used info from this page 
> > > >> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the 
> > > >> OnlyKey to operate as a USB keyboard. Doing this resulted in the 
> > > >> OnlyKey being attached to sys-usb and outputting text (password info) 
> > > >> in dom0 and any other qube.
> > > >> * Although the OnlyKey can output like a USB keyboard in any qube, it 
> > > >> cannot get its time set without being specifically attached to an 
> > > >> appVM that either has the OnlyKey app or can access 
> > > >> https://apps.crp.to, so TOTP will not function.
> > > >> * Using the yellow drop down icon to attach the OnlyKey to a qube that 
> > > >> has the app results in (1) the time on the OnlyKey being set, and (2) 
> > > >> the OnlyKey no longer working as a USB keyboard anywhere.
> > > >> * Detaching from the qube does not restore the OnlyKey's ability to 
> > > >> function as a USB keyboard.
> > > >>
> > > >> Short of installing the OnlyKey app in sys-usb, is there anything else 
> > > >> I can try? (And I don't even know if that would work.)
> > > >>
> > > >> Even if I decided it was ok to install the app in sys-usb, sys-usb is 
> > > >> based on Fedora, and OnlyKey only has a deb package. Installing on 
> > > >> Fedora has proven to be very problematic.
> > > >>
> > > >> Thanks for any help you can provide.
> > > >>
> > > >> John
> > > >>
> > > > 
> > > > Hi John,
> > > > 
> > > > I don't have an OnlyKey and unfortunately probably can't really help you
> > > > to debug the issues with it not being able to act again as an HID device
> > > > after attaching it directly to a VM.
> > > > 
> > > > However, you can absolutely use a Debian-based VM as your sys-usb qube;
> > > > just install the Debian 9 template and set your sys-usb qube to use it
> > > > as its template.  Also make sure the qubes-usb-proxy package is 
> > > > installed.
> > > > 
> > > > As for the HID issues, I do have one suggestion: have you tried not only
> > > > detaching the device from the AppVM, but also physically removing the
> > > > USB device and re-inserting it?
> > > 
> > > No OnlyKey either, but I think it is possible to have two USB 
> > > "keyboards" in Qubes if you edit the file described here: 
> > > https://www.qubes-os.org/doc/usb/#r32-manual.
> > 
> > Thanks for your responses. I figured out a solution.
> > 
> > I figured out a way to use OnlyKey with Qubes OS. I suspect I've violated 
> > some basic security principles relative to how Qubes is intended to be 
> > used, but I accept the compromise, which I think (hope) is minimal.
> > 
> > Because an OnlyKey needs a time source in order for its TOTP feature to 
> > function, either the OnlyKey app (standalone or Chrome extension) or 
> > navigating to https://apps.crp.to, after the OnlyKey is inserted into a USB 
> > port, need to be available. In Qubes, I discovered that inserting the 
> > OnlyKey (and unlocking it with the PIN) and attaching it to the appVM where 
> > I want to use it resulted in the OnlyKey not functioning as a keyboard, 
> > which is needed to do its job. In dom0, adding this line to the top of 
> > /etc/qubes-rpc/policy/qubes.InputKeyboard (see 
> > https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard) allowed the 
> > OnlyKey to operate as a keyboard in all VMs (without attaching the OnlyKey 
> > to a VM):
> > 
> >   sys-usb dom0 allow,user=root
> > 
> > However, to use TOTP it still needed access to the app or to 
> > https://apps.crp.to. But, again, when I attached the OnlyKey to an appVM, 
> > the OnlyKey stopped functioning as a keyboard, even when I detached it from 
> > the appVM.
> > 
> > So, I did the following:
> > 
> > 1. Temporarily provided Internet access to sys-usb.
> > 2. Opened Chrome and installed the OnlyKey extension.
> > 3. Disabled the sys-usb VM's Internet access.
> > 
> > Now, after inserting the OnlyKey and entering its PIN, I can open the 
> > OnlyKey Chrome app (which does not need Internet access to function), 
> > resulting in the OnlyKey getting its time set. Because of the previous edit 
> > of "qubes.InputKeyboard", the OnlyKey functions as a keyboard and all is 
> > well.
> > 
> > I'm happy to hear comments or cautions regarding this.
> > 
> > John
> 
> John, 
> 
> As I understood your setup for OnlyKey consists of two parts: first - make it 
> work as a keyboard, second - m

Re: [qubes-users] Using an OnlyKey

[pkraskov]

> So the way mine works is actually consistent with using it on non-Qubes 
> systems. I insert the onlykey, and it blinks a little, and then no lights 
> display. I can then enter my PIN and the green light will go on. At that 
> point the onlykey will output info from any of the buttons, but TOTP won't 
> work. Then I open the onlykey app and then TOTP will work as well.

>I used info from this page 
>https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the OnlyKey 
>to operate as a USB keyboard.

What kernel version do you have? Did LED start working after you modified 
/etc/qubes-rpc/policy/qubes.InputKeyboard or it was working even before?

Mine OnlyKey still works with other OSes but doesn't work in Qubes for some 
reason.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b11f6bd8-f496-4828-9911-197b5f575f4e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using an OnlyKey

[John Maher]

On Friday, November 9, 2018 at 10:01:29 AM UTC-5, pkra...@gmail.com wrote:
> > So the way mine works is actually consistent with using it on non-Qubes 
> > systems. I insert the onlykey, and it blinks a little, and then no lights 
> > display. I can then enter my PIN and the green light will go on. At that 
> > point the onlykey will output info from any of the buttons, but TOTP won't 
> > work. Then I open the onlykey app and then TOTP will work as well.
> 
> >I used info from this page 
> >https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard to get the 
> >OnlyKey to operate as a USB keyboard.
> 
> What kernel version do you have? Did LED start working after you modified 
> /etc/qubes-rpc/policy/qubes.InputKeyboard or it was working even before?
> 
> Mine OnlyKey still works with other OSes but doesn't work in Qubes for some 
> reason.

I'm sorry but I don't remember exactly when the OnlyKey started working 
(immediately or after those modifications you mentioned).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a3043e5b-e06d-4fd8-832a-83f896697a50%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using an OnlyKey

[pkraskov]

> As I understood your setup for OnlyKey consists of two parts: first - make it 
> work as a keyboard, second - make TOTP work. I think I stuck on the first 
> one. I modified the file from Qubes docs and I able to attach a regular USB 
> keyboard - it works in any qubes. But when I insert the OnlyKey stick I see 
> it is discovered as a Teensyduino_Keyboard_RawHID_xxx but the LED indicator 
> on the stick doesn't work and it looks like it doesn't accept the PIN (or 
> even do anything). Does you LED work well for you? Any thoughts?

When I was seeing no LED response I thought device is not working, but it 
turned out that OnlyKey itself works but just without LED indication. Here 
(https://groups.google.com/forum/#!topic/onlykey/-93A-9_SjAM) I found that the 
reason for not working LED might be a bit higher voltage (I'm on lenovo x1c6 
btw). 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30451b29-9461-48a9-914f-e36e2287fc05%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.