On Tuesday, February 20, 2018 at 10:30:45 AM UTC+1, Tim W wrote: > On Sunday, February 18, 2018 at 3:17:39 PM UTC-5, Yuraeitha wrote: > > On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote: > > > On a lark, I purchased a Yubico FIDO U2F Security key. It's an > > > inexpensive USB token that can be used for two-factor authentication for > > > Gmail and Facebook, among others. I'd like to use it on my Qubes RC4 > > > system. > > > > > > I've read the USB documentation, but thought I'd see if somebody else > > > running Qubes has managed to get this working as advertised on their > > > system. The current path that seems most promising is to bring up > > > SYS-USB, but I have some concerns about doing this since my keyboard and > > > mouse are both usb devices. > > > > > > Can anyone reply with a "hand waving" set of steps I should follow? I > > > would greatly appreciate hearing your solution. > > > > I did not yet get around to testing it out for locking down Qubes my self > > just yet, but there should be quite a lot of people who managed to. > > Consider that there are at least a good amount of people wanting this, and > > generally you see people posting about whether to do it or not (like your > > post), over people who somehow messed it up and are locked out of their > > system. > > > > From that, I'd deduce that it is probably safe. But you may want to do > > backup first, at least of your most important AppVM's, just in case > > something should go south. You never know, whatever can go wrong, will > > eventually go wrong, as the saying goes. > > > > Also for what purposes? LUKS disk decryption? Qubes password login/logout > > when insert/retracting the Yubi-key? Third-party services in AppVM's? > > > > But having said that, I doubt it's a big issue, especially not if you > > backup first. Also from what I can read, your old password still works, in > > case the key isn't working anymore, or is lost/stolen. This isn't a measure > > against cracking, but a measure against people looking over a persons > > shoulder, or if sitting under a camera, stuff like that where the password > > can be stolen. Although of course, it can also servee as a means to > > memorize a crazy long strong password with high entropy, which makes > > cracking your drive even harder. > > > > Whatever the case, you should probably have a means to remember a long > > random password with strong entropy, in case you loose your hardware key, > > for example write it on a piece of paper and hide it inside a wall (or > > something crazy like that). You can alaos backup the hardware key's seed, > > which is recommended in case you loose the key and need a new key with same > > 2nd factoring credentials. > > > > Essentially, it likely more boils down to how you handle your key, and how > > you prevent loosing it, or exposing it to potential attackers in the > > physical world. Just search these google mails, you probably won't find > > many having issues, and instead find people asking questions before they > > start using it > > > I do not think he wants this for qubes luks login or even Qubes user login > but for 2 factor auth pin such as google auth or better yet oathtool. This > should be much easier.
oh, you make a good point. I indeed made an assumption that it was about lock-out by the "reading guides" line, and I somehow missed the line regarding Google and Facebook services. I must then have misunderstood, I apologize. I just tested the Yubi key I got laying around, it works in sys-usb, or whereever the controller is located, be it dom0 or another AppVM with a working USB controller. But it doesn't seem like either the qvm-usb (or its GUI counterpart in the menu-widget introduced in Qubes 4, works. At least it doesn't appear on my system. But it works wherever the USB controller is located, just not in the VM's that are virtually linked with qvm-USB and the GUI-widget counterpart. As such, one can probably estimate the Yubi key working, if one has a working USB controller to spare, and that USB controller can feasibly be passed directly to the AppVM. But it can be tricky to find hardware that allows passthrough, especially considering the drivers are often not made for it, as well as there aren't terribly many products with multiple controllers on them to pick between. On laptops, it's hard to know in advance how many controllers there are, as it's not a marketing information, nor something frequently found in product reviews, quite frustrating. But if determined, can probably get extra USB controllers to spare, but it might be on the expensive side if making a mistake, like buying a computer that only had one controller, or the extra controller can't be passed through. But if one has a system with extra USB controllers, and it works to pass an USB controller directly into the AppVM (test other USB applications work), then the Yubi key should naturally work too. Perhaps there are easier work-arounds, or maybe the qvm-usb/GUI-widget it works on other systems. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/030d0740-9f29-4c8c-9b5f-44472394c90e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.