On Monday, August 13, 2018 at 5:47:06 PM UTC-4, [email protected] wrote: > Are you sure they are using Yubikey's "Static Password" slot? That is the > only component that enumerates as a USB keyboard. The normal yubikey setup > enumerates as a Smartcard, which is how the challenge/response works. With > this, there is no keyboard to attach as an input device and no keystrokes to > manage. You attach the USB to the AppVM, and that's it.
Yubikeys are USB "composite" devices that can have one or more interfaces enabled. [Note that while a USB *compound* device is a USB device with a built in USB hub that has multiple USB devices attached, a USB *composite* device does not incorporate a USB hub but instead presents as a single device with multiple interface endpoints.] A stock contemporary Yubikey NEO or Yubikey 4 may be shipped with the following interfaces enabled all on the same single USB device: HID (with superset of keyboard functionality to support a variety of OTP functions), CCID (smartcard running multiple javacard applets), and U2F. Yubikeys are also configurable such that each interface can been disabled as necessary (for corporate roll out, compatibility with older software* that doesn't handle multiple interfaces well, prevention of inadvertent OTP generation, etc.). One cannot assume that a Yubikey that presents a CCID interface will also provide a HID interface Therefore "Normal Yubikey setup" is a moving target. :) Brendan * if you guessed OpenPGP, you get a star...though my experience with multiple smartcards in use with Microsoft AD products tells me OpenPGP isn't the only badly behaved smartcard client out there... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/56682592-e1e1-4bb2-a6a8-b392cb86ebbd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
