On 12/26/18 4:49 AM, [email protected] wrote:
> On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
>> U2F Proxy is not so cool. So far no joy getting it to work. Someone on reddit
>> had similar issues and questions and resolved by installing USB keyboard
>> support. That’s not mentioned in the Qubes docs and I hope we don’t have to
>> resort to that.
> 
> I haven't yet tried the U2F proxy, it is on my todo list.
> 
> I'm also not quite so happy about the complexity of getting a security 
> focused device (yubikey) working with a security focused OS (QubesOS). 
> 
> I believe I understand the nature of the yubikey problem, though: Qubes is 
> engineered to protect you from untrusted peripherals...and this somewhat 
> conflicts with the design of yubikeys on multiple fronts: we want to use 
> yubikeys across multiple VMs (using devices across VMs increases risk); 
> yubikeys are composite USB devices, which means they often have multiple 
> endpoints for different functions (HID keyboard plus, CCID 
> smartcard/javacard, U2F) which makes securely proxying them more complex; and 
> for those who have serious safety risks, a fake yubikey could destroy one's 
> opsec in multiple ways...even a real one could if you are not careful with 
> your usage.
> 
> In my case, I have decided to somewhat compromise QubesOS security a bit and 
> disable the USB/HID keyboard protections in Qubes dom0 for now so that I 
> could log into LastPass with my yubikey OTP in a couple of my VMs without too 
> much fiddling. I have kept notes on the changes and how to reverse them.
> 
> So, as I said above, I haven't addressed the U2F compatibility on my current 
> R4 build (but neither do I have a multimedia VM set up with Chrome yet :) ). 
> So, I use my backup method of yubico authenticator on another device and type 
> in six-digit TOTP codes instead of using the U2F functionality.
> 
> Anyway, I suggest keeping a running log of modifications/configurations (both 
> TODO and done) somewhere easily accessible across devices (I use a google 
> doc) to speed future configurations/rebuilds. I don't keep anything that 
> needs to be secure there, just notes, simple scripts, etc.
> 
>> If that were a requirement, surely the docs would have
>> mentioned it.
> 
> Haha. Er, I mean, that *should* be the case... :)
> 
> Brendan
> 

I'd like to see your "notes" on the yubikey and lastpass, as I long ago
gave up on using my Yubikey in OTP mode, despite many trials ....

I have the U2F proxy working, it seems, but just use it for 2FA for gmail
and such; for lastpass I'm stuck using the Authenticator on a mobile phone
..... because I can't use the OTP.

My qubes system has a USB -> PS/2 converter. I might run qubes on
another computer but it has no PS/2 port and I fear botching the
sys-usb and getting locked out of the install again ..... so I don't try.
