[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Wednesday, May 16, 2018 at 12:15:08 AM UTC-4, qube...@gmail.com wrote: > On Wednesday, February 21, 2018 at 5:30:14 PM UTC, William Bormann wrote: > > On Tuesday, February 20, 2018 at 2:58:18 PM UTC-5, Yuraeitha wrote: > > > > > > wait hold on, just to be sure we're on the same page here. > > > Why would you bring up sys-usb? Putting a USB controller in sys-usb is > > > normally for the purpose to use qvm-usb/widget to virtually pass it to > > > multiple of other VM's, or just a place to hold it for keyboard/mouse. > > > Since the Yubi key didn't work for me by passing it away from the > > > sys-usb, but worked in the sys-usb itself. > > > > > > If you have a controller to spare, you'd want to put it directly into the > > > AppVM. It's less secure than a sys-usb, but nonetheless, if you really > > > need an USB application working, which doesn't work in the > > > widget/qvm-USB, then you need to pass the USB controller directly into > > > the very VM where you need the Yubi key. This can also cause problems if > > > you need to switch the controller from one VM to another, for example you > > > can't run both VM's at the same time if they both try to claim the > > > controller, and if the USB controller has no pci-reset functionality, > > > then you need to restart the whole computer to be able to move it to a > > > new VM. > > > > > > Just to be sure we're on the same page here? > > > > We are. I identified two approaches: direct assignment of the hub to a > > particular VM, or, bring up sys-usb so I could easily assign the U2F key to > > any VM. The latter seemed more flexible, but also more of a heavyweight > > solution. > > > > In the end, I decided to simply assign the spare hub to the VM I would be > > using for most U2F logins. If it turns out that I frequently need to use > > U2F on other VMs I'll revisit the sys-usb solution, especially since I know > > both work. > > Could you detail the steps to make it work? I am using the sys-usb in the way > it came by default in QubeOS R4.0 , and attaching it to the needed AppVM > doesn't do anything for me. > I am using a Yubikey NEO btw. > > Normal storage USBs such as pendrives and such I have no problems in > assigning a AppVM from the sys-usb. I am only having problems with the > Yubikey NEO. > > Regards Has anyone gotten this working well with Firefox? I'm using a laptop with sys-usb and the qubes-u2f packages setup and installed (followed the u2f instructions in the qubes docs). Chromium works fine, however, I'm seeing odd behavior with Firefox. When I try to use it (the yubikey) it causes partial non-responsiveness and I have to restart FFx. I have security.webauth.u2f (in about:config) enabled. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d60e5f5-3346-44ed-824e-d292f57b1581%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Wednesday, February 21, 2018 at 5:30:14 PM UTC, William Bormann wrote: > On Tuesday, February 20, 2018 at 2:58:18 PM UTC-5, Yuraeitha wrote: > > > > wait hold on, just to be sure we're on the same page here. > > Why would you bring up sys-usb? Putting a USB controller in sys-usb is > > normally for the purpose to use qvm-usb/widget to virtually pass it to > > multiple of other VM's, or just a place to hold it for keyboard/mouse. > > Since the Yubi key didn't work for me by passing it away from the sys-usb, > > but worked in the sys-usb itself. > > > > If you have a controller to spare, you'd want to put it directly into the > > AppVM. It's less secure than a sys-usb, but nonetheless, if you really need > > an USB application working, which doesn't work in the widget/qvm-USB, then > > you need to pass the USB controller directly into the very VM where you > > need the Yubi key. This can also cause problems if you need to switch the > > controller from one VM to another, for example you can't run both VM's at > > the same time if they both try to claim the controller, and if the USB > > controller has no pci-reset functionality, then you need to restart the > > whole computer to be able to move it to a new VM. > > > > Just to be sure we're on the same page here? > > We are. I identified two approaches: direct assignment of the hub to a > particular VM, or, bring up sys-usb so I could easily assign the U2F key to > any VM. The latter seemed more flexible, but also more of a heavyweight > solution. > > In the end, I decided to simply assign the spare hub to the VM I would be > using for most U2F logins. If it turns out that I frequently need to use U2F > on other VMs I'll revisit the sys-usb solution, especially since I know both > work. Could you detail the steps to make it work? I am using the sys-usb in the way it came by default in QubeOS R4.0 , and attaching it to the needed AppVM doesn't do anything for me. I am using a Yubikey NEO btw. Normal storage USBs such as pendrives and such I have no problems in assigning a AppVM from the sys-usb. I am only having problems with the Yubikey NEO. Regards -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cdcbb4c1-79be-4397-89da-de2d008ff2fb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Tuesday, February 20, 2018 at 2:58:18 PM UTC-5, Yuraeitha wrote: > wait hold on, just to be sure we're on the same page here. > Why would you bring up sys-usb? Putting a USB controller in sys-usb is > normally for the purpose to use qvm-usb/widget to virtually pass it to > multiple of other VM's, or just a place to hold it for keyboard/mouse. Since > the Yubi key didn't work for me by passing it away from the sys-usb, but > worked in the sys-usb itself. My recollection is that contemporary Yubikeys (other than the U2F-only one) present multiple interfaces/endpoints (I am probably not getting the terminology right). In addition, the multiple interfaces/endpoints can be changes by configuration tools. Is the issue that the ability to re-assign USB devices works well only with "single-interface" devices but the workaround for those is to keep such on their own USB bus/root? Brendan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ee3c23f7-228e-4376-928a-ad3160ebaa65%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Tuesday, February 20, 2018 at 8:44:36 PM UTC+1, William Bormann wrote: > > oh, you make a good point. I indeed made an assumption that it was about > > lock-out by the "reading guides" line, and I somehow missed the line > > regarding Google and Facebook services. I must then have misunderstood, I > > apologize. > > > > I just tested the Yubi key I got laying around, it works in sys-usb, or > > whereever the controller is located, be it dom0 or another AppVM with a > > working USB controller. But it doesn't seem like either the qvm-usb (or its > > GUI counterpart in the menu-widget introduced in Qubes 4, works. At least > > it doesn't appear on my system. > > > > But it works wherever the USB controller is located, just not in the VM's > > that are virtually linked with qvm-USB and the GUI-widget counterpart. > > > > As such, one can probably estimate the Yubi key working, if one has a > > working USB controller to spare, and that USB controller can feasibly be > > passed directly to the AppVM. But it can be tricky to find hardware that > > allows passthrough, especially considering the drivers are often not made > > for it, as well as there aren't terribly many products with multiple > > controllers on them to pick between. On laptops, it's hard to know in > > advance how many controllers there are, as it's not a marketing > > information, nor something frequently found in product reviews, quite > > frustrating. But if determined, can probably get extra USB controllers to > > spare, but it might be on the expensive side if making a mistake, like > > buying a computer that only had one controller, or the extra controller > > can't be passed through. > > > > But if one has a system with extra USB controllers, and it works to pass an > > USB controller directly into the AppVM (test other USB applications work), > > then the Yubi key should naturally work too. > > > > Perhaps there are easier work-arounds, or maybe the qvm-usb/GUI-widget it > > works on other systems. > > This is exactly what I was hoping. I'm not planning to use it for luks or > Qubes user login, but as a second authentication factor when I log into Gmail > or (shudder) or decide to catch up on Facebook. > > It turns out I do have a spare controller. Time to bring up sys-usb. Glad it worked out good in the end:) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0a9b701-233d-4b35-bd93-72fa778f2280%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
> oh, you make a good point. I indeed made an assumption that it was about > lock-out by the "reading guides" line, and I somehow missed the line > regarding Google and Facebook services. I must then have misunderstood, I > apologize. > > I just tested the Yubi key I got laying around, it works in sys-usb, or > whereever the controller is located, be it dom0 or another AppVM with a > working USB controller. But it doesn't seem like either the qvm-usb (or its > GUI counterpart in the menu-widget introduced in Qubes 4, works. At least it > doesn't appear on my system. > > But it works wherever the USB controller is located, just not in the VM's > that are virtually linked with qvm-USB and the GUI-widget counterpart. > > As such, one can probably estimate the Yubi key working, if one has a working > USB controller to spare, and that USB controller can feasibly be passed > directly to the AppVM. But it can be tricky to find hardware that allows > passthrough, especially considering the drivers are often not made for it, as > well as there aren't terribly many products with multiple controllers on them > to pick between. On laptops, it's hard to know in advance how many > controllers there are, as it's not a marketing information, nor something > frequently found in product reviews, quite frustrating. But if determined, > can probably get extra USB controllers to spare, but it might be on the > expensive side if making a mistake, like buying a computer that only had one > controller, or the extra controller can't be passed through. > > But if one has a system with extra USB controllers, and it works to pass an > USB controller directly into the AppVM (test other USB applications work), > then the Yubi key should naturally work too. > > Perhaps there are easier work-arounds, or maybe the qvm-usb/GUI-widget it > works on other systems. This is exactly what I was hoping. I'm not planning to use it for luks or Qubes user login, but as a second authentication factor when I log into Gmail or (shudder) or decide to catch up on Facebook. It turns out I do have a spare controller. Time to bring up sys-usb. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66ea85e2-440c-4e2b-8ad8-87cdeb9b3f64%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Tuesday, February 20, 2018 at 10:30:45 AM UTC+1, Tim W wrote: > On Sunday, February 18, 2018 at 3:17:39 PM UTC-5, Yuraeitha wrote: > > On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote: > > > On a lark, I purchased a Yubico FIDO U2F Security key. It's an > > > inexpensive USB token that can be used for two-factor authentication for > > > Gmail and Facebook, among others. I'd like to use it on my Qubes RC4 > > > system. > > > > > > I've read the USB documentation, but thought I'd see if somebody else > > > running Qubes has managed to get this working as advertised on their > > > system. The current path that seems most promising is to bring up > > > SYS-USB, but I have some concerns about doing this since my keyboard and > > > mouse are both usb devices. > > > > > > Can anyone reply with a "hand waving" set of steps I should follow? I > > > would greatly appreciate hearing your solution. > > > > I did not yet get around to testing it out for locking down Qubes my self > > just yet, but there should be quite a lot of people who managed to. > > Consider that there are at least a good amount of people wanting this, and > > generally you see people posting about whether to do it or not (like your > > post), over people who somehow messed it up and are locked out of their > > system. > > > > From that, I'd deduce that it is probably safe. But you may want to do > > backup first, at least of your most important AppVM's, just in case > > something should go south. You never know, whatever can go wrong, will > > eventually go wrong, as the saying goes. > > > > Also for what purposes? LUKS disk decryption? Qubes password login/logout > > when insert/retracting the Yubi-key? Third-party services in AppVM's? > > > > But having said that, I doubt it's a big issue, especially not if you > > backup first. Also from what I can read, your old password still works, in > > case the key isn't working anymore, or is lost/stolen. This isn't a measure > > against cracking, but a measure against people looking over a persons > > shoulder, or if sitting under a camera, stuff like that where the password > > can be stolen. Although of course, it can also servee as a means to > > memorize a crazy long strong password with high entropy, which makes > > cracking your drive even harder. > > > > Whatever the case, you should probably have a means to remember a long > > random password with strong entropy, in case you loose your hardware key, > > for example write it on a piece of paper and hide it inside a wall (or > > something crazy like that). You can alaos backup the hardware key's seed, > > which is recommended in case you loose the key and need a new key with same > > 2nd factoring credentials. > > > > Essentially, it likely more boils down to how you handle your key, and how > > you prevent loosing it, or exposing it to potential attackers in the > > physical world. Just search these google mails, you probably won't find > > many having issues, and instead find people asking questions before they > > start using it > > > I do not think he wants this for qubes luks login or even Qubes user login > but for 2 factor auth pin such as google auth or better yet oathtool. This > should be much easier. oh, you make a good point. I indeed made an assumption that it was about lock-out by the "reading guides" line, and I somehow missed the line regarding Google and Facebook services. I must then have misunderstood, I apologize. I just tested the Yubi key I got laying around, it works in sys-usb, or whereever the controller is located, be it dom0 or another AppVM with a working USB controller. But it doesn't seem like either the qvm-usb (or its GUI counterpart in the menu-widget introduced in Qubes 4, works. At least it doesn't appear on my system. But it works wherever the USB controller is located, just not in the VM's that are virtually linked with qvm-USB and the GUI-widget counterpart. As such, one can probably estimate the Yubi key working, if one has a working USB controller to spare, and that USB controller can feasibly be passed directly to the AppVM. But it can be tricky to find hardware that allows passthrough, especially considering the drivers are often not made for it, as well as there aren't terribly many products with multiple controllers on them to pick between. On laptops, it's hard to know in advance how many controllers there are, as it's not a marketing information, nor something frequently found in product reviews, quite frustrating. But if determined, can probably get extra USB controllers to spare, but it might be on the expensive side if making a mistake, like buying a computer that only had one controller, or the extra controller can't be passed through. But if one has a system with extra USB controllers, and it works to pass an USB controller directly into the AppVM (test other USB applications work), then the Yubi
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Sunday, February 18, 2018 at 3:17:39 PM UTC-5, Yuraeitha wrote: > On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote: > > On a lark, I purchased a Yubico FIDO U2F Security key. It's an inexpensive > > USB token that can be used for two-factor authentication for Gmail and > > Facebook, among others. I'd like to use it on my Qubes RC4 system. > > > > I've read the USB documentation, but thought I'd see if somebody else > > running Qubes has managed to get this working as advertised on their > > system. The current path that seems most promising is to bring up SYS-USB, > > but I have some concerns about doing this since my keyboard and mouse are > > both usb devices. > > > > Can anyone reply with a "hand waving" set of steps I should follow? I > > would greatly appreciate hearing your solution. > > I did not yet get around to testing it out for locking down Qubes my self > just yet, but there should be quite a lot of people who managed to. Consider > that there are at least a good amount of people wanting this, and generally > you see people posting about whether to do it or not (like your post), over > people who somehow messed it up and are locked out of their system. > > From that, I'd deduce that it is probably safe. But you may want to do backup > first, at least of your most important AppVM's, just in case something should > go south. You never know, whatever can go wrong, will eventually go wrong, as > the saying goes. > > Also for what purposes? LUKS disk decryption? Qubes password login/logout > when insert/retracting the Yubi-key? Third-party services in AppVM's? > > But having said that, I doubt it's a big issue, especially not if you backup > first. Also from what I can read, your old password still works, in case the > key isn't working anymore, or is lost/stolen. This isn't a measure against > cracking, but a measure against people looking over a persons shoulder, or if > sitting under a camera, stuff like that where the password can be stolen. > Although of course, it can also servee as a means to memorize a crazy long > strong password with high entropy, which makes cracking your drive even > harder. > > Whatever the case, you should probably have a means to remember a long random > password with strong entropy, in case you loose your hardware key, for > example write it on a piece of paper and hide it inside a wall (or something > crazy like that). You can alaos backup the hardware key's seed, which is > recommended in case you loose the key and need a new key with same 2nd > factoring credentials. > > Essentially, it likely more boils down to how you handle your key, and how > you prevent loosing it, or exposing it to potential attackers in the physical > world. Just search these google mails, you probably won't find many having > issues, and instead find people asking questions before they start using it I do not think he wants this for qubes luks login or even Qubes user login but for 2 factor auth pin such as google auth or better yet oathtool. This should be much easier. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0fcdabba-283b-471c-95ea-9d870ea1f0a0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Yubico FIDO U2F Security Key and Qubes
On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote: > On a lark, I purchased a Yubico FIDO U2F Security key. It's an inexpensive > USB token that can be used for two-factor authentication for Gmail and > Facebook, among others. I'd like to use it on my Qubes RC4 system. > > I've read the USB documentation, but thought I'd see if somebody else running > Qubes has managed to get this working as advertised on their system. The > current path that seems most promising is to bring up SYS-USB, but I have > some concerns about doing this since my keyboard and mouse are both usb > devices. > > Can anyone reply with a "hand waving" set of steps I should follow? I would > greatly appreciate hearing your solution. I did not yet get around to testing it out for locking down Qubes my self just yet, but there should be quite a lot of people who managed to. Consider that there are at least a good amount of people wanting this, and generally you see people posting about whether to do it or not (like your post), over people who somehow messed it up and are locked out of their system. >From that, I'd deduce that it is probably safe. But you may want to do backup >first, at least of your most important AppVM's, just in case something should >go south. You never know, whatever can go wrong, will eventually go wrong, as >the saying goes. Also for what purposes? LUKS disk decryption? Qubes password login/logout when insert/retracting the Yubi-key? Third-party services in AppVM's? But having said that, I doubt it's a big issue, especially not if you backup first. Also from what I can read, your old password still works, in case the key isn't working anymore, or is lost/stolen. This isn't a measure against cracking, but a measure against people looking over a persons shoulder, or if sitting under a camera, stuff like that where the password can be stolen. Although of course, it can also servee as a means to memorize a crazy long strong password with high entropy, which makes cracking your drive even harder. Whatever the case, you should probably have a means to remember a long random password with strong entropy, in case you loose your hardware key, for example write it on a piece of paper and hide it inside a wall (or something crazy like that). You can alaos backup the hardware key's seed, which is recommended in case you loose the key and need a new key with same 2nd factoring credentials. Essentially, it likely more boils down to how you handle your key, and how you prevent loosing it, or exposing it to potential attackers in the physical world. Just search these google mails, you probably won't find many having issues, and instead find people asking questions before they start using it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f73f119e-24ca-4e16-a78d-0128c87ceddb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
