Asking my question in a fresh thread to try to get attention on the exact problem I’m having.
I have a pretty fresh install of Qubes OS 4.2.2 with the default Fedora 40 XFCE template. I am also using sys-usb as installed by default during the installation process, no modification.
For each qube (qube_name) that needs to use ctap proxy (in dom0 as well):
$ qvm-service --enable qube_name qubes-ctap-proxy
then inside the related qube-template:
$ sudo dnf install qubes-ctap
Each time I try to use the key, I get my screen flooded with denied rights messages as follows:
Denied: u2f.Authenticate
Denied u2f.Authenticate+stringOfNumbersAndCharacters from qube_name to sys-usb
I have checked that the service “qubes-ctap-proxy” is checked in the qube manager and also checked if the qubes-ctap is installed. All seems good.
Does anyone know if “qubes-ctap-proxy” should also be installed in sys-usb? I would prefer not to mess with this qube if possible, so I haven’t tried yet as it was not part of the documentation.
Has anyone successfully activated CTAP Proxy in 4.2.x / Fedora 40?
Nothing comes up when I enter that command. I also tested other policies to confirm I’m typing it properly, and yes, I am.
I was under the impression that using the command line was activating everything but now I see that “Enable the Qubes u2f proxy service” is not activated in the GUI (Qubes OS Global Config) and there, it’s stated that “qubes-u2f” package needs to be installed in the usb template in order to be activated.
I was also under the impression that the u2f options in the GUI were the old version and the new version was ctap.
Should I go ahead and install “qubes-u2f” in the usb template and then activate “Enable the Qubes u2f proxy” from there?
I have made some tests and found out that installing either qubes-ctap or qubes-u2f will install exactly the same 3 modules/versions.
So I installed it in sys-usb… no changes
Enabled the Qubes u2f proxy service with Auth and Reg for a specific qube in Qubes OS Global Config… no changes
Checked the qubes-ctap-proxy service in sys-usb… no changes
Rebooted the whole system… no changes
Going back to your initial question, the grep command now returns:
/etc/qubes/policy.d/50-config-u2f.policy:policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
While I have some doubts about the mistakes that I could have made initially, I’m completely running out of ideas now.
Also, while I needed to add the ctap policies, the related interface throws an error message stating that those 2 lines are technically correct but too complicated and they are going to be removed after “saving” :-S
I really appreciate your help, apparatus, as I right now have a working CTAP Proxy.
Hi all, I am having similar problems, but without the resolution.
I would like to use my Yubikey with its current “keys” registered on another computer without having to re-set them up. Right now I’m testing by trying to authenticate on Brave browser, but I would like to be able to use the Yubico Authenticator app in an App qube; currently that isn’t working.
I have done the following: sudo qubes-dom0-update qubes-ctap-dom0
and in each qvm: qvm-service --enable qube_name qubes-ctap-proxy
And inside the templates: dnf install qubes-ctap
I have also tried setting it in the Qubes Global Config as well, and tried adding custom rules to allow all to a qvm.
I have also checked in the settings in the Qubes Manager for each qvm and template that ctap is enabled.
In /etc/qubes/policy.d/50-config-u2f.policy file I have added the following lines like above: