CTAP Proxy not working, Qubes OS 4.2.2, Fedora 40 XFCE

Hi all,

Asking my question in a fresh thread to try to get attention on the exact problem I’m having.

I have a pretty fresh install of Qubes OS 4.2.2 with the default Fedora 40 XFCE template. I am also using sys-usb as installed by default during the installation process, no modification.

I have followed this guide which is simple: CTAP proxy | Qubes OS

In dom0

$ sudo qubes-dom0-update qubes-ctap-dom0

For each qube (qube_name) that needs to use ctap proxy (in dom0 as well)

$ qvm-service --enable qube_name qubes-ctap-proxy

then inside the related qube-template:

$ sudo dnf install qubes-ctap

Each time I try to use the key, I get my screen flooded with denied rights messages as follows:

Denied: u2f.Authenticate
Denied u2f.Authenticate+stringOfNumbersAndCharacters from qube_name to sys-usb

I have checked that the service “qubes-ctap-proxy” is checked in the qube manager and also checked if the qubes-ctap is installed. All seems good.

Does anyone know if “qubes-ctap-proxy” should also be installed in sys-usb? I would prefer not to mess with this qube if possible, so I haven’t tried yet as it was not part of the documentation.

Has anyone successfully activated CTAP Proxy in 4.2.x / Fedora 40?

Thanks!

What do you have in your /etc/qubes/policy.d/50-config-u2f.policy in dom0?
What’s the output of this command in dom0?

grep "u2f.Authenticate" /etc/qubes/policy.d/*

Thanks apparatus,

Nothing comes up when I enter that command. I also tested other policies to confirm I’m typing it properly and yes, I am.

I was under the impression that using the command line was activating everything but now I see that “Enable the Qubes u2f proxy service” is not activated in the GUI (Qubes OS Global Config) and there, it’s stated that “qubes-u2f” package needs to be installed in the usb template in order to be activated.

I was also under the impression that the u2f options in the GUI were the old version and the new version was ctap.

Should I go ahead and install “qubes-u2f” in the usb template and then activate “Enable the Qubes u2f proxy” from there?

Thanks for your help!

Yes, the u2f was just renamed to ctap:

I guess the info in Qubes Global Config just wasn’t updated.

I guess you need to install qubes-ctap package in sys-usb template as well.

1 Like

Thank you for your help apparatus,

I have made some tests and found out that installing either qubes-ctap or qubes-u2f will install exactly the same 3 modules/versions.

So I installed it in sys-usb… no changes
Enabled the Qubes u2f proxy service with Auth and Reg for a specific qube in Qubes OS Global Config… no changes
Checked the qubes-ctap-proxy service in sys-usb… no changes
Rebooted the whole system… no changes

Going back to your initial question, the grep command now returns:
/etc/qubes/policy.d/50-config-u2f.policy:policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm

While I have some doubts about the mistakes that I could have made initially, I’m completely running out of ideas now.

Let me know if you have any ideas!

Thanks!

What’s the content of this file in dom0?

/etc/qubes-rpc/policy/u2f.Authenticate

1 Like

Hi apparatus,

It seems like that file does not exist there or anywhere else in my system.

However, I did more research on u2f.Authenticate and found that post here:

And added the missing lines found in Jarrah’s reply to /etc/qubes/policy.d/50-config-u2f.policy as follows and it worked:

u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.ClientPin * @anyvm sys-usb allow

I guess I should re-open a new issue because this one has been closed: Qubes R4.2.0-rc2 Qubes OS Global Config tool not see qubes-u2f installed in sys-usb · Issue #8463 · QubesOS/qubes-issues · GitHub

Also, while I needed to add the ctap policies, the related interface throws an error message stating that those 2 lines are technically correct but too complicated and they are going to be removed after “saving” :-S

I really appreciate your help apparatus as I now have a working CTAP Proxy 🙂

Thanks!

1 Like
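
Why the rule returned by grep did not stop the denials while the four added lines did, as an added example (not from the thread or from the Qubes project): a simplified first-match model of qrexec policy lines in the `service argument source target action` layout. It assumes only the tokens seen in the thread (`*`, `@anyvm`, `@adminvm`, literal qube names), ignores the other files in /etc/qubes/policy.d/, and uses a constructed argument value `+0123abcd`.

```python
from typing import NamedTuple

# Rule reported by grep in the thread; its service field is policy.RegisterArgument.
POLICY_BEFORE = "policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm\n"
# The four lines the poster added to 50-config-u2f.policy.
POLICY_AFTER = POLICY_BEFORE + """\
u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.ClientPin * @anyvm sys-usb allow
"""

class Rule(NamedTuple):
    service: str
    argument: str
    source: str
    target: str
    action: str
    raw: str

def parse(text: str) -> list[Rule]:
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 5:  # service argument source target action [params]
            rules.append(Rule(*fields[:5], raw.strip()))
    return rules

def vm_matches(token: str, vm: str) -> bool:
    if token == "@anyvm":      # assumed: any qube other than dom0
        return vm != "dom0"
    if token == "@adminvm":    # dom0
        return vm == "dom0"
    return token == vm         # literal qube name

def evaluate(rules, service, argument, source, target):
    """Return (action, matching line); first match wins, no match means deny."""
    for r in rules:
        if (r.service in ("*", service) and r.argument in ("*", argument)
                and vm_matches(r.source, source) and vm_matches(r.target, target)):
            return r.action, r.raw
    return "deny", None

if __name__ == "__main__":
    call = ("u2f.Authenticate", "+0123abcd", "qube_name", "sys-usb")  # constructed call
    print("before:", evaluate(parse(POLICY_BEFORE), *call))
    print("after: ", evaluate(parse(POLICY_AFTER), *call))
```

The only line present before the fix names u2f.Authenticate in its argument column, so no rule covered a u2f.Authenticate call from qube_name to sys-usb and the call fell through to deny.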