Asking my question in a fresh thread to try to get attention on the exact problem I’m having.
I have a pretty fresh install of Qubes OS 4.2.2 with the default Fedora 40 XFCE template. I am also using sys-usb as installed by default during the installation process, no modification.
For each qube (qube_name) that needs to use ctap proxy (in dom0 as well)
$ qvm-service --enable qube_name qubes-ctap-proxy
then inside the related qube-template:
$ sudo dnf install qubes-ctap
Each time I try to use the key, I get my screen flooded with denied rights messages as follows:
Denied: u2f.Authenticate
Denied u2f.Authenticate+stringOfNumbersAndCharacters from qube_name to sys-usb
I have checked that the service “qubes-ctap-proxy” is checked in the qube manager and also checked if the qubes-ctap is installed. All seems good.
Does anyone know if “qubes-ctap-proxy” should also be installed in sys-usb? I would prefer not to mess with this qube if possible, so I haven’t tried yet as it was not part of the documentation.
Has anyone successfully activated CTAP Proxy in 4.2.x / Fedora 40?
Nothing comes up when I enter that command, I also tested other policies to confirm I’m typing it properly and yes I do.
I was under the impression that using the command line was activating everything but now I see that “Enable the Qubes u2f proxy service” is not activated in the GUI (Qubes OS Global Config) and there, it’s stated that “qubes-u2f” package needs to be installed in the usb template in order to be activated.
I was also under the impression that the u2f options in the GUI were the old version and the new version was ctap.
Should I go ahead and install “qubes-u2f” in the usb template and then activate “Enable the Qubes u2f proxy” from there?
I have made some tests and found out that installing either qubes-ctap or qubes-u2f will install exactly the same 3 modules/versions.
So I installed it in sys-usb… no changes
Enabled the Qubes u2f proxy service with Auth and Reg for a specific qube in Qubes OS Global Config… no changes
Checked the qubes-ctap-proxy service in sys-usb… no changes
Rebooted the whole system… no changes
Going back to your initial question, the grep command now returns:
/etc/qubes/policy.d/50-config-u2f.policy:policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
While I have some doubts about the mistakes that I could have made initially, I’m completely running out of ideas now.
Also, while I needed to add the ctap policies, the related interface throws an error message stating that those 2 lines are technically correct but too complicated and they are going to be removed after “saving” :-S
I really appreciate your help, apparatus, as I now have a working CTAP Proxy
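Added example, not part of the original posts and not Qubes project code: a small check that parses "Denied ... from ... to ..." notifications in the shape quoted above and reports which of those calls a candidate policy text would still not allow. It assumes simplified qrexec policy matching (first matching rule wins, no match means deny; only literal qube names, `@anyvm`, `@adminvm` and `*` are handled); the qube names `work` and `banking`, the argument strings and the second policy line are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the notifications quoted in the post.
DENIALS = """\
Denied: u2f.Authenticate
Denied u2f.Authenticate+0a1b2c3d from work to sys-usb
Denied u2f.Authenticate+0a1b2c3d from work to sys-usb
Denied u2f.Authenticate+ffee0011 from banking to sys-usb
"""
# Candidate policy: line 1 is the grep result from the post, line 2 is constructed.
POLICY = """\
policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
u2f.Authenticate * banking sys-usb allow
"""
DENIED_RE = re.compile(
    r"^Denied (?P<svc>[\w.-]+)(?:\+(?P<arg>\S*))? from (?P<src>\S+) to (?P<dst>\S+)$")

def parse_denials(text):
    """Count distinct denied calls as (service, argument, source, target)."""
    calls = Counter()
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:  # title lines such as "Denied: u2f.Authenticate" do not match
            calls[(m["svc"], m["arg"] or "", m["src"], m["dst"])] += 1
    return calls

def parse_policy(text):
    """Return rules as [service, argument, source, target, action]."""
    rows = (l.split() for l in text.splitlines() if l.strip()[:1] not in ("#", "!"))
    return [f[:5] for f in rows if len(f) >= 5]

def _vm_matches(pattern, name):
    # Simplification: only literal names, @anyvm and @adminvm are handled.
    if pattern in ("@anyvm", "@adminvm"):
        return (name == "dom0") == (pattern == "@adminvm")
    return pattern == name

def decide(rules, svc, arg, src, dst):
    """First matching rule wins; no match means the call is denied."""
    for r_svc, r_arg, r_src, r_dst, action in rules:
        if (r_svc in ("*", svc) and r_arg in ("*", "+" + arg)
                and _vm_matches(r_src, src) and _vm_matches(r_dst, dst)):
            return action
    return "deny"

def still_denied(denials, rules):
    """Denied calls that the candidate policy would not allow either."""
    return sorted(c for c in denials if decide(rules, *c) != "allow")
```

With the constructed input, `still_denied(parse_denials(DENIALS), parse_policy(POLICY))` lists only the call from `work`, since the `policy.RegisterArgument` line names a different service and no rule covers that qube.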