Asking my question in a fresh thread to try to get attention on the exact problem I'm having.
I have a pretty fresh install of Qubes OS 4.2.2 with the default Fedora 40 XFCE template. I am also using sys-usb as installed by default during the installation process, no modification.
For each qube (qube_name) that needs to use the CTAP proxy (in dom0 as well):
$ qvm-service --enable qube_name qubes-ctap-proxy
then inside the related qube-template:
$ sudo dnf install qubes-ctap
Each time I try to use the key, my screen gets flooded with denied-rights messages like the following:
Denied: u2f.Authenticate
Denied u2f.Authenticate+stringOfNumbersAndCharacters from qube_name to sys-usb
I have checked that the service "qubes-ctap-proxy" is checked in the Qube Manager and also checked that qubes-ctap is installed. All seems good.
Does anyone know if "qubes-ctap-proxy" should also be installed in sys-usb? I would prefer not to mess with this qube if possible, so I haven't tried yet, as it was not part of the documentation.
Has anyone successfully activated the CTAP Proxy in 4.2.x / Fedora 40?
Nothing comes up when I enter that command. I also tested other policies to confirm I'm typing it properly, and yes, I am.
I was under the impression that using the command line was activating everything, but now I see that "Enable the Qubes u2f proxy service" is not activated in the GUI (Qubes OS Global Config), and there it's stated that the "qubes-u2f" package needs to be installed in the USB template in order to be activated.
I was also under the impression that the u2f options in the GUI were the old version and the new version was ctap.
Should I go ahead and install "qubes-u2f" in the USB template and then activate "Enable the Qubes u2f proxy" from there?
I have made some tests and found out that installing either qubes-ctap or qubes-u2f will install exactly the same 3 modules/versions.
So I installed it in sys-usb… no changes
Enabled the Qubes u2f proxy service with Auth and Reg for a specific qube in Qubes OS Global Config… no changes
Checked the qubes-ctap-proxy service in sys-usb… no changes
Reboot the whole system… no changes
Going back to your initial question, the grep command now returns:
/etc/qubes/policy.d/50-config-u2f.policy:policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
While I have some doubt about the mistakes I could have made initially, I'm completely running out of ideas now.
Also, when I needed to add the ctap policies, the related interface throws an error message stating that those 2 lines are technically correct but too complicated and are going to be removed after "saving" :-S
I really appreciate your help, apparatus, as I now have a working CTAP Proxy.
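Added illustration by the editor, not code from Qubes OS, qubes-ctap, or any poster in this thread: a deliberately simplified Python model of qrexec's first-match policy evaluation, run against a constructed policy file whose first line is the one printed by the grep above. The `u2f.Register` rule, the per-key-handle `u2f.Authenticate +<handle>` rule and the handle value are assumptions about what a working setup would contain, not something the thread shows. The point of the model is only that a `u2f.Authenticate+<handle>` call with no rule matching that exact argument falls through to deny, which is the shape of the "Denied u2f.Authenticate+... from qube_name to sys-usb" message reported above.

```python
# Added example (not Qubes OS code, and not from any post in this thread):
# a deliberately simplified model of qrexec first-match policy evaluation,
# used to show why "Denied u2f.Authenticate+<handle> from qube_name to sys-usb"
# appears when no rule matches that exact key-handle argument.
#
# Assumptions of this model (the real qrexec-policy parser is richer):
#   - one rule per line, '#' starts a comment, blank lines are ignored
#   - token order: service argument source target action [key=value ...]
#   - argument is '*' (any argument) or '+text' (exact match on text)
#   - '@anyvm' matches every qube except dom0; '@adminvm' matches dom0
#   - rules are tried top to bottom, the first match wins, no match means deny
from dataclasses import dataclass, field


@dataclass
class Rule:
    service: str
    argument: str           # '*' or '+<argument>'
    source: str
    target: str
    action: str             # allow / ask / deny
    params: dict = field(default_factory=dict)


def parse_policy(text: str) -> list:
    """Parse policy text into Rule objects, preserving file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed rule: {raw!r}")
        service, argument, source, target, action, *extra = parts
        params = dict(item.split('=', 1) for item in extra)
        rules.append(Rule(service, argument, source, target, action, params))
    return rules


def _vm_matches(pattern: str, vm: str) -> bool:
    if pattern == '@anyvm':
        return vm != 'dom0'
    if pattern == '@adminvm':
        return vm == 'dom0'
    return pattern == vm


def _arg_matches(pattern: str, argument: str) -> bool:
    return pattern == '*' or pattern == '+' + argument


def evaluate(rules: list, service: str, argument: str,
             source: str, target: str) -> tuple:
    """Return (action, params) of the first matching rule, or ('deny', {})."""
    for rule in rules:
        if (rule.service == service
                and _arg_matches(rule.argument, argument)
                and _vm_matches(rule.source, source)
                and _vm_matches(rule.target, target)):
            return rule.action, rule.params
    return 'deny', {}


# Constructed sample policy. The first line is the one the grep in the thread
# printed; the others are stand-ins for what a working setup would contain
# (rule shape assumed; the key handle 'aGFuZGxlMQ' is made up).
SAMPLE_POLICY = """
policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
u2f.Register * work sys-usb allow
# assumed to be added by sys-usb via policy.RegisterArgument after 'work' enrolled a key:
u2f.Authenticate +aGFuZGxlMQ work sys-usb allow
"""

RULES = parse_policy(SAMPLE_POLICY)


def check_authenticate(source: str, handle: str) -> str:
    """Outcome of u2f.Authenticate+<handle> from `source` to sys-usb."""
    action, _ = evaluate(RULES, 'u2f.Authenticate', handle, source, 'sys-usb')
    return action


if __name__ == '__main__':
    for qube, handle in [('work', 'aGFuZGxlMQ'), ('work', 'unknownHandle'),
                         ('personal', 'aGFuZGxlMQ')]:
        print(f"u2f.Authenticate+{handle} from {qube} to sys-usb: "
              f"{check_authenticate(qube, handle)}")
```

In this model only the qube that holds a matching `u2f.Authenticate +<handle>` rule gets `allow`; the same handle from another qube, or an unknown handle from the right qube, falls through to `deny`. If a real setup prints the denial for every key handle, the rules that the RegisterArgument line is meant to let sys-usb create are the first thing to look for in `/etc/qubes/policy.d/`.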
Hi all, I am having similar problems, but without the resolution.
I would like to use my Yubikey with its current "keys" registered on another computer without having to set them up again. Right now I'm testing by trying to authenticate in the Brave browser, but I would like to be able to use the Yubico Authenticator app in an App qube; currently that isn't working.
I have done the following: sudo qubes-dom0-update qubes-ctap-dom0
and in each qvm: qvm-service --enable qube_name qubes-ctap-proxy
and inside the templates: dnf install qubes-ctap
I have also tried setting it in the Qubes Global Config as well, and tried adding custom rules to allow all to a qvm.
I have also checked in the settings in the Qubes Manager for each qvm and template that ctap is enabled.
In /etc/qubes/policy.d/50-config-u2f.policy file I have added the following lines like above:
I fixed my problem:
I made a clone of sys-usb and in the clone configured the devices with strict reset. It was a thunderbolt problem.
I use the main sys-usb most of the time unless I need the Thunderbolt devices.
I believe this happened because of a BIOS setting that turned Thunderbolt off when installing Qubes. I also read somewhere that Thunderbolt is less secure, so best practice might be to just use the clone when needed. Not sure though.
I have been struggling mightily with this problem, described exactly as by the OP, except this is Q4.2.4 and Fedora-42-XFCE. I have followed the Qubes on-line docs, used the Qubes Global Config GUI, and tried the various suggestions in this and related threads, such as adding extra lines to the /etc/qubes/policy.d/50-config-u2f.policy file. No luck.
The Yubikey works fine if I connect it directly to the qube of interest, bypassing the proxy. I would prefer using the proxy, of course.
I have not tried @on-the-docs’s May 27 solution, mainly because I don’t understand in detail what needs to be done. (I also wonder about actually increasing security risks by changing the device treatment, at least without me knowing what I’m doing.)
Anyhow, if there is any other news on how to solve this, including “All my problems will be solved in Q4.3”, I would appreciate any ideas or new things to try.
Hi @shmooga,
My previous solution stopped working for me and I tried many different solutions.
The flatpak Yubico Authenticator application is the only solution that works.
To use flatpak, follow @solene’s guide to integrating it.
– Hope this helps!