Installing Yubi Key

Hello, I’m having some trouble installing Yubikey into QubesOs.

I’m following this guide: YubiKey | Qubes OS

I went through all the steps and performed them correctly (to the best of my knowledge. Spent hours looking things up. Not very well versed in terminal).

So after I thought it was set up and locked the screen to try it, I type the password, and then Yubikey blinnks, I press it, and it says authentication failed. But then I type my normal password, it blinks, I touch it, then it opens. It wont open until I press the Yubikey when flashing after I type my normal password.

So I decided to uninstall everything and reinstall it. It does the same thing, except the Yubikey is for some reason not required when I type in my regular password. I also noticed if I type in a wrong password, yubikey does nothing. But if I type in the correct password, it blinks. So I think that shows I have the Yubikey password set properly, but maybe I don’t have the AESKEY properly? Not sure.

Also when I come in, I get an error message in the top right corner saying " Denied: qubes.InputKeyboard Denied qubes.InputKeyboard from sys-usb to dom0.

Does anyone have an idea about how to fix it so the password I created for Yubikey unlocks it too?

Well I think I’ve made a mistake. I set up Mandatory YubiKey Login and now I can’t get in. Anyway to fix this? Thankfully I keep everything backed up regularly on a physical hard drive so if I have to reinstall qubes os it’s not a killer, but I would rather not to.

Well I got in. Very weird. It wouldn’t work for my password I have set for qubes. But when I typed in the yubikey password and just let it keep blinking and not touch it like I’m supposed to, it got me in. Very strange. Well I’m turning off Mandatory YubiKey Login for now, until I hear from some people who have more knowledge in this.

1 Like

I was able to figure it out. I got the Yubikey to work as a user login, and also got it to work for for locking when removed. That was the most difficult. When I restarted it wouldn’t work, so I realized sys-usb was a disposablevm and I had to put the config in the template it was based on. But that still would not work. So I ran the log files in domo, and the only thing I was seeing was input keyboard denied. So I went in and put input keyboard in for sys-usb and it works now.

My question now though, is that okay? I’ve heard some things about how that might not be safe?

Also, how safe is it to run Yubikey out of sys-usb? I read one post on here about how someone runs it out of their vault, which sounds like a good idea. I’m not sure how that would work on booting up though? Has anyone tried that before?