Hi
Please help me with how to set up a YubiKey.
The first thing I did in the Debian template was: sudo apt install scdaemon yubikey-manager libpam-yubico libpam-u2f libu2f-udev
After that I reloaded the template
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
After reading the manual a little on how to do this in Qubes, I added
During Qubes installation, the installer asked you if you want to create sys-usb (USB VM). Check if you have a sys-usb qube.
If you don’t have one then create it using guide above.
Unless you’re planning to use the static password mode of the YK in dom0, this is not needed and could actually pose a security risk (a malicious yk could inject arbitrary code since it’s seen as a keyboard device).
If all you need the yubikey for is logging onto websites, and using gpg, you just need to install the required software in a template (you already did) and then use the USB widget at the top to connect the yubikey to the qube based on the yk-template.
It’s very straightforward and you don’t need any extra policy in dom0 (just make sure you have a sys-usb qube):
Of course, only for this, and I already put the software in the Debian template. But Qubes does not see the YK.
Thank you good man suggested. And then I would do business now.
If you don’t use a usb mouse or usb keyboard to interact with your machine, you should be fine by just following the steps listed in the “How to create a usb qube” paragraph to create a sys-usb qube: https://www.qubes-os.org/doc/usb-qubes/#how-to-create-a-usb-qube.
If you require usb mouse/keyboard there are instructions for those as well.
Once you have sys-usb you should be able to attach the yubikey to your system and have it working.
However, if it’s connected through a thunderbolt port you will need some workaround or a usb c to usb a adapter.
I do not know what happened in the process of creating sys-usb. After restarting Qubes OS, I can’t log in to the cube. The keyboard and mouse are not responding, what should I do?
Critical moment.
I guess you are using a usb keyboard and you didn’t set up the qube accordingly.
If you have a PS/2 keyboard that you can attach temporarily, that’ll probably be the quickest route, otherwise I’m afraid you may have to chroot into qubes from a live system and fix it from there, perhaps with one of the salt formulas. Or without chrooting, you can decrypt and mount the dom0 lvm, and create a temporary policy to get you back in.
If that’s the route you want/need to pursue, decrypt the partition with the usual cryptsetup open /dev/xxxxx luks, then mount the root partition: mount /dev/mapper/qubes_dom0-root /mnt (or similar name, depending on if you changed it), and add sys-usb dom0 allow to /etc/qubes-rpc/policy/qubes.InputKeyboard.
Once you’re back in, you can work on the appropriate setup.
You can’t fix it from grub. You need to boot from some other system (LiveUSB or from Qubes installation ISO for example) then mount there your Qubes drive and change config file on dom0 disk.
If you don’t have encryption then when you boot from LiveUSB you need to execute:
sudo vgchange -ay
sudo mount /dev/mapper/qubes_dom0-root /mnt
sudo nano /mnt/etc/qubes-rpc/policy/qubes.InputKeyboard
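Added example, not part of any post in this thread: a small shell helper for the recovery step described above, which adds the temporary "sys-usb dom0 allow" line to the mounted policy file and removes it again once the proper setup is done. It assumes the dom0 root is mounted at /mnt as in the commands above and that the policy file is evaluated top to bottom with the first match winning; the function names and the .pre-recovery backup suffix are made up for this example.

```shell
#!/bin/sh
# Added example: manage the temporary USB-keyboard rule in a dom0 policy file
# mounted from a live system, e.g. /mnt/etc/qubes-rpc/policy/qubes.InputKeyboard.
# Assumption: rules are first-match, so the allow line must precede any deny line.
RULE='sys-usb dom0 allow'
PAT='^[[:space:]]*sys-usb[[:space:]]+dom0[[:space:]]+allow[[:space:]]*$'

# has_rule FILE: succeed if the rule is already present as a line of its own.
has_rule() {
    grep -qE "$PAT" "$1"
}

# add_rule FILE: put the rule on the first line, keeping a one-time backup.
add_rule() {
    # A missing file usually means the wrong partition or mount point.
    [ -f "$1" ] || { echo "no policy file at $1 (wrong mount point?)" >&2; return 1; }
    has_rule "$1" && return 0                     # idempotent: nothing to do
    [ -e "$1.pre-recovery" ] || cp -p "$1" "$1.pre-recovery" || return 1
    tmp=$(mktemp) || return 1
    # Rewrite in place (cat > file) so ownership and mode of the original stay.
    { printf '%s\n' "$RULE"; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# remove_rule FILE: drop the temporary rule again after the keyboard setup
# has been redone properly, since it lets sys-usb act as a keyboard for dom0.
remove_rule() {
    [ -f "$1" ] || return 1
    tmp=$(mktemp) || return 1
    sed -E "/$PAT/d" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Usage: sh script.sh add|remove /mnt/etc/qubes-rpc/policy/qubes.InputKeyboard
case "${1:-}" in
    add)    add_rule "$2" ;;
    remove) remove_rule "$2" ;;
esac
```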