Issue with yubikey

I followed this guide and I can’t get my yubikey to attach to a qube and be recognized. I made sure qubes-u2f-proxy was enabled in the qube I was using and sys-usb and followed the proper steps to install qubes-u2f into the templates and restarted the qubes reliant on the templates. I tried using the yubikey in different ways, one of them being with keepass but it didn’t recognize that any hardware key was attached to the qube even though I attached the yubikey.

I would appreciate any help or guidance. I’ve been struggling for a couple of days with this.

I made a couple of mistakes in setting my Yubikey before I successfully did so. So I may be of some help. Here’s a write up I did some time ago detailing how I went about it: https://medium.com/@corbeaucrypto/a-small-adventure-with-yubikey-and-qubesos-63e5820ddf96

I did not set up u2f and only did challenge-response so my help may be limited. Disclaimers made - what can you share in terms of practical steps taken or errors received?

It all depends on the type of Yubikey and the crypto protocol you need to use (FIDO2, HMAC-SHA1, chalresp, OTP, etc). I have a C Bio series 5. It works perfectly attaching usb qubes to a qube with chrome-based browser (Brave, Ungoogled Chrome) with FIDO2. But it cannot do HMAC or chalresp. A different type of key is required. Not all keys have all crypto protocols. KeePass requires a key with protocols my key doesn’t have. I wish mine did too. But there are Nitro and other types of keys with HMAC that would work for KeePass.

This works well for me:

In dom0:
sudo qubes-dom0-update qubes-u2f-dom0

Add qubes-u2f-proxy in Services of each qube it will use to enable the service.

In Fedora TemplateVMs:
sudo dnf install qubes-u2f

In Debian TemplateVMs:
sudo apt install qubes-u2f

Restart qubes

I have tried to get a HS_HyperFIDO running, but without success. Yubikey-personalization(-gui) won’t recognize it. Chromium does, but none of the functions the HyperFIDO is supposed to be capable of can be used by Chromium.

Hmpf, or I should read the docs again. As I didn’t make any modifications inside dom0 - thought that is only for using the yubikey for dom0’s PAM stuff - that might be necessary, i.e.

 qvm-service --enable work qubes-u2f-proxy

could prove to be necessary.

I tried it on chromium and was able to get it to work, but I am getting a message on the top right that repeatedly spams and fills up my screen and says “Denied: u2f.authenticate from sys-usb to sys-usb” until I touch the hardware key and connect it; then it works.

Do you have any idea how to fix this?

Did you check the box to “Require user input (button press)”? I believe that’s turned on by default. You might need to do it again and uncheck that box if you don’t want to press the button.

I’m a little confused. Are you talking about in the yubikey personalization tool?

I’m pretty certain this doesn’t have to do with the yubikey itself, because if I go through the process of using the yubikey and then my browser begins searching for connected keys, whether the hardware key is connected or not, I will start to have the message saying “Denied u2f.authenticate from sys-usb to sys-usb”. Also, to add more context, I would get a similar message before in the Firefox browser, but it would say “Denied usb.register from sys-usb to sys-usb”.

You stated you followed the guide that included this step:

 sudo apt-get install yubikey-personalization

Was that not part of your steps?

I’m sorry, I put the wrong link for the guide. That is what made it confusing. I meant this guide. I was more so trying to get yubikey working for a few other things, like keepass specifically, but I would like to eventually use it to login as well.

Sorry to create confusion, I meant this guide.

I see. Well, I cannot help then. I’ll be following this thread though because I imagine I would like to try this one day. I wish you all the luck!

Hey jjones274,

Have you been able to fix the issue? I’m having the exact same issue…

Denied: u2f.Authenticate
Denied u2f.Authenticate+stringOfNumbersAndCharacters from vmX to sys-usb

Thanks!

Since FIDO authentication relies on passkeys and I have a working Yubikey Passkey for this forum I will share my configuration.

Based on a minimal Debian template (my librewolf browser appVM), I just need the following:

  • qubes-usb-proxy
  • policykit-1
  • libblockdev-crypto2
  • pcscd
  • libfido2-1

Same here, I have a working Yubikey CR setup for KeePassXC based on a Debian minimal template. Here are my notes / config. concerning KeePassXC:

# Using KeePassXC One-Time-Passwords (OTP); ensures time is sync'ed
apt install systemd-timesyncd

# Using USB keys (i.e. Yubikey, Nitrokey etc.)
apt install qubes-usb-proxy

# Using Yubikey's challenge-response (CR)
apt install policykit-1

# Using Yubikey's static password
apt install xserver-xorg-input-libinput