Missing package: Yubikey/USB keyboard not proxied to minimal template qubes

I’ve been trying, with no luck, to connect a Yubikey (which acts as a keyboard) to a debian-11-minimal-based qube. I have also tried with a proper USB keyboard and it doesn’t work either.

Everything else works normally, including usb block devices.

Installing the following packages in the minimal template did not help:
qubes-u2f, qubes-usb-proxy, qubes-input-proxy-sender AND qubes-input-proxy-receiver.

It is not a problem of sys-usb since any qube running the default debian-11 works properly with the yubikey, so I believe I’m most likely missing a package but I cannot figure out which one.

I would greatly appreciate any input
(sorry for the pun)

To add to the above:
if I attach the Yubikey to a qube through the sys-usb widget, and run the gpg --card-status command, it correctly shows the pgp key information. So it’s just the input that is not processed.

Anyone with ideas?

I sit in the same Boat atm…i got a keepassxc file that needs a yubikey with hmac-sha1 challenge response.
Works in the Appvm with the debian-11 default template but not with debian-11-minimal custom template i made. Maybe some missing packages or a running service. Had no time to check yet…did you figured it out already or does someone has the minimum required dependencies for getting this to work? i never had such problem before with yubikey setup.

Which version of Qubes are you running. I run 4.1 (had to run it from the start because of CPU support). I use my Yubikey for both Yubikey’s proprietary keyboard-based keys and FIDO 2.

When I connect my Yubikey, I get a warning that USB keyboards are denied (totally expected). I then use the taskbar widget to connect my Yubikey to the desired Qube, and both modes work normally. I can even use the taskbar to transfer the Yubikey from one Qube to another, and it works fine.

Jepp i am on 4.1 here too. i added usermod -aG plugdev user to the /rw/config/rc.local file and that fixed it for me in my custom template but i am still curios why this is working fine in the default debian-11 template? user is not part of plugdev group there…?
@aholden did you use minimal templates aswell because with default templates i have no such problem

Glad this thread has picked up viewers because I’m still fairly desperately looking for a solution.

I’m also on 4.1 and the exact same behavior happens to me. The only difference is that while on the pre-installed debian 11 template everything works, with a custom minimal template the yubikey simply doesn’t work after being attached to the qube.

Unfortunately that does not solve it for me. Would you be willing to send me, even privately, the list of additional packages you have installed ?

install ykinfo in template and check in the appVM (where you will use the yubikey) if ykinfo -a does not work while sudo ykinfo -a does work to make sure its realy a permission problem.

if thats the case u need to add the following udev rule to /etc/udev/rules.d/99-yubikey.rules
in the template

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev", TAG+="uaccess"

and add the user in appvm to the plugdev group like i formerly mentioned

installed packages for my yubikey template vm are
ykinfo libyubikey-udev yubikey-personalization-qui qubes-usb-proxy yubioath-desktop

Ahh I get it. That part of the Yubikey I had already got it to work, as mentioned in comment #2 with gpg --card-status, that was likely due to the passwordless-root package.
But I still can’t get the static password to work, even though ykinfo shows the yubikey

I missed the significance of the minimal template. I use the standard templates. My best guess is that you need a udev rule for USB keyboards in your minimal template. That shouldn’t create too big a security hole because Qubes won’t attach devices unless you request them. Could be a problem if you plan to attach untrusted USB devices to your qube though.

I was just thinking, your minimal template might also be missing the USB keyboard module. It’s possible the template authors might have left it out or disabled it, thinking that Qubes emulates a PS/2 keyboard.
However, because the Yubikey presents itself as a USB keyboard for its standard auth, you need to ensure your minimal template has everything needed for USB keyboards.

I believe I’m having the same problem. Did you ever resolve this?

Update: I found the solution.

sudo apt-get install xserver-xorg-input-all 
1 Like

@BEBF738VD @n1ete same here:
minimal Debian 11, KeePassXC, Yubikey Challenge-Response does not work.
original Debian 11, KeePassXC, Yubikey Challenge-Response does work.

I guess this:

did not fix your Challenge-Response (CR) issue, am I right?

What is your status on on this issue?

Update: Yes, I have it working on a a mini-deb :blush:
But I did some stuff in the template, I need to redo a few steps to verify what was actually the missing thing. Keep you posted.

Solved and documented here:

This package was the solution for me. The Yubico 4 acts like a virtual USB keyboard and that package includes xserver-xorg-input-libinput and xserver-xorg-input-wacom. I’m guessing libinput is the required package. After I installed it in a minimal template 2fa worked.