I wanted to try out whether a Hypersec HyperFIDO and a Feitian Tech ePass FIDO device work at all.
So I installed chromium and yubikey-personalization-gui in an AppVM temporarily. After attaching the aforementioned USB sticks to the AppVM I was not able to get them to work. yubikey-personalization-gui can’t find a YubiKey; I thought that was a standard and other vendors’ products would be recognized as well. chromium does recognize the devices but can’t erase or write to them.
Does anyone have experience with alternative vendors? Do I have to take further steps, like rebooting (which makes installation in the template a must), to work with U2F, OTP and challenge-response?
@arkenoi: you wrote in another thread, OTP and challenge-response are proprietary… @sven: you wrote in another thread to write to /rw/config of the sys-usb-template. Why does one want to run yubikey-personalization-gui in sys-usb, anyway? I believe I understand why one wants to create keys in a disposableVM, but why in sys-usb?
That was about getting a custom.LockScreen script persistent. I’m wondering why sys-usb is the preferred VM to install and use the tools in.
I’m planning to use Hypersec HyperFIDO for unlocking a KeePassXC-database in a vaultVM. U2F (or OTP) for webapps and Challenge-Response for screen locking might be nice to have, too, but is secondary at the moment.
I don’t think that’s the case. Obviously you don’t want anything of value in sys-usb. I don’t use my Nitrokey for anything except GPG, which I run in vault, and I assign the Nitrokey to vault using the USB device tray icon.
Maybe the Nitrokey-App is easier to run in sys-usb, and one could make the case that the secrets are stored in the key. But then again, some of them would then be accessible in a compromised sys-usb.
I got it to work in vault, too, with the key assigned via tray icon / qvm-usb. However, I stopped using it altogether a while ago.
My quoted response was merely about how to have something persist for use in a disposable, not about the larger use case.
@ckN6QwSZ I just don’t know enough about Yubikey and what you are trying to do to be helpful. I only answered because you called me by name. My use case is a Nitrokey and I only use it as a GPG ‘smart card’ … and that works great / out of the box.
Most threads in this forum regarding YubiKey problems come down to the solution
enable sys-usb
which I have been using from the beginning.
My use case is to use at least one of the mentioned FIDO devices for additional protection of my KeePassXC database. As a first step. Screen locking (easy) or LUKS encryption (probably too much hassle) might be future use cases. So far KeePassXC has not detected my hardware keys for Challenge-Response. Chromium detects my FIDO devices but cannot apply any changes.
I do have a GPG smartcard, a HyperFIDO key and a Feitian ePass FIDO. All three devices are attachable to my vaultVM or testing AppVM, and listable with qvm-usb in dom0 and lsusb in the respective AppVM.
I installed libfido2 and pcsclite (that’s on my testing AppVM, which is based on my Arch Linux template) and added a “CAC Module” to the NSS database.
From what I have read, I don’t need special drivers for FIDO devices. Obviously I haven’t installed the correct driver or I have a permission problem (see udev rules).
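The "permission problem (see udev rules)" mentioned in the last post is the usual reason a FIDO token is visible to lsusb but unusable by libfido2 or a browser. The script below is an added troubleshooting example for the AppVM; it is not code from this thread or from any of the projects named in it. It assumes that FIDO2/U2F tokens are exposed as /dev/hidraw* nodes which libfido2 opens directly, that the AppVM's unprivileged user is in the group `qubes` (check with `id`), that `TAG+="uaccess"` is honoured by the VM's udev/systemd, and that a systemd with the `fido_id` builtin marks FIDO interfaces with `ID_FIDO_TOKEN=1`. The vendor/product IDs must be taken from `lsusb` for the actual HyperFIDO or ePass device; none are hard-coded here.

```shell
#!/bin/sh
# Added example (not from the forum thread): check whether the AppVM user can
# open a FIDO token's hidraw node, and emit a udev rule granting access.
# Assumptions: tokens appear as /dev/hidraw*; the fallback group "qubes"
# is the AppVM user's group; TAG+="uaccess" is honoured by the VM's udev.

# Report whether the given device node is usable by the current user.
# Prints one of: missing, no-access, read-only, ok. Returns 0 only for ok.
hidraw_access() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo missing
        return 1
    fi
    if [ -r "$dev" ] && [ -w "$dev" ]; then
        echo ok
        return 0
    elif [ -r "$dev" ]; then
        echo read-only
        return 1
    else
        echo no-access
        return 1
    fi
}

# Emit a udev rule matching a USB HID token by vendor/product id (hex, as
# shown by lsusb). uaccess lets the logged-in seat user open the node;
# GROUP/MODE are the fallback where no seat is tracked. Group is a parameter
# because "qubes" is only an assumption about the AppVM user's groups.
fido_udev_rule() {
    vendor="$1"; product="$2"; group="${3:-qubes}"
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess", GROUP="%s", MODE="0660"\n' \
        "$vendor" "$product" "$group"
}

# Walk all hidraw nodes: print the access verdict plus what udev knows about
# the device. Newer systemd sets ID_FIDO_TOKEN=1 on FIDO interfaces via its
# fido_id builtin (assumed present); its absence means udev never saw the
# device as a token and no generic rule will match it.
scan_hidraw() {
    for dev in /dev/hidraw*; do
        [ -e "$dev" ] || continue
        printf '%s: %s\n' "$dev" "$(hidraw_access "$dev")"
        udevadm info -q property -n "$dev" 2>/dev/null \
            | grep -E '^(ID_VENDOR_ID|ID_MODEL_ID|ID_FIDO_TOKEN)=' \
            | sed 's/^/    /'
    done
}

# Usage: run scan_hidraw after attaching the token with qvm-usb. If a node
# reports no-access, write a rule and reload udev, e.g.:
#   fido_udev_rule <vendor> <product> | sudo tee /etc/udev/rules.d/70-fido-token.rules
#   sudo udevadm control --reload && sudo udevadm trigger
# then detach and re-attach the token so the rule is applied to the node.
if [ "${1:-}" = scan ]; then
    scan_hidraw
fi
```

Because /etc in an AppVM does not persist, the rule file has to live in the template (or be recreated from /rw/config/rc.local, as discussed earlier in the thread for the disposable case) for it to survive a VM restart.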