I want to set up u2f-proxy after an in-place upgrade to 4.2 but can’t figure out how to do that and what exactly is causing the problem. I always have problems understanding which services are necessary and where, but on 4.1 I was able to set it up. Now I have the problem that the Qubes Global Config tool tells me that I haven’t got the qubes-u2f service installed in sys-usb. My sys-usb is a dvm based on minimal fedora-38. I have installed in the template qubes-usb-proxy, qubes-input-proxy-sender and qubes-u2f, which falls back to qubes-ctap. In dom0 I have installed qubes-u2f-dom0, which falls back to qubes-ctap-dom0.
I have enabled qubes-u2f-proxy service for each vm I want to use with u2f proxy, and also for sys-usb, but I can’t do
I am trying to do the same thing, and I was looking forward to a talk on CTAP2 at the QubesOS summit today, but it seems that talk didn’t occur. It seems the documentation (here) is no longer functional on 4.2 and refers only to Qubes 4.1? I also want to know if there is anyone aware how to do this on Qubes 4.2.
I am happy to even write up brief documentation on it if anyone can tell us how it can be set up and used on the new CTAP2 protocol.
If you use a webauthn test site without that you’ll see a bunch of
notifications warning that a policy denial has happened. I worked out
the above by adding things until the denials disappeared.
Thanks @Jarrah! So you are setting the policy manually then.
I was trying to go through the steps in the new Qubes Global Settings menu that has the U2F options and tells me that I need to install the service in my USB qube. Did you need to correctly set U2F in the menu alongside your policy update?
Not working for me. Where do you add the policy? I added it to /etc/qubes/policy.d/50-config-u2f.policy.
There was already some stuff there:
# THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
# Any changes made manually may be overwritten by Qubes Configuration Tools.
policy.RegisterArgument +u2f.Authenticate sys-net @anyvm allow target=@adminvm
This looks promising, but the qubes-ctapproxy service on my sys-usb is not willing to run. It doesn’t give me an error, and lets me start it, but when I check the status, I get the following output:
Ah! Clearly I don’t understand something about the services. I thought that @sys-usb was denoting where to run the command. But when I ran it exactly as you wrote it in the sys-usb terminal (with @sys-usb appended), I get a better response saying it is running.
I am not sure why then I can’t seem to use the proxy. I can plug my key into the machine and then attach it directly to the qube I want to use and it will work that way, but isn’t the point of the proxy that I shouldn’t directly connect the key to the AppVM where I want to use it? If I don’t connect it to any VM, then it simply doesn’t work.
I just verified all packages (as far as I know from Global Policy Config Tool guidance) are installed. I had neglected to previously install qubes-u2f on one of my templates I was using.
So, I am now getting errors thrown saying that “u2f.authenticate” and “u2f.register” are denied from sys-usb to sys-usb. This sounds like a policy problem. But, I have copied the same policy as @beto above, and the Qubes Policy editor does not find errors, but I am still having denial issues. It is notable that the Qubes Global Config Tool does complain it can’t parse my new rules (it failed to create some of them itself so I had to add the last two lines myself), but it does say they are correct.
Personally, I can’t do either one of these systemctl examples in dom0,
Unit qubes-ctapproxy@sys-usb.service could not be found.
I’ve both the U2F & CTAP packages in the template and the dom0 per the Q documentation. Also in the Global config → USB devices → USB qube says sys-usb, and “enable the Qubes U2F proxy service, list of Qubes that can use the U2F proxy” is checked. Also “enable registering new keys with the u2F proxy service” is checked (all qubes).
allow some qubes access to all your keys stored on u2f device, added the appvm
tried in the fedora and debian 12 template based appvm/qubes, also in chromium/firefox.
I also get the 100 continuous box that rolling onto the screen in columns telling me