U2F proxy problems with fedora-33

Hi everyone!

I just recently moved all my fedora qubes to fedora-33, and there’s still some strange lingering issue, so was just wondering if anyone else has discovered the solution.

I’m using Yubikey 5 NFC for U2F and other things as well (OpenPGP etc.). With fedora-32 everything worked perfectly. So I could access my pgp keys, login with U2F (via proxy) etc.

After upgrading sys-usb to fedora-33 strange issues started happening. U2F proxy works, but it’s not reliable. If I access my pgp keys on the Yubikey, U2F proxy stops functioning. I’m not 100% what happens in which order, but anyways it’s not like fedora-32 which was solid.

I also tried to create debian-10-minimal -based template for sys-usb, but couldn’t make the U2F proxy to work at all. Everything else works with my template. I installed qubes-u2f, as explained in the U2F documentation.

If I change sys-usb back to fedora-32 (which I still have lying around because of this issue), everything works again! So it is not about my appvm’s either.

I’d be interested in hearing your experience with Yubikey, fedora-33 and U2F proxy, and especially what needs to be done in order to create sys-usb template based on debian-10-minimal. I’m not the biggest fan of Fedora upgrade cycle, so I’d like to switch all my sys qubes to debian.

Edit. I did some more testing, and found out that with fedora-33 and debian-10-minimal, the authentication works via U2F proxy only once.

1 Like

Hi, I am using a Yubikey 4 and I recently switched to fedora-33 as well. I also disabled my 2FA because of the forum moving to another home.

I just enabled 2FA again for this forum temporarily and tried logging in with U2F a couple of times: no problems here!

The only thing I experienced since I first enabled U2F proxy is that for me it takes a few seconds until my Yubikey blinks. I know that so I don’t have a problem with this but impatient people might think it’s broken.
I don’t know if this behaviour is related to my laptop being a little slow or some other things. (I recall reading somthing on github but I forgot what it was and I am too lazy to search for it at the moment).

Anyway, for me U2F is working with fedora33 and this forum. A shame that U2F hasn’t caught on.

May I ask how much do you have memory for your sys-usb? I think I’ll try tweaking that. I know it’s a bit hopeless since the device doesn’t require huge memory, but that’s all I can think of now.

What packages you installed to fedora-33? I guess at least qubes-u2f, but maybe I missed something. Again, probably that’s not the issue, because the authentication works at least once. And yes, it also takes few seconds for me to start blinking.

I am using Q 4.1 at the moment.

I am using the default setting of 300Mb of initial memory and it is not included in memory balancing.

In order for sys-usb to work with my laptop I had to add a few kernel opts (nopat iommu=soft swiotlb=8192) but I don’t know if this has anything to do with this matter.

I did install packages because I make a clone of every template to have a vanilla one. I just checked and yes, I installed qubes-u2f. Besides libreoffice I did not install anything else.

The strange thing is that it has worked for you with f32 and doesn’t (fully) work with f33. Maybe something to do with Yubikey5? Did you search for something in this regard?

Thanks for your answer!

Yes, it is strange. I’ve tried to search a lot, found nothing, so finally wanted to ask here because I’m sure Yubikey 5 is commonly used in QubesOS community, so for sure someone else should have spotted the same problem.

In the past I had some difficulties with my Yubikey but these were either a bug with keepass or a simple mistake like switching my template for sys-usb to another where I hadn’t installed the u2f package.

Did you compare your fedora-templates with regard to the installed software packages?
Did you try a debian-10 without the minimal?

Did more testing. Authentication works as many times I want after rebooting sys-usb (f33 or debian-10-minimal), but when I attach the device to another appvm (which I use for other things), authentication doesn’t work anymore. But with f32 it works! So with f32 I can attach the device to my service vm (not the one with browser!), and the U2F proxy still functions. Strange indeed.

I only have to attach the Yubikey to my vault where my keepass is located in order to unlock it. After unlocking I just remove/detach it.
It isn’t attached to another appvm when I log on to the forum.

My setup is a bit different because I use unix pass, which needs to use my pgp keys in the Yubikey every time I need a password. Thus in practice the Yubikey is connected all the time. It’s weird this worked perfectly in f32. There must be explanation to this.

I’ve started to think there’s something strange going on with the interaction of usb-proxy and u2f-proxy on fedora-33. It’s just hard to believe I’m the first one to notice this. Anyways, I did github issue on this. Let’s see if the developers find out something.

And the issue is related to use of u2f-proxy with u2f device attached to some other appvm than the browser appvm.

I have to admit U2F never worked for me as expected and I reverted to plugging my key into whatever VM it is needed. If you can advise how can I debug the issue it would be much appreciated.

Do you mean “never” as in fedora-32 times or even before that?

This is just silly, with F32, I can attach/detach the yubikey arbitrarily, and the U2F always just works. With F33, this breaks. From github I see no changes in the U2F proxy code.

It is not about kernel, because that stays the same. So maybe it is about the USB redirection working differently in F32/F33.

This is the github issue I made: qubes-u2f-proxy fails on fedora-33 and debian-10 when Yubikey 5 NFC is attached to (non-browser) appvm · Issue #24 · QubesOS/qubes-app-u2f · GitHub

Did you check the U2F Proxy documentation?

There is not much to do but for example if you forgot to enable u2f for a specific appVM via dom0 it won’t work.

I’d check all those small steps explained in the docs and if this doesn’t help I’d come back with a little more information on your system (Q 4.0 or 4.1; which template you are using, which (Yubi?-)key you are using etc.).

Thanks for linking the issue. Your issue is very specific, so I think github might be the best place to get an answer.
I never heard of unix pass and the use of pgp keys in connection with passwords. Sounds interesting.

Yeah, so basically every password is pgp-encrypted file, and I use the Yubikey’s OpenPGP functionality (secret keys are on the device) with the Qubes split pgp. So instead of normal split pgp where the secret keys are on some vault appvm, I have the Yubikey attached to my vault appvm. And I need passwords quite often, so that’s why it is attached all the time.

Ok, will give it a new spin. Yes, I did everything according to docs but I could not figure out is it client VM issue or anything else but apparently no API requests went through.

Ah, okay, thanks for the explanation. I might try this out myself…someday. I think the Yubikey 4 is capable of this already.
In the past I tried a few things with encrypted emails and even split gpg (like explained in the docs) but after some tests with strangers no contacts of mine wanted to try out encrypted mails (even after Snowden).

Most stuff like this which I do only occasionally I forget after a while so this might be a nice way of using on a daily basis (and thus learning a little more)

I also tried with the new fedora-34 template, no luck. Went back to fedora-32 and everything works again.

What the heck is the magic with fedora-32?? I mean all of the following stay the same:

  • AppVM using U2F
  • kernel of the sys-usb
  • qubes-u2f proxy software

Only the sys-usb template changes.

If someone is reading this, how big of a problem you think is using fedora-32 for sys-usb? I mean, it uses the latest kernel all the time, it has no network. So maybe I just forget about this and run fedora-32 happily for years to come… :smiley:

I just had to set up u2f again in a relatively new install and almost forgot to install a package in fedora:
sudo dnf install pcsc-lite-ccid
Do you have this one installed in your template?

Sorry for the late reply, I re-iterated through the install process and apparently the last time I just forgot to shut down the template VM so changes did not propagate. All works fine now with fc34.