YubiKey as 2FA for Qubes Login

Hello all!

I have been a Qubes user for the past eight years, and decided to beef up my security with MFA using a YubiKey 5 series to log into my Qubes system. Initially, I was set up to use Debian as my default template, and all of my service AppVMs were disposable.

What I am seeking is for the login prompt to require the use of my YubiKey to log in. I also do not want to have a separate password just for the YubiKey and I would prefer to enforce use of my YubiKey for login.

I started out using the guide from the qubes web site and attempted to set up MFA with no success. I was initially unable to install the yubikey-personalization-gui tool because the debian-12 repo no longer offers it. Also, I had to figure out a way to paste my AESKEY into the yk-secret-key hex file in dom0, as pasting isn’t allowed in the dom0 terminal. Ultimately, I found a workaround to read the global clipboard file in dom0 and grabbed the value from there. I was a little unclear on which services I should add the “auth include yubikey” line to the top of.

After failing to get MFA working the first time, I decided perhaps it was a problem with the disposable service AppVMs, so I decided to start with a fresh install of the latest version of Qubes (4.2.4) to experiment with, using Fedora as my default template instead of Debian, and chose not to make any of my service AppVMs disposable.

Unfortunately, I was unable to get MFA set up properly (after making several more attempts) and I even managed to crash the GUI on bootup once or twice - (lightdm service failed to start). In those cases I had no login prompt and had to reinstall again. I can only assume it was because I added the “auth include yubikey” line to the wrong service files.

In each failed setup (where I didn’t crash the GUI), I encountered the lockout issue after I set up the yubikey file in the pam-d directory to remove the default=ignore line.

I decided to look for another guide, and found one here: https://medium.com/@corbeaucrypto/a-small-adventure-with-yubikey-and-qubesos-63e5820ddf96

According to this guide I was able to determine which files I need to add the line to in the service files within the pam.d directory, (lightdm and xscreensaver) and that I should not have installed ykpers into the fedora template. I reinstalled Qubes again, then installed the ykpers tool directly into sys-usb as directed. This time, I was able to get the YubiKey login working during the existing session, but as soon as I rebooted the system, my YubiKey was no longer recognized. When I plugged in my YubiKey to a USB slot and entered my login password, my YubiKey no longer blinked, and my login failed.

I did notice that the medium guide does not mention anything about adding the password to the login-pass file like the qubes-os guide does, so I thought maybe that was what I did wrong. So again I reinstalled Qubes and started over, intending to add the password to this file as suggested by the qubes-os.org guide. Unfortunately, that did not fix the problem, and once again after rebooting, my YubiKey failed to function properly (it would not blink) and I found myself locked out of my Qubes system.

Before I make another attempt, I wanted to ask for assistance as to what I am doing wrong.

I wrote a guide for myself and I would love it if someone could help steer me in the right direction. That guide is below:

SETTING UP LOGIN WITH YUBIKEY

 1. In the sys-usb appVM open a command shell and type in the following command to install the YubiKey software necessary for multi-factor authentication
    (a) “sudo dnf install ykpers”
 2. Open a dom0 terminal and install the necessary software with the following command:
    (a) “sudo qubes-dom0-update qubes-yubikey-dom0”
 3. Use a disposable AppVM to open a command shell and install the YubiKey personalization tool with the following command:
    (a) “sudo dnf install yubikey-personalization-gui”
    (b) Set the NetworkVM for the disposable to none (to take the disposable offline)
 4. After installing, type the following command to launch the app:
    (a) “yubikey-personalization-gui”
 5. In the popup that appears:
    (a) Select Challenge-Response
    (b) Select HMAC-SHA1
    (c) Choose configuration slot #2
    (d) Enable Require User Input (button press)
    (e) Use fixed 64-bit input for HMAC-SHA1 mode
    (f) Click the “Generate” button to generate the code
    (g) Insert the YubiKey (if not done already) and make sure it is attached to the disposable VM
    (h) Press “Write Configuration” and select a location to save the file containing your AESKEY
    (i) Open a terminal in the disposable AppVM and access the AESKEY file generated in step 5h
    (j) Copy the hex code secret (CTRL-C) and put it in the global template (CTRL+SHIFT+C) so that we can get it in the global clipboard in dom0
 6. Paste the AESKEY secret (only the hex code part) into the appropriate file in dom0
    (a) Open a command shell in dom0
    (b) Look at the contents of the qubes-clipboard.bin file
    (c) Copy the AESKEY secret hex code and press the “q” key to quit
    (d) Back in the dom0 terminal, edit the yk-secret-key hex file (using nano)
    (e) Paste the AESKEY secret hex code into a new line
    (f) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit

Continued guide below (apologies, as the original post was broken):

 7. Set password associated with the Yubikey (section 5 of the Qubes-OS.org guide)
    (a) NOTE: This is not in the guide on the medium.com website
    (b) Open a command shell in dom0
    (c) Type “sudo nano /etc/qubes/yk-keys/login-pass”
    (d) Enter your password in plain text into this file
    (e) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit
 8. Enable YubiKey auth on the appropriate services
    (a) sudo nano /etc/pam.d/xscreensaver
    (b) Add the line “auth	include		yubikey” at the top of the file
    (c) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit
    (d) sudo nano /etc/pam.d/lightdm
    (e) Add the line “auth	include		yubikey” at the top of the file
    (f) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit
 9. Ensure the correct USB AppVM is being referenced 
    (a) This should be sys-usb unless you changed it to something else
    (b) In a dom0 terminal, type “sudo nano /etc/qubes/yk-keys/vm” and press enter
    (c) Ensure the VM referenced in that file is the one you are using for USB (aka sys-usb)
    (d) If it is not, change it and save the file (CTRL-O, ENTER) then exit (CTRL-X)

TESTING
1. Log Out
2. Plug your Yubikey into a USB slot
3. Enter the password you associated with your Yubikey (in the login-pass file) and press ENTER
4. The Yubikey should be flashing – press the button
5. You should be logged in

ENFORCING YUBIKEY LOGIN
1. Open a dom0 terminal
2. Edit the yubikey file in the pam.d directory
4. Remove the default=ignore from the file
5. Press CTRL+O then ENTER to write out the changes, and CTRL+X to exit
6. Log out of Qubes and try logging back in. You should not be able to do so without the YubiKey.
7. Reboot Qubes.
8. Verify you are able to log in with the YubiKey (I have as yet been unable to get this to function)

I apologize for not including paths and having to adjust the name of files, As the forum software would not allow me to post this thread as originally written, and displayed an error message that “new users may only add 2 URLs”.

Hello All!

I tried one more time, but did two things different.

1. I installed ykpers into the template and the sys-usb appvm
2. I decided to skip removal of the default=ignore option in the /etc/pam.d/yubikey file

This time, when I rebooted, inserted the YubiKey and entered my password, it did flash, and I was able to press the button and log in.

After that I deleted the default=ignore option in the /etc/pam.d/yubikey file and rebooted again.

Huzzah! It works, and I can’t log in without the YubiKey - exactly what I was looking for.

Next step - setting up YubiKey to decrypt the drive for bootup. Wish me luck!

As an aside, this guide can be modified a little bit to use slot 1 on your YubiKey (if you never plan to use it for anything other than this, and want to use slot 2 for other things). There’s a file within the /etc/qubes/yk-keys/yk-slot file in dom0 - the default value is 2. If you change that to 1, it will target slot 1 on your YubiKey.

When you program slot 1 on your key using the GUI tool, it will display a warning that is safe to ignore if you want to do things this way.