Hi @whoami. Thanks for the feedback. However, it looks like you may want to report this as a formal issue. Quoting from the from the support documentation on the website:
Report issues and submit changes in the right places
The mailing lists are a good place to ask questions and discuss bugs and feature requests. However, if you’re submitting a more formal report, we’d prefer that you submit it to our issue tracker so that it doesn’t get overlooked. Likewise, if you see that something in the documentation should be changed, don’t simply point it out in a discussion venue. Instead, submit the change.
I really hope to get it fixed if not I have to move back to “normal” Linux distro just because of the missing YubiKey support / issue.
… this USB Keyboard lock outs are very frustrating
Hi,
you don’t have a sys-usb, do you?
I do have a sys-usb and I am using a Yubikey for login and for U2F. This is working as it should. Disregarding any security implications by assigning a Yubikey to a certain VM I just tried and this is also working like it should. So I guess Challenge-Response should work as well with KeePassXC. At least with assigning the key.
I think I read something about that it isn’t recommended to assign a Yubikey to a VM but I will have to search for that again.
I wanted to make the most of my Yubikeys with Qubes as well. I’ve been using them on other distributions in the past with OTP and Keepass successfully.
If I find the time I will read a little more on how it should be done, try it and report back.
Hi Raphael,
thanks a lot for your message. I am looking for a (Qubes+Yubikey) user since a long time.
… google groups wasn’t a big help …
Yes, I have a sys-usb since I need to connect with a USB keyboard. So, Qubes’ installer do the USB-qubes automatically during the installation routine. Maybe this is the issue since Yubikey will be seen as keyboard and this could lead to a bug since two keyboards are detected. But on the other hand it is listed in dom0 and all works fine (just the Yubikey is not attachable to AppVM).
No problem!
The difference between your setup and mine is the USB keyboard and I think that must be why there’s trouble for you. Did you try attaching the Yubikey manually?
I haven’t been able to select ‘sys-usb’ during setup. I guess that’s because I have only 1 controller but I don’t know for sure. My keyboard isn’t USB so I don’t have to worry logging myself out even when none of the USB slots are working because I can still type my password.
I tried Challenge-Response and it looks like it is working because the Yubikey is detected. Unfortunately I seem to run into an old bug that has been associated with Windows, Dropbox and Google services in the past but looks like to be a thing on Linux as well. After adding the Yubikey I get the following error message:
writing the database failed: Database save is already in progress
Eventually I had to shut down the vaultVM because closing doesn’t work without saving. Unfortunately this corrupts the whole database. I tried a few things (even with the challenge-response secret) but that didn’t work either.
I have 2 Qubes setups on 2 SSDs in my laptop and I did that on my testing setup so even when something goes completely wrong it wouldn’t matter much. I did forget that I registered here on my testing setup before my last keepass backup so I guess the best thing is to always backup again before changing anything. But resetting password works fine on this forum…haha.
To cut a long story short, I think there is a bug with keepassXC because this error is mentioned for a few years now without a clear solution.
I think I will try and see if I do encounter this error on a standalone Linux distribution as well.
Hi ymy,
I just check the version: It is 2.3.4 ! Neither a template upgrade nor a dedicated program upgrade is doing an update to 2.6.1 that’s weird but as Raphael just posted this should not be the issue here since it is not seen by the AppVM at all.
Raphael, what do you exactly mean by manually ?
When I do a lsusb in dom0 it shows all devices (keyboard … Yubikey)
But like suggested in the docs when command qvm-usb it shows nothing. So, I cannot command any qvm-usb attach vault sys-usb:X:Y
My vaultVM is based on Fedora 32 and the latest version seems to be 2.6.1.
I meant the way it is described in the docs and like you tried.
Do you have more than 1 controller and if so which one is assigned to sys-usb?
Of course, it would matter where you plug your Yubikey in but I guess you know that already.
When I type in qvm-usb the Yubikey shows up.
Could you go to your sys-usb and take a look at: Qube Settings -> Devices
and take a look at the right column where the selected devices are listed.
It should look like:
00:12.0 USB Controller: …
I dont have a sys-usb in my VM list (clicking on the top left Q-icon). If I get the docs correct an usb-qube should have been auto installed / configured during installation since I use a USB keyboard only.
I just have the icon on the top right corner which allows me to attach usb storage and mic etc. to AppVMs and this works fine…
It would be best to read the documentation carefully, especially the part with the USB keyboard.
You should also read the docs on the use of Yubikey. Keepass isn’t included (yet).
An example:
If you decide to make use of sys-usb and only have 1 usb controller, all your usb-ports are assigned to sys-usb. This means that no matter what you plug into any of your usb-ports will be attached to sys-usb and not to dom0.
Your usb-keyboard will not work unless you take the necessary steps described in the docs.
Should there be more than 1 controller you could only assign 1 of them to your sys-usb.
There’s also this little remark:
“If you use USB keyboard, automatic USB qube creation during installation is disabled.”
Ok, I will do this again but could you than please explain why I can attach all USB devices, mics etc. to AppVM but not my Yubikey? Just because it is a keyboard and not mic or usb storage?
In the “USB-Devices” documentation that I linked to earlier you can find this remark:
Attaching USB devices to VMs requires a USB qube.
In the first sentence there is also a link to the block device page:
There you can find the answer:
Qubes OS supports the ability to attach a USB drive (or just its partitions) to any qube easily, no matter which qube handles the USB controller.
Attaching USB drives is integrated into the Devices Widget
So again the reminder to be careful because of your USB keyboard and to check the number of controllers. As you may have noticed I am not an expert myself but try to follow the documentation closely.
Backing up important stuff before trying these kind of things out would be best and if you have the time to install Qubes on another hard drive where you could test difficult configurations might be a way to go as well (?).
Thanks for your support. I tried this 1+ year ago already and it looked me out 3…4 time this is why I stopped using Qubes. I will give it one more (last) try if it kicks me out I will go back to Debian based OS.
So, crossing fingers!
if not I have to move back to “normal” Linux distro just because of the missing YubiKey support / issue.
