Then I must have misunderstood. In this particular case I though the Yubikey documentation didn’t mention how do to things for the particular case of having a usb-keyboard setup.
Haha Fair enough! But it’s still great to have accurate documentation so that we can simply point the users to, in case they haven’t checked before.
Regardless, I still stand behind that comment. In an ideal situation the software tries to understand what the user is attempting to do and helps them (discourse does that to a fantastic extent).
Okay, maybe you are right and some cross reference to USB Qube could be helpful but sometimes there are misunderstandings that a documentation cannot solve.
I do think that the documentation is excellent already but of course anything to improve or make it easier for users is welcome.
Maybe a “See also” section at the bottom with links to related subjects might be an idea (like seen in other wikis) but I am not sure. Some might think of this as overkill or complicating things.
Always a hit and miss with Yubikeys in Qubes. Check if they are genuine first see website or do a search.
Unrelated to this forum: Yubikeys do not work with VB Whonix Workstation but they do work with Whonixgateway.
I do use Yubikeys with HVMs by giving a USB port to the HVM. I do use Parrot which solves the next question mp4 play.
You won’t be sorry: qvm-create Parrot --class TemplateVM --label green do the standard advanced install to take advantage of btrf file system. Yubikeys work like a charm!
@whoami and everyone interested using Yubikey with keepassXC
There is a bug report:
Downgrading to version 2.5.3 of keepassXC might be a temporary solution until the problem is solved. I haven’t tried that yet but I will report back soon.
Thanks for sharing this info!
To solve my Debian KeePassXC issue I moved to Fedora template but here the challenge response didn’t work. Switched back to Debain again and followed the Github AppImage suggestion this works fine now.
Next issue:
Before opening a new issue do you / or someone here have Yubico Authenticator?
Is it working?
I observed a known issue that I also had before on Ubuntu OS: The Yubikey is detected and disappears after one second, detected … disappearing … inf.
I did not try Yubico Authenticator yet. I am using U2F when possible. Unfortunately there are still very few sites that are making use of U2F. The whole thing hasn’t taken off like I had hoped years ago.
Maybe I will try Authenticator some time in the future.
The commands above works for me.
Yubico Authenticator works smoothly in Qubes OS (vault AppVM)
You should definitively give it a try it is super simple and secrets are stored on the Yubikey. So you can also add this as an app on your smartphone and have all 2FA always available (with your Yubikey).
If you start using it, one recommendation: Always snapshot the QR and backup codes into your KeePassXC. With this you are save in case you are losing your Yubikey additionally, you can also copy the secrets to a 2nd Yubikey. I guess, you are also somehow forced to do this since it will scan the desktop screen when adding a new 2FA code and I guess it is only working in the some active AppVM tbc.
Sorry for the late response and thanks for trying this out and for the encouragement.
In the past I’ve been using the following solution with some accounts because I hated giving my phone number away. It worked perfectly.
I don’t know if this still works because I stopped using this years ago.
To be honest, I don’t use my smartphone very often aside from phoning.
You do NOT need to trust your phone for Yubico Authenticator. It stores all secrets on your Yubikey! You just use the app to finally display the code and this can be done in Linux, Android, Windows, macOS, iOS or in any vault AppVM . As usual with Yubikey you can safely use it on trustless systems.
i.e. one use case you may want to use it is SSH key + OTP to increase login security.
Then it looks like to be working like the Multifactor Authentication. (I haven’t taken a closer look yet).
The keepass-yubikey-login problem with Fedora might have something to do with U2F proxy being enabled. (?)
On another test setup that I freshly installed I tried again with Fedora thinking there might have been an update because the issue on github is closed. Adding and saving did work (I removed auto-saving and all other options just in case).
The thing is I couldn’t get U2F proxy to work anymore. I did the same like I did on another install but the Yubikey did only work when directly attached to a VM. With U2F proxy this shouldn’t be the case. In each VM that had the U2F proxy service enabled the Yubikey should blink when requesting to authenticate.
And back on my setup that I am using for now I cannot save the keepass database after adding the yubikey. It is greyed out but not frozen but cannot be closed without saving so I have to close the VM.
Of course, it could be something completely different because the two setups aren’t identical.
@Aminaiton
Just to be sure, you do have a usb-keyboard, do you? Otherwise the command for creating a sys-usb would be: sudo qubesctl state.sls qvm.sys-usb
To answer my own question: at least in Qubes 4.0 both U2F proxy and keepass-yubikey-login in Fedora 32 are working.
The problem I had with U2F proxy was due to a simple mistake. I forgot to change my template my sys-usb was based on to my template-clone that I use for each template (and where I install software).
I imported the keypassXC database with yubikey login from my working setup to my keypassXC in Qubes 4.0 and it worked (with attaching the yubikey).
Edit I haven’t tested all that on my 4.1 test setup.
Both U2Fproxy and keepass-yubikey-login are working fine with Qubes 4.1 as well.
I am just wondering if anyone can synthesize why USB security keys are so hard to integrate into existing frameworks. Of course, with Qubes you need a usb qube controlling I/O just like a network qube. Another way in that needs to be controlled.
Can anyone here shed light on the following topics:
Fair enough! But it’s still great to have accurate documentation so that we can simply point the users to, in case they haven’t checked before.
. As usual with Yubikey you can safely use it on trustless systems.
