YubiKey not Detected in Device Manager (USB-keyboard enabled)

Hours of re-installation, reading and a lot of frustration, and it is just done with a one-line command?!

dom0 : sudo qubesctl state.sls qvm.usb-keyboard

Kicked off sys-usb and … 2 sec of shocking moments … and then all USB devices are detected and now attachable to AppVM!

One reboot to see if LUKS will let me in and sys-usb will auto-start on boot

Damn. So in the end, the problem was you didn’t have the USB Qube?

Yes!
I always thought when I can use my USB keyboard / mouse and I can connect to any USB storage, mic etc. that I have this USB qube already set up. This was also what I understood during the installation process which auto-detects my USB keyboard.

I underestimated the complexity of USB and mixed sys-usb and Qubes Device Manager.

To summarize a final conclusion:
When you have a Qubes OS with a USB keyboard / mouse setup and you want to use a Yubikey you simply have to run:

https://www.qubes-os.org/doc/usb-qubes/#automatic-setup

sudo qubesctl state.sls qvm.usb-keyboard

Afterwards launch the sys-usb and you are done.

You live and learn!
Congratulations and if you find the time you could try out Challenge-Response (C-R) with your keepassXC and report back. Expect the worst, so backup your database first.
After adding C-R to keepass the database greyed out and saving didn’t work anymore. I’d be interested if it works for you.

Glad it worked out! You see, you won’t have to be moving back to normal linux after all! 🙂
And you also came across the almighty qubesctl tool (saltstack wrapper)

Just to wrap up this whole issue-fixing process, maybe you can report back that you found the problem on the github issue? Maybe the solution can be added as a note in the related documentation, perhaps?

Well, this solution is taken from the documentation and is regarding sys-usb or USB-Qubes and not Yubikey, don’t you think?

I didn’t want to quote you but now I think it appropriate:

It is known that users don’t like reading manuals. Most would like to jump straight into qubes without reading any documentation.

I think this has happened here, at least in part. When I started playing around with the early versions of Qubes I didn’t know much about what I was doing but with everything I tried I learned a little.

Then I must have misunderstood. In this particular case I thought the Yubikey documentation didn’t mention how to do things for the particular case of having a usb-keyboard setup.

Haha 😛 Fair enough! But it’s still great to have accurate documentation so that we can simply point the users to, in case they haven’t checked before.

Regardless, I still stand behind that comment. In an ideal situation the software tries to understand what the user is attempting to do and helps them (discourse does that to a fantastic extent).

Okay, maybe you are right and some cross reference to USB Qube could be helpful but sometimes there are misunderstandings that a documentation cannot solve.

I do think that the documentation is excellent already but of course anything to improve or make it easier for users is welcome.
Maybe a “See also” section at the bottom with links to related subjects might be an idea (like seen in other wikis) but I am not sure. Some might think of this as overkill or complicating things.

Yup. That’s exactly one of the problems with documentation: the more edge-cases you add the less discoverable each one is.

Always a hit and miss with Yubikeys in Qubes. Check if they are genuine first; see website or do a search.
Unrelated to this forum: Yubikeys do not work with VB Whonix Workstation but they do work with Whonixgateway.
I do use Yubikeys with HVMs by giving a USB port to the HVM. I do use Parrot, which solves the next question: mp4 play.
You won’t be sorry:
qvm-create Parrot --class TemplateVM --label green
Do the standard advanced install to take advantage of the btrfs file system. Yubikeys work like a charm!

@whoami and everyone interested using Yubikey with keepassXC

There is a bug report:

Downgrading to version 2.5.3 of keepassXC might be a temporary solution until the problem is solved. I haven’t tried that yet but I will report back soon.

Thanks for sharing this info!
To solve my Debian KeePassXC issue I moved to Fedora template, but here the challenge response didn’t work. Switched back to Debian again and followed the Github AppImage suggestion; this works fine now.

Next issue:
Before opening a new issue do you / or someone here have Yubico Authenticator?
Is it working?
I observed a known issue that I also had before on Ubuntu OS: The Yubikey is detected and disappears after one second, detected … disappearing … inf.

I tried:

$ sudo apt install pcscd
$ sudo systemctl restart pcscd

In the Qubes debian template.
source: https://github.com/Yubico/yubioath-desktop/issues/600
Does not work, still the same issue.

Thanks! I will try with Debian.

I did not try Yubico Authenticator yet. I am using U2F when possible. Unfortunately there are still very few sites that are making use of U2F. The whole thing hasn’t taken off like I had hoped years ago.

Maybe I will try Authenticator some time in the future.

Just to close the talk here.

The commands above work for me.
Yubico Authenticator works smoothly in Qubes OS (vault AppVM)

You should definitely give it a try; it is super simple and secrets are stored on the Yubikey. So you can also add this as an app on your smartphone and have all 2FA always available (with your Yubikey).

If you start using it, one recommendation: Always snapshot the QR and backup codes into your KeePassXC. With this you are safe in case you lose your Yubikey; additionally, you can also copy the secrets to a 2nd Yubikey. I guess you are also somehow forced to do this, since it will scan the desktop screen when adding a new 2FA code, and I guess it is only working in the same active AppVM (tbc).

Sorry for the late response and thanks for trying this out and for the encouragement.
In the past I’ve been using the following solution with some accounts because I hated giving my phone number away. It worked perfectly.

I don’t know if this still works because I stopped using this years ago.
To be honest, I don’t use my smartphone very often aside from phoning.

You do NOT need to trust your phone for Yubico Authenticator. It stores all secrets on your Yubikey! You just use the app to finally display the code and this can be done in Linux, Android, Windows, macOS, iOS or in any vault AppVM 😜. As usual with Yubikey you can safely use it on trustless systems.

I.e. one use case where you may want to use it is SSH key + OTP to increase login security.

Just as a side note, Nitrokey (as one Yubikey alternative) and KeePassXC itself could also be used for OTPs.

Then it looks to be working like the Multifactor Authentication. (I haven’t taken a closer look yet).

The keepass-yubikey-login problem with Fedora might have something to do with U2F proxy being enabled. (?)
On another test setup that I freshly installed I tried again with Fedora thinking there might have been an update because the issue on github is closed. Adding and saving did work (I removed auto-saving and all other options just in case).

The thing is I couldn’t get U2F proxy to work anymore. I did the same as I did on another install, but the Yubikey only worked when directly attached to a VM. With U2F proxy this shouldn’t be the case. In each VM that had the U2F proxy service enabled the Yubikey should blink when requesting to authenticate.

And back on my setup that I am using for now I cannot save the keepass database after adding the yubikey. It is greyed out but not frozen, but it cannot be closed without saving, so I have to close the VM.

Of course, it could be something completely different because the two setups aren’t identical.

Do you use U2F proxy?

Just want to chime in that creating a sys-usb worked for me.

sudo qubesctl state.sls qvm.usb-keyboard

Thanks @Aminaiton! This verifies the solution from post #21

@Aminaiton
Just to be sure, you do have a usb-keyboard, do you? Otherwise the command for creating a sys-usb would be:
sudo qubesctl state.sls qvm.sys-usb
