Yubikey Setup

Hello all,

Sorry if this is a totally noobish question, but I am having problems setting up my Yubikey with Qubes OS 4.1.

I followed this doc:

and set up sys-usb and installed the required packages in my fedora34-dvm template.
However, I don’t know how to run the Yubikey Personalization Tool
(the link for the HMAC-SHA1 Creation on the yubikey homepage given in the Qubes Doc linked earlier is old, and only links to the download page of the YK Personalization Tool).
And when I installed a macOS version on my MacBook, it doesn’t recognize my Yubikey.

So I used Yubikey Manager on my MacBook instead, and configured a challenge response on Slot 2.
Then it generates a key.

How do I convert it to Hex to do the following step of the documentation?:

Paste your AESKEY from step 2 into /etc/qubes/yk-keys/yk-secret-key.hex in dom0.

(If I use the ykpersonalization command line tool instead of Yubikey Manager I still get a key which is not in hex-format)

And I am also having problems with this step:

You can calculate your hashed password using the following two commands. First run the following command to store your password in a temporary variable password. (This way your password will not leak to the terminal command history file.)

 read -r password

Now run the following command to calculate your hashed password.

 echo -n "$password" | openssl dgst -sha1

Which password is this?
If I just type
read -r password nothing happens.

Sorry for this basic question, but I would really appreciate some help!

Thanks in advance!
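
An added example (not part of this thread or of the Qubes documentation) for the two quoted steps: it hashes a password to bare hex and checks that a file such as /etc/qubes/yk-keys/yk-secret-key.hex holds exactly 40 hex digits. The function names are hypothetical, and that the files should contain only the hex digits is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# SHA-1 of the argument as bare hex. "openssl dgst" prefixes its output with
# a label such as "(stdin)= " or "SHA1(stdin)= "; only the last field is kept.
sha1_hex() {
    printf '%s' "$1" | openssl dgst -sha1 | awk '{print $NF}'
}

# Strip spaces, colons and line endings and lowercase the digits, in case a
# tool displays the value as "a1 b2 c3 ..." or "A1:B2:C3..." (assumption).
normalize_hex() {
    printf '%s' "$1" | tr -d ' :\r\n\t' | tr 'A-F' 'a-f'
}

# Succeeds only for exactly 40 hex digits (20 bytes): the size of a SHA-1
# digest and of a YubiKey HMAC-SHA1 secret.
is_hex40() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Report whether a file holds one bare 40-digit hex value.
# Prints ok, needs-normalizing, not-hex40 or unreadable.
check_hex_file() {
    content=$(cat "$1" 2>/dev/null) || { echo "unreadable"; return 1; }
    if is_hex40 "$content"; then
        echo "ok"
    elif is_hex40 "$(normalize_hex "$content")"; then
        echo "needs-normalizing"
    else
        echo "not-hex40"; return 1
    fi
}

# Interactive use: "read -r password" prints no prompt of its own and waits
# for one typed line; the hash of that line is then printed.
hash_typed_password() {
    printf 'Password: ' >&2
    read -r password
    sha1_hex "$password"
    unset password
}
```

Source the file, then run `hash_typed_password` to get the digest, and `check_hex_file <path>` on each of the two .hex files.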

So I got the personalization tool working,
pasted the hex in yk-secret-key.hex
and hashed a password and copied it in the yk-login-pass-hashed.hex
then edited the required files as instructed in the documentation.

I still cannot login using my yubikey.
It blinks when I have entered my password, but then both the login manager and xscreensaver (whichever is appropriate) say bad password.

Any ideas?

Thanks in advance!

Working now, sorry for the inconvenience!

user error

One last thing though:

Using Qubes 4.1, sys-usb is a disposable VM by default.
I am trying to implement the Locking Screen when Yubikey is removed function from the documentation.

However, when I restart my laptop, the changes written to the files in /rw/config in my usb VM are gone.
Also when I pull out my Yubikey without restarting, I get an error on the top right:

Failed: custom.LockScreen
Failed to execute custom.LockScreen (from sys-usb to dom0)

Any ideas?
Thanks!

Hi @zamli, we don’t delete posts around here (even if no one else has answered them yet). It would be greatly appreciated if you could describe briefly what your mistake was, that way you are adding value for others that come later and might have made the same mistake.

Sure, no problem!
I couldn’t get yubikey-personalization-gui to work on a Fedora template, so I installed a disposable Debian template. Then the GUI worked, I was able to create the hex and figure out a new password.

What I still cannot figure out is how I can make the custom.LockScreen script work.
I have a feeling it has something to do with sys-usb being a disposable VM, since the contents I write in the /rw/config/ folder are gone after reboot.

Write into the /rw/config of the DispVM template sys-usb is based on.

Thanks! Working!