sorry if this is a totally noobish question, but I am having problems setting up my Yubikey with Qubes OS 4.1
I followed this doc:
and set up sys-usb and installed the required packages in my fedora34-dvm template.
However I don’t know how to run the Yubikey Personalization Tool
(the link for the HMAC-SHA1 Creation on the yubikey homepage given in the Qubes Doc linked earlier is old, and only links to the download page of the YK Personalization Tool)
And when I installed a mac os version on my macbook it doesn’t recognize my Yubikey.
So I used Yubikey Manager on my macbook instead, and configurated a challenge response on Slot 2.
Then it generates a key.
How do I convert it to Hex to do the following step of the documentation?:
Paste your AESKEY from step 2 into /etc/qubes/yk-keys/yk-secret-key.hex in dom0.
(If I use the ykpersonalization command line tool instead of Yubikey Manager I still get a key which is not in hex-format)
And I am also having problems with this step:
You can calculate your hashed password using the following two commands. First run the following command to store your password in a temporary variable password. (This way your password will not leak to the terminal command history file.)
read -r password
Now run the following command to calculate your hashed password.
echo -n "$password" | openssl dgst -sha1
Which password is this?
If I just type read -r password nothing happens.
Sorry for this basic question, but I would really appreciate some help!
So I got the personalization tool working,
pasted the hex in yk-secret-key.hex
and hashed a password and copied it in the yk-login-pass-hashed.hex
then edited the required files as instructed in the documentation.
I still cannot login using my yubikey.
It blinks when I have entered my password, but then both the login manager and xscreensaver (which ever is appropriate) say bad password.
Using Qubes 4.1 sys-usb is a disposable VM by default.
I am trying to implement the Locking Screen when Yubikey is removed function from the documentation.
However when I restart my laptop the changes written to the files in /rw/config in my usb VM are gone.
Also when I pull out my Yubikey without restarting, I get an error on the top right:
Failed: custom.LockScreen
Failed to execute custom.LockScreen (from sys-usb to dom0)
Hi @zamli, we don’t delete posts around here (even if no one else has answered them yet). It would be greatly appreciated if you could describe briefly what your mistake was, that way you are adding value for others that come later and might have made the same mistake.
Sure, no problem!
I couldn’t get yubikey-personalization-gui to work on a fedora template, so I installed a disposable debian template. Then the gui worked, I was able to create the hex and figure out a new password.
What I still cannot figure out is how I can make the custom.LockScreen script work.
I have a feeling it has something to do with sysusb being a disposable VM, since the contents I write in the /rw/config/ folder are gone after reboot.
Seem to hit an similar snag to OP, and I’m not understanding the solution here. I guess my brain cell needs it spelling out.
So, I get to step 4:
Paste your AESKEY into /etc/qubes/yk-keys/yk-secret-key.hex in dom0.
Yeah, right! Paste anything into dom0, and the Qubes gods will hex (!) me forever. So, question 1: Is that for sure? I’m not permitted to write to dom0 file (for obvious reasons)
I open the AESKEY I’ve backed up. Question 2: Is this for pasting in it’s entirety? Doesn’t seem right, so I gotta check.
Then we get to step 5. Oh my, more paste into dom0. Question 3: How is that happening by the way? I’ve never been required to paste into dom0 before.
Could someone help me out and clarify steps 4 and 5?
@sven gave the solution, but it’s place in this thread is also unclear to me.
I guess I’m at the too-much-caffine point and my brain is beginning to fry lol.
I think you misunderstood Qubes concept. You can paste anything into dom0, you don’t install and you run there as less as possible. Run, type, do whatever you can (or want) out of dom0 then transfer it to dom0.
When the devs says to install and to paste in dom0, then you have no other choice if you want the feature.
For that, there’s a beautiful xfce4-terminal option “Show unsafe paste dialog”, but can’t focus when that is related at all to the subject while I meant on pasting files created somewhere else. It looks I need some coffee