QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

CTAP proxy: libfido2 cannot detect Qubes CTAP proxy #9001

Open zpc0 opened 4 months ago

zpc0 commented 4 months ago

Qubes OS release

R4.2 with latest testing update

Brief summary

Software using libfido2 cannot detect CTAP proxy device.

Steps to reproduce

  1. Install Qubes CTAP proxy and fido2-tools
  2. Activate CTAP proxy service
  3. fido2-token -L

Expected behavior

fido2-token detects CTAP proxy.

Actual behavior

Nothing detected.

zpc0 commented 4 months ago

When I changed this line to the following, fido2-token detects the device.

    bus = BUS.USB

But I don't understand why...

DemiMarie commented 4 months ago

@zpc0 is that enough to make OpenSSH work?

DemiMarie commented 4 months ago

Also this might be because Bluetooth is not considered sufficiently secure.

zpc0 commented 4 months ago

> @zpc0 is that enough to make OpenSSH work?

Sadly, no. After the bus = BUS.USB change,

[user@disp1293 ~]$ fido2-token -L
/dev/hidraw0: vendor=0xf055, product=0xf1d0 ( )
[user@disp1293 ~]$ fido2-token -I /dev/hidraw0
proto: 0x02
major: 0x02
minor: 0x00
build: 0x05
caps: 0x00 (nowink, nocbor, msg)
[user@disp1293 ~]$ ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format
[user@disp1293 ~]$ ssh-keygen -t ecdsa-sk -O resident
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: requested feature not supported
[user@disp1293 ~]$
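
Added example, not part of the original thread or of the Qubes CTAP proxy code: the fields `fido2-token -I` prints above come from the 17-byte CTAPHID_INIT response, and this decodes them, including the capability bits behind `nowink, nocbor, msg`. The capability bit values are those defined in the FIDO CTAP specification; the nonce and channel ID in the sample are constructed.

```python
import struct
from dataclasses import dataclass

# Capability bits of the CTAPHID_INIT response (FIDO CTAP specification).
CAP_WINK = 0x01  # device implements CTAPHID_WINK
CAP_CBOR = 0x04  # device implements CTAPHID_CBOR (CTAP2 messages)
CAP_NMSG = 0x08  # device does NOT implement CTAPHID_MSG (CTAP1/U2F)

# nonce, channel id, protocol version, major, minor, build, capabilities
INIT_FMT = ">8sIBBBBB"
INIT_LEN = struct.calcsize(INIT_FMT)  # 17 bytes

@dataclass
class InitInfo:
    nonce: bytes
    cid: int
    proto: int
    major: int
    minor: int
    build: int
    caps: int

    def flags(self):
        """Capability names in the same order fido2-token prints them."""
        return [
            "wink" if self.caps & CAP_WINK else "nowink",
            "cbor" if self.caps & CAP_CBOR else "nocbor",
            "nomsg" if self.caps & CAP_NMSG else "msg",
        ]

    def advertises_ctap2(self):
        return bool(self.caps & CAP_CBOR)

def parse_init(payload: bytes, sent_nonce: bytes) -> InitInfo:
    if len(payload) < INIT_LEN:
        raise ValueError(f"INIT payload too short: {len(payload)} < {INIT_LEN}")
    info = InitInfo(*struct.unpack(INIT_FMT, payload[:INIT_LEN]))
    if info.nonce != sent_nonce:
        raise ValueError("nonce mismatch: response answers a different request")
    return info

# Constructed sample: nonce and channel id are made up; the last five bytes
# are the proto/major/minor/build/caps values from the output in the thread.
NONCE = bytes(range(8))
SAMPLE = NONCE + bytes.fromhex("00000001") + bytes([0x02, 0x02, 0x00, 0x05, 0x00])

if __name__ == "__main__":
    info = parse_init(SAMPLE, NONCE)
    print(f"caps: 0x{info.caps:02x} ({', '.join(info.flags())})")
    print("advertises CTAP2 (CBOR):", info.advertises_ctap2())
```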