Open norespen opened 7 months ago
I'm able to reproduce this issue on R4.2.3, I actually can't use my Yubikey BIO at all.
I followed the same path as OP, and got the same result.
in dom0: sudo qubes-dom0-update qubes-ctap-dom0
in qubes: enabling the service qubes-ctap-proxy@sys-usb (I verified it started correctly); this service is also started in sys-usb (the documentation is not clear about this)
The Qubes Global Config GUI does not work well in the "USB devices" tab when modifying U2F rules: when you apply and change tab, it tells you the changes were not saved; if you save, it does something else. Basically you can't trust what it's doing, as most of the time it seems not to modify the file /etc/qubes/policy.d/50-config-u2f.policy 🤷‍♀️
From various inputs on GH and discourse, I have no files u2f.Authenticate, u2f.Register, ctap.GetPin or ctap.ClientInfo (names from memory, I just spent 2 hours with this and I may mix names..) in /etc/qubes-rpc/policy/; I don't know whether that's normal or not.
The best I got was to have a qube triggering the yubikey LED and a lot of spam from sys-usb asking sys-usb in an infinite loop until I stopped trying to read the yubikey from the web browser in an allowed qube, exactly as OP.
I'm quite stuck as I really need this to work for my job :/
Where is the qubes-ctap-proxy (or qubes-u2f-proxy) qvm-service enabled? It should not be enabled in sys-usb itself.
It works after disabling and stopping the service qubes-ctap-proxy in my usb qube 👍 The documentation wasn't really clear about this one.
> It works after disabling and stopping the service qubes-ctap-proxy in my usb qube 👍

@norespen, does this also work for you?
Although I've been able to register a passkey on the Vaultwarden web UI, Microsoft Teams and Keycloak aren't able to find the Yubikey; I guess it's a ctap proxy issue.
When using the yubikey, there are dom0 notifications about access to ctap.ClientPin and ctap.GetInfo being refused. I added rules for them but it did not produce any functional change, except that the notifications are gone.
If that helps, I got this in the qube's log when trying to use the FIDO key in Chromium, which was waiting indefinitely for the key.
sept. 30 10:04:59 QUBENAME qubes.StartApp+chromium-browser-dom0[15789]: [15793:15793:0930/100459.447285:ERROR:device_event_log_impl.cc(201)] [10:04:59.447] FIDO: auth_token_requester.cc:165 Ignoring status 20 from usb-f055:f1d0
sept. 30 10:04:59 QUBENAME qubes.StartApp+chromium-browser-dom0[15789]: [15793:15793:0930/100459.447329:ERROR:device_event_log_impl.cc(201)] [10:04:59.447] FIDO: make_credential_request_handler.cc:616 Ignoring MakeCredentialStatus=2 from hid:2cc5c195-4a18-47df-a5b4-dbe00206224f
@piotrbartman any ideas?
I see here 3 different issues:
ctap.GetInfo and ctap.ClientPin are absent from the created policy file; they shouldn't be (QubesOS/qubes-issues/issues/8604).
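A checker for the policy-file side of this, as an added example (a shell script written for this page, not code from the Qubes project or from any of the commenters). It assumes the qrexec policy line layout `<service> <argument> <source> <target> <action> [params]` and that the client qube reaches the usb qube over the four services named in the thread; the qube names personal-web and sys-usb and the three sample policy files are constructed for the demonstration so the script runs anywhere. In dom0 you would point `missing_policy_rules` at /etc/qubes/policy.d/50-config-u2f.policy instead, with your real client and usb qube names.

```shell
#!/bin/sh
# Added example (not Qubes project code): report which of the qrexec
# services the CTAP/U2F proxy needs have no usable 'allow' rule for a
# given client qube -> usb qube pair in a policy file.
#
# Assumed policy line layout (qrexec policy as used in Qubes 4.1/4.2):
#   <service> <argument> <source> <target> <action> [params]
# Lines starting with '#' are comments; '!include' lines are skipped.

# The four RPC names discussed in the thread. ctap.GetInfo and
# ctap.ClientPin are the two reported missing from the generated file.
REQUIRED_SERVICES="u2f.Register u2f.Authenticate ctap.GetInfo ctap.ClientPin"

# missing_policy_rules <policy file> <client qube> <usb qube>
# Prints the required services whose first matching rule is not 'allow'
# (or that have no matching rule at all), space separated, and returns 1;
# returns 0 and prints nothing when every service is covered.
missing_policy_rules() {
    policy_file=$1
    src=$2
    dst=$3
    missing=""
    for svc in $REQUIRED_SERVICES; do
        awk -v svc="$svc" -v src="$src" -v dst="$dst" '
            /^[[:space:]]*#/ || NF < 5 { next }   # comment, blank, !include, malformed
            $1 != svc || $2 != "*" { next }       # other service / specific argument
            $3 != src && $3 != "@anyvm" { next }  # source qube does not match
            $4 != dst && $4 != "@anyvm" && $4 != "@default" { next }  # target mismatch
            !seen { seen = 1; action = $5 }       # qrexec applies the first matching rule
            END { exit (action == "allow") ? 0 : 1 }
        ' "$policy_file" || missing="$missing $svc"
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# write_sample_policies <dir>: constructed sample files for the demo.
# broken.policy mirrors the thread's report (only the two u2f rules);
# fixed.policy adds the two ctap rules; deny-first.policy has all four
# allows but a catch-all deny placed before the ctap.ClientPin allow,
# which first-match evaluation turns into a refusal.
write_sample_policies() {
    cat > "$1/broken.policy" <<'EOF'
# generated by Global Config (constructed sample)
u2f.Register * personal-web sys-usb allow
u2f.Authenticate * personal-web sys-usb allow
EOF
    cat > "$1/fixed.policy" <<'EOF'
# hand-written (constructed sample)
u2f.Register * personal-web sys-usb allow
u2f.Authenticate * personal-web sys-usb allow
ctap.GetInfo * personal-web sys-usb allow
ctap.ClientPin * personal-web sys-usb allow
ctap.ClientPin * @anyvm @anyvm deny
EOF
    cat > "$1/deny-first.policy" <<'EOF'
# hand-written with a rule-order mistake (constructed sample)
u2f.Register * personal-web sys-usb allow
u2f.Authenticate * personal-web sys-usb allow
ctap.GetInfo * personal-web sys-usb allow
ctap.ClientPin * @anyvm @anyvm deny
ctap.ClientPin * personal-web sys-usb allow
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_sample_policies "$SAMPLE_DIR"
for name in broken fixed deny-first; do
    if out=$(missing_policy_rules "$SAMPLE_DIR/$name.policy" personal-web sys-usb); then
        echo "$name.policy: all four services allowed"
    else
        echo "$name.policy: missing allow rule(s) for: $out"
    fi
done
```

The checker only covers the policy half of the problem described in the thread; the other half, the proxy service being enabled in the wrong qube, is a per-qube qvm-service setting in dom0 and is not something a file check can see. The checker also only honours the `*` argument wildcard and the `@anyvm` / `@default` keywords; a rule with a specific `+argument` or a `@tag:` / `@type:` source is treated as not matching, so treat "missing" as "not obviously allowed" rather than as a definitive deny.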
Hi, first of all, great OS! Thanks so much!
Qubes OS release
4.2.1 (upgraded from 4.1.2) latest stable.
Brief summary
Just installed 4.1.2 stable a couple of weeks ago, then upgraded to 4.2 when that got released yesterday, right about the same time I received my new hw key. So I'm set up with a Nitrokey 3, and I cannot seem to get the ctap/u2f proxy to work as expected; somehow it seems to forward requests to itself..
Logs for better understanding of the problem:
Steps to reproduce
Install u2f proxy per [https://www.qubes-os.org/doc/ctap-proxy/] on Qubes 4.2.1 (don't do any of the 'Advanced Usage' steps, just the Installation section).
Expected behavior
I would expect the sys-usb dispVM to respond to the request from personal-web and register the hash, then allow login.
Actual behavior
sys-usb receives the request and starts forwarding the Register part to itself in an endless loop.