QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

CTAP/U2F Proxy sending to itself? #9064

Open norespen opened 7 months ago

norespen commented 7 months ago

Hi, first of all, great OS! Thanks so much!

Qubes OS release

4.2.1 (upgraded from 4.1.2) latest stable.

Brief summary

Just installed 4.1.2 stable a couple of weeks ago, then upgraded to 4.2 when that got released yesterday, right about the same time I received my new hardware key. So I'm set up with a Nitrokey 3, and I cannot seem to get the ctap/u2f proxy to work as expected; somehow it seems to forward requests to itself..

Logs for better understanding of the problem:

Mar 28 12:12:47 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.ClientPin+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:50 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:50 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:50 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register: sys-usb -> sys-usb: denied: loopback qrexec connection not supported

Steps to reproduce

Install the u2f proxy per https://www.qubes-os.org/doc/ctap-proxy/ on Qubes 4.2.1 (don't do any of the 'Advanced Usage' steps, just the Installation section).

Expected behavior

I would expect the sys-usb dispVM to respond to the request from personal-web and register the hash, then allow login.

Actual behavior

sys-usb receives the request, and starts forwarding the Register part to itself in an endless loop.
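A small checker for the failure pattern visible in the dom0 log lines above, added here as an example and not part of this issue or of Qubes OS: it parses qrexec-policy-daemon decisions and reports any qube that forwards ctap.*/u2f.* calls to itself, which is the symptom of the proxy service being enabled in the USB qube (the cause marmarek identifies further down). The log format is taken from the lines quoted in the report; everything else is the example's own.

```python
import re
from collections import Counter

# Matches the qrexec-policy-daemon lines quoted above; the journal prefix
# (timestamp, host, pid) is skipped by searching from "qrexec:".
POLICY_RE = re.compile(
    r"qrexec: (?P<service>[A-Za-z0-9._-]+)(?:\+(?P<arg>[^:\s]*))?: "
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<result>.+)$"
)

def parse_line(line):
    """Return (service, src, dst, allowed) or None for unrelated journal lines."""
    m = POLICY_RE.search(line.strip())
    if not m:
        return None
    return (m.group("service"), m.group("src"), m.group("dst"),
            m.group("result").startswith("allowed"))

def self_forwarding(lines):
    """Count ctap.*/u2f.* calls a qube sends to itself: {qube: Counter(service)}.
    Each loop iteration shows an 'allowed' line followed by a 'denied: loopback'
    line; only the allowed line is counted (one count per re-forwarded request)."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        service, src, dst, allowed = parsed
        if service.startswith(("ctap.", "u2f.")) and src == dst and allowed:
            hits.setdefault(src, Counter())[service] += 1
    return hits

def diagnose(lines):
    """One finding per misbehaving qube; an empty list means no loop was seen."""
    findings = []
    for qube, services in sorted(self_forwarding(lines).items()):
        calls = ", ".join(f"{s} x{n}" for s, n in sorted(services.items()))
        findings.append(f"{qube} forwards {calls} to itself; disable the "
                        f"qubes-ctap-proxy (or qubes-u2f-proxy) service in {qube}")
    return findings

# Sample input: four lines quoted from the report above.
SAMPLE = """\
Mar 28 12:12:47 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: sys-usb -> sys-usb: allowed to sys-usb
""".splitlines()
```

Feed it `journalctl -u qrexec-policy-daemon` output from dom0 (or a pasted excerpt); a legitimate setup only ever shows the front-end qube as the source, so any self-forwarding hit is a misconfiguration.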

rapenne-s commented 1 month ago

I'm able to reproduce this issue on R4.2.3, I actually can't use my Yubikey BIO at all.

I followed the same path as OP, and got the same result.

In dom0: sudo qubes-dom0-update qubes-ctap-dom0
In qubes: enabling the service qubes-ctap-proxy@sys-usb (I verified, it's started correctly); this service is also started in sys-usb (the documentation is not clear about it).

The Qubes Global Config GUI is not working well in the "USB devices" tab when modifying U2F rules: when you apply and change tab, it tells you the changes were not saved; if you save, it does something else. Basically you can't trust what it's doing, as most of the time it seems not to modify the file /etc/qubes/policy.d/50-config-u2f.policy 🤷‍♀️

From various inputs on GH and Discourse, I have no files u2f.Authenticate or u2f.Register or ctap.GetPin or ctap.ClientInfo (names from memory, I just spent 2 hours with this and I may mix names..) in /etc/qubes-rpc/policy/. I don't know if it's normal or not.

The best I got was to have a qube triggering the yubikey LED and a lot of spam from sys-usb asking sys-usb in an infinite loop until I stopped trying to read the yubikey from the web browser in an allowed qube, exactly as OP.

I'm quite stuck as I really need this to work for my job :/

marmarek commented 1 month ago

Where is the qubes-ctap-proxy (or qubes-u2f-proxy) qvm-service enabled? It should not be enabled in sys-usb itself.

rapenne-s commented 1 month ago

It works after disabling and stopping the service qubes-ctap-proxy in my usb qube 👍

The documentation wasn't really clear about this one.

andrewdavidwong commented 1 month ago

It works after disabling and stopping the service qubes-ctap-proxy in my usb qube 👍

@norespen, does this also work for you?

rapenne-s commented 1 month ago

Although I've been able to register a passkey on Vaultwarden web UI, Microsoft Teams and Keycloak aren't able to find the Yubikey, I guess it's a ctap proxy issue.

When using the yubikey, there are dom0 notifications about access to ctap.ClientPin and ctap.GetInfo being refused. I added rules for them but it did not produce any functional change, except that the notifications are gone.

rapenne-s commented 1 month ago

If that helps, I got this in the qube's log when trying to use the FIDO key in chromium, which was waiting indefinitely for the key.

sept. 30 10:04:59 QUBENAME qubes.StartApp+chromium-browser-dom0[15789]: [15793:15793:0930/100459.447285:ERROR:device_event_log_impl.cc(201)] [10:04:59.447] FIDO: auth_token_requester.cc:165 Ignoring status 20 from usb-f055:f1d0
sept. 30 10:04:59 QUBENAME qubes.StartApp+chromium-browser-dom0[15789]: [15793:15793:0930/100459.447329:ERROR:device_event_log_impl.cc(201)] [10:04:59.447] FIDO: make_credential_request_handler.cc:616 Ignoring MakeCredentialStatus=2 from hid:2cc5c195-4a18-47df-a5b4-dbe00206224f

marmarek commented 1 month ago

@piotrbartman any ideas?

piotrbartman commented 1 month ago

I see here 3 different issues:

  1. Docs should be updated to remove confusion and to include the new way of policy management (to solve the original issue).
  2. In global config ctap2 is disabled by default: ctap.GetInfo and ctap.ClientPin are absent in the created policy file, which they shouldn't be (QubesOS/qubes-issues/issues/8604).
  3. I managed to register my key to my Microsoft account but I failed to authenticate: after providing the PIN, communication is peacefully ended (?) (and this is yet another issue).