QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Either the docs for Qubes CTAP proxy are incomplete/wrong or qubes-ctap-proxy doesn't work. #9074

Open xyhhx opened 4 months ago

xyhhx commented 4 months ago

Qubes OS release

R4.1.2

Brief summary

I'm following the documentation to set up the CTAP proxy, but they're either incomplete or the proxy isn't working.

I have a non-default USB qube.

Steps to reproduce

(The following steps assume that disp-sys-usb is the USB qube)

  1. Follow the steps in the CTAP Proxy documentation, including Advanced usage: per-qube key access and Non-default USB qube name

    1. Install qubes-ctap-dom0 in dom0
    2. Install qubes-ctap in the templates for both the USB qube and the client qube
    3. Clear /etc/qubes-rpc/policy/u2f.Authenticate
    4. Add a custom policy according to the per-qube access section:
       policy.RegisterArgument +u2f.Authenticate disp-sys-usb @anyvm allow target=dom0
    5. In the client qube's template, disable the default CTAP proxy service and enable one specifying disp-sys-usb:
       sudo systemctl disable qubes-ctapproxy
       sudo systemctl enable qubes-ctapproxy@disp-sys-usb.service
    6. Shut down templates and restart all relevant qubes
    7. Try adding the hardware key to an account somewhere

Expected behavior

The U2F/CTAP proxy should forward the registration/authentication to disp-sys-usb

Actual behavior

Nothing happens.

More questions:

  1. In the Installation section, it says to install qubes-ctap in Fedora and/or Debian templates, then to restart sys-usb and any qubes that use the proxy. Do we install qubes-ctap in the USB qube's template too? It's unclear. If so, do we also have to enable the qubes-ctap-proxy service?

  2. In the Advanced usage: per-qube key access section, it says to clear /etc/qubes-rpc/policy/u2f.Authenticate but makes no mention of /etc/qubes-rpc/policy/u2f.Register (which I see on dom0). It also makes no mention of the u2f.Register policy anywhere, including in the advised 30-user-ctapproxy.policy file. Is that intentional?

  3. In the Advanced usage: per-qube key access section, the custom policy described for allowing the example twitter qube to access the CTAP token in sys-usb is:

    policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=dom0

    Is this correct? This seems to allow any VM.

  4. In the Non-default USB qube name section, the service name is now qubes-ctapproxy whereas earlier the service enabled via qvm-service is qubes-ctap-proxy. This is confusing.

  5. In the Non-default USB qube name section, it says

    Do not forget to change the sys-usb qube name in the policy /etc/qubes/policy.d/30-user-ctapproxy.policy.

    But this assumes that you followed the steps in Advanced usage: per-qube key access. If you didn't, presumably you have to edit both u2f.Authenticate and u2f.Register in the default policies? I am once again confused by no mention of u2f.Register.

Let me rephrase the previous questions to be more concise:

  1. In which qubes and/or templates must we enable qubes-ctap-proxy from Qube Manager?
  2. In which qubes and/or templates must we enable the qubes-ctapproxy service (with or without the @USB_QUBE suffix)?
  3. How do we handle the u2f.Register policy?
  4. For disposable VMs, do we do anything differently?
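
Editor's note: the question about the policy line above turns on how a Qubes 4.1 policy line is split into fields (service, +argument, source, destination, action, parameters). The following is an added example, not code from the issue or from the qubes-ctap project: a small parser and first-match evaluator for that line format, fed a constructed policy file that contains the page's policy.RegisterArgument rule for disp-sys-usb plus made-up rules (the qube name work-web and the u2f.Register / u2f.Authenticate rules are invented for the demonstration). Token matching is a simplification of the real qrexec-policy daemon: @anyvm is treated as every VM except dom0, @tag:x as a tag lookup, and anything else as an exact qube name. Running it shows that @anyvm in the page's line sits in the destination column, so only disp-sys-usb may call policy.RegisterArgument, and the review helper at the end flags allow rules whose source column is @anyvm.

```python
"""Parser and first-match evaluator for Qubes OS 4.1-style qrexec policy
lines (the /etc/qubes/policy.d/ format).  Added illustration; the matching
below is a deliberate simplification of the real qrexec-policy daemon."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    service: str
    argument: Optional[str]          # None stands for the "*" wildcard
    source: str
    target: str
    action: str                      # allow | deny | ask
    params: dict = field(default_factory=dict)
    line_no: int = 0


def parse_policy(text: str) -> list:
    """Parse policy text into rules in file order (first matching rule wins)."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("!"):       # blank line or !include-style directive
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {n}: expected 'service argument source target action', got {raw!r}")
        service, argument, source, target, action, *extra = fields
        if argument == "*":
            arg = None
        elif argument.startswith("+"):
            arg = argument[1:]
        else:
            raise ValueError(f"line {n}: argument must be '*' or start with '+'")
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {n}: unknown action {action!r}")
        params = {}
        for item in extra:                         # e.g. target=dom0
            key, sep, value = item.partition("=")
            if not sep:
                raise ValueError(f"line {n}: parameter {item!r} is not key=value")
            params[key] = value
        rules.append(Rule(service, arg, source, target, action, params, n))
    return rules


def _token_matches(token: str, vm: str, tags: dict) -> bool:
    """Simplified token match: @anyvm = any VM except dom0, @tag:x = tag lookup,
    anything else = exact qube name."""
    if token == "@anyvm":
        return vm != "dom0"
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in tags.get(vm, set())
    return token == vm


def evaluate(rules, service, argument, source, target, tags=None) -> Optional[Rule]:
    """Return the first rule matching the call, or None (no rule means the call is denied)."""
    tags = tags or {}
    for r in rules:
        if r.service != service:
            continue
        if r.argument is not None and r.argument != argument:
            continue
        if not _token_matches(r.source, source, tags) or not _token_matches(r.target, target, tags):
            continue
        return r
    return None


def broad_allow_rules(rules) -> list:
    """Review helper: allow rules whose *source* column is @anyvm, i.e. any qube may call."""
    return [r for r in rules if r.action == "allow" and r.source == "@anyvm"]


# Constructed sample policy: line 2 is the rule quoted in the issue; the
# remaining rules and the qube name work-web are made up for the demonstration.
SAMPLE_POLICY = """\
# per-qube key access with disp-sys-usb as the USB qube (from the issue)
policy.RegisterArgument +u2f.Authenticate disp-sys-usb @anyvm allow target=dom0
# constructed: only work-web may enrol new credentials
u2f.Register * work-web disp-sys-usb allow
# constructed and deliberately broad: any qube may enrol (flagged by broad_allow_rules)
u2f.Register * @anyvm disp-sys-usb allow
u2f.Authenticate * @anyvm disp-sys-usb deny
"""

RULES = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for r in RULES:
        print(f"line {r.line_no}: {r.service} arg={r.argument} {r.source} -> {r.target} {r.action} {r.params}")
    hit = evaluate(RULES, "policy.RegisterArgument", "u2f.Authenticate", "disp-sys-usb", "work-web")
    print("disp-sys-usb registering an argument:", hit.action, hit.params)
    print("work-web attempting the same call:",
          evaluate(RULES, "policy.RegisterArgument", "u2f.Authenticate", "work-web", "disp-sys-usb"))
    print("allow rules with @anyvm as source, by line:", [r.line_no for r in broad_allow_rules(RULES)])
```

The evaluator returns None for work-web calling policy.RegisterArgument because the page's rule names disp-sys-usb in the source column; the @anyvm token only widens which destination that call may name. Only the constructed u2f.Register line with @anyvm as its source is reported by the review helper.
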
xyhhx commented 4 months ago

There are another two policy files that aren't mentioned in the docs anywhere: