Qubes OS release
R4.1.2

Brief summary
I'm following the documentation to set up the CTAP proxy, but it's either incomplete or the proxy isn't working.
I have a non-default USB qube.

Steps to reproduce
(The following steps assume that `disp-sys-usb` is the USB qube)
1. Follow the steps in the CTAP Proxy documentation, including Advanced usage: per-qube key access and Non-default USB qube name
2. Install `qubes-ctap-dom0` in dom0
3. Install `qubes-ctap` in the templates for both the USB qube and the client qube
4. [step text missing] `/etc/qubes-rpc/policy/u2f.Authenticate`
5. [step text missing] `disp-sys-usb`
6. Try adding the hardware key to an account somewhere

Expected behavior
The U2F/CTAP proxy should forward the registration/authentication to `disp-sys-usb`.

Actual behavior
Nothing happens.

More questions:

In the Installation section, it says to install `qubes-ctap` in Fedora and/or Debian templates, then to restart `sys-usb` and any qubes that use the proxy. Do we install `qubes-ctap` in the USB qube's template too? It's unclear. If so, do we also have to enable the `qubes-ctap-proxy` service?

In the Advanced usage: per-qube key access section, it says to clear `/etc/qubes-rpc/policy/u2f.Authenticate` but makes no mention of `/etc/qubes-rpc/policy/u2f.Register` (which I see on dom0). It also makes no mention of the `u2f.Register` policy anywhere, including in the advised `30-user-ctapproxy.policy` file. Is that intentional?

In the Advanced usage: per-qube key access section, the custom policy described for allowing the example `twitter` qube to access the CTAP token in `sys-usb` is:

[policy snippet missing]

Is this correct? This seems to allow to any VM.

In the Non-default USB qube name section, the service name is now `qubes-ctapproxy` whereas earlier the service enabled via `qvm-service` is `qubes-ctap-proxy`. This is confusing.

In the Non-default USB qube name section, it says:

> Do not forget to change the sys-usb qube name in the policy /etc/qubes/policy.d/30-user-ctapproxy.policy.

But this assumes that you followed the steps in Advanced usage: per-qube key access. If you didn't, presumably you have to edit both `u2f.Authenticate` and `u2f.Register` in the default policies? I am once again confused by no mention of `u2f.Register`.

Let me rephrase the previous questions to be more concise:

1. In which qubes and/or templates must we enable `qubes-ctap-proxy` from Qube Manager?
2. In which qubes and/or templates must we enable the `qubes-ctapproxy` service (with or without the `@USB_QUBE` suffix)?
3. How do we handle the `u2f.Register` policy?
4. For disposable VMs, do we do anything differently?
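As an added illustration of the per-qube policy question above (this is not the contents of the documented file and not code from the issue or the Qubes project), here is what a `30-user-ctapproxy.policy` in the Qubes 4.1 policy format could look like when both RPC services the proxy uses are restricted to the `twitter` client qube and the USB qube is named `disp-sys-usb`; the trailing deny rules are my assumption, added so that no other qube falls through to a more permissive default policy.

```text
# /etc/qubes/policy.d/30-user-ctapproxy.policy  (assumed contents, added example)
# Qubes 4.1 policy line format:
#   <service> <argument> <source> <destination> <action>
# The proxy forwards registration over u2f.Register and authentication over
# u2f.Authenticate, so both services need a rule for the client qube.
u2f.Register      *  twitter  disp-sys-usb  allow
u2f.Authenticate  *  twitter  disp-sys-usb  allow

# Files in policy.d are evaluated in name order and the first matching rule
# wins, so an explicit deny here keeps any other qube from reaching the token
# via a later, broader default rule.
u2f.Register      *  @anyvm   @anyvm        deny
u2f.Authenticate  *  @anyvm   @anyvm        deny
```

Whether the documented per-qube setup expects a `u2f.Register` rule at all is exactly the open question in this issue; the file above only shows how such a rule would be written if it is required.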