
CTAP/U2F Proxy sending to itself? #9064

Open
norespen opened this issue Mar 28, 2024 · 8 comments
Assignees
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: CTAP/U2F proxy Client to Authenticator Protocol (CTAP) / Universal 2nd Factor (U2F) proxy diagnosed Technical diagnosis has been performed (see issue comments). P: major Priority: major. Between "default" and "critical" in severity. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@norespen

norespen commented Mar 28, 2024

Hi, first of all, great OS! Thanks so much!

Qubes OS release

4.2.1 (upgraded from 4.1.2) latest stable.

Brief summary

I just installed 4.1.2 stable a couple of weeks ago, then upgraded to 4.2 when that got released yesterday, right about the same time I received my new hw key. So I'm set up with a Nitrokey 3, and I cannot seem to get the CTAP/U2F proxy to work as expected; somehow it seems to forward requests to itself.

Logs for better understanding of the problem:

Mar 28 12:12:47 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.ClientPin+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:50 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:50 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:50 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register: sys-usb -> sys-usb: denied: loopback qrexec connection not supported

Steps to reproduce

Install u2f proxy per [https://www.qubes-os.org/doc/ctap-proxy/] on Qubes 4.2.1 (don't do any of the 'Advanced Usage' steps, just the Installation section).

Expected behavior

I would expect the sys-usb dispVM to respond to requests from personal-web and register the hash, then allow login.

Actual behavior

sys-usb receives the request, and starts forwarding the Register part to itself in an endless loop.

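The log excerpt above shows the pattern that distinguishes this misconfiguration from a healthy setup: every client-qube -> sys-usb decision is followed by a sys-usb -> sys-usb one, which qrexec then refuses as a loopback connection. The following is an added example, not code from the Qubes project or from anyone in this thread: a small parser for qrexec-policy-daemon lines that counts CTAP/U2F calls whose source and target are the same qube. The sample log is constructed to match the shape of the lines quoted in the report; the qube name sys-usb and the service names come from the report.

```python
import re
from collections import Counter

# Constructed sample log, shaped like the qrexec-policy-daemon lines quoted in the report.
SAMPLE_LOG = """\
Mar 28 12:12:47 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:48 dom0 qrexec-policy-daemon[2982]: qrexec: ctap.GetInfo: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Authenticate+REDACTED---HASH--: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: personal-web -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register+: sys-usb -> sys-usb: allowed to sys-usb
Mar 28 12:12:49 dom0 qrexec-policy-daemon[2982]: qrexec: u2f.Register: sys-usb -> sys-usb: denied: loopback qrexec connection not supported
"""

# One policy decision: "<service>[+<argument>]: <source> -> <target>: allowed ... | denied: ..."
LINE_RE = re.compile(
    r"qrexec-policy-daemon\[\d+\]: qrexec: "
    r"(?P<service>[\w.]+)(?:\+(?P<arg>[^\s:]*))?: "
    r"(?P<source>\S+) -> (?P<target>\S+): "
    r"(?P<verdict>allowed|denied)\b(?P<detail>.*)$"
)


def parse_line(line):
    """Return the fields of one policy decision, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["detail"] = rec["detail"].strip(": ")
    return rec


def find_loopback_calls(log_text, prefixes=("ctap.", "u2f.")):
    """Count CTAP/U2F decisions whose source and target are the same qube.

    A healthy forwarding chain is client-qube -> sys-usb only. A second hop
    sys-usb -> sys-usb means the proxy service is also running inside the USB
    qube, so it re-forwards each request to itself until qrexec refuses the
    loopback connection.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["service"].startswith(prefixes):
            continue
        if rec["source"] == rec["target"]:
            hits[(rec["service"], rec["source"])] += 1
    return hits


def diagnose(log_text):
    """Human-readable summary of what the loopback counts mean."""
    hits = find_loopback_calls(log_text)
    if not hits:
        return "no loopback CTAP/U2F calls: forwarding chain looks sane"
    qubes = sorted({qube for _, qube in hits})
    return ("loopback CTAP/U2F calls from " + ", ".join(qubes)
            + ": the proxy service is probably enabled in that qube")


if __name__ == "__main__":
    for (service, qube), n in sorted(find_loopback_calls(SAMPLE_LOG).items()):
        print(f"{qube} -> {qube}: {service} x{n}")
    print(diagnose(SAMPLE_LOG))
```

Feed it the output of `journalctl -u qrexec-policy-daemon` from dom0 instead of the constructed sample; a non-empty result names the qube whose qvm-service settings to inspect next.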
@norespen norespen added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Mar 28, 2024
@andrewdavidwong andrewdavidwong added needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. affects-4.2 This issue affects Qubes OS 4.2. C: CTAP/U2F proxy Client to Authenticator Protocol (CTAP) / Universal 2nd Factor (U2F) proxy labels Mar 29, 2024
@rapenne-s

rapenne-s commented Sep 25, 2024

I'm able to reproduce this issue on R4.2.3, I actually can't use my Yubikey BIO at all.

I followed the same path as OP, and got the same result.

in dom0: sudo qubes-dom0-update qubes-ctap-dom0
in qubes: enabling the service qubes-ctap-proxy@sys-usb (I verified, it's started correctly), this service is also started in sys-usb (the documentation is not clear about it)

The Qubes Global Config GUI is not working well in the "USB devices" tab when modifying U2F rules. When you apply and change tab, it tells you the changes were not saved; if you save, it does something else. Basically you can't trust what it's doing, as most of the time it seems not to modify the file /etc/qubes/policy.d/50-config-u2f.policy 🤷‍♀️

From various inputs on GH and discourse, I have no files u2f.Authenticate or u2f.Register or ctap.GetPin or ctap.ClientInfo (names from memory, I just spent 2 hours with this and I may mix names..) in /etc/qubes-rpc/policy/, I don't know if it's normal or not.

The best I got was to have a qube triggering the yubikey LED and a lot of spam from sys-usb asking sys-usb in an infinite loop until I stopped trying to read the yubikey from the web browser in an allowed qube, exactly as OP.

I'm quite stuck as I really need this to work for my job :/

@andrewdavidwong andrewdavidwong added P: major Priority: major. Between "default" and "critical" in severity. and removed P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Sep 25, 2024
@marmarek
Member

Where is the qubes-ctap-proxy (or qubes-u2f-proxy) qvm-service enabled? It should not be enabled in sys-usb itself.

@rapenne-s

It works after disabling and stopping the service qubes-ctap-proxy in my usb qube 👍

The documentation wasn't really clear about this one.

@andrewdavidwong
Member

It works after disabling and stopping the service qubes-ctap-proxy in my usb qube 👍

@norespen, does this also work for you?

@rapenne-s

Although I've been able to register a passkey on Vaultwarden web UI, Microsoft Teams and Keycloak aren't able to find the Yubikey, I guess it's a ctap proxy issue.

When using the Yubikey, there are dom0 notifications about access to ctap.ClientPin and ctap.GetInfo being refused. I added rules for them but it did not produce any functional change, except that the notifications are gone.

@rapenne-s

If that helps, I got this in the qube's log when trying to use the FIDO key in chromium, which was waiting indefinitely for the key.

sept. 30 10:04:59 QUBENAME qubes.StartApp+chromium-browser-dom0[15789]: [15793:15793:0930/100459.447285:ERROR:device_event_log_impl.cc(201)] [10:04:59.447] FIDO: auth_token_requester.cc:165 Ignoring status 20 from usb-f055:f1d0
sept. 30 10:04:59 QUBENAME qubes.StartApp+chromium-browser-dom0[15789]: [15793:15793:0930/100459.447329:ERROR:device_event_log_impl.cc(201)] [10:04:59.447] FIDO: make_credential_request_handler.cc:616 Ignoring MakeCredentialStatus=2 from hid:2cc5c195-4a18-47df-a5b4-dbe00206224f

@marmarek
Member

@piotrbartman any ideas?

@piotrbartman
Member

piotrbartman commented Oct 1, 2024

I see here 3 different issues:

  1. Docs should be updated to remove confusion and to include the new way of managing policy (to solve the original issue).
  2. In Global Config, CTAP2 is disabled by default: ctap.GetInfo and ctap.ClientPin are absent from the created policy file, which they shouldn't be (Add ctap.ClientPin and ctap.getInfo policies when enabling U2F in "qubes global config" #8604).
  3. I managed to register my key with my Microsoft account but failed to authenticate: after providing the PIN, communication is peacefully ended (?) (and this is yet another issue).

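Item 2 above describes a policy file that grants u2f.Register and u2f.Authenticate to a client qube but carries no ctap.GetInfo or ctap.ClientPin rule for it, which is exactly what produces the refused-access notifications reported earlier in the thread. The following is an added example, not code from the Qubes project: a checker that parses policy text in the 4.2 `service argument source target action [params]` layout, reports each u2f-enabled source qube that lacks the two CTAP2 allow rules, and appends them by copying the target and parameters from that qube's existing u2f rule. The policy text and the qube names personal-web and work are constructed for the example; the service names are the ones named in this issue.

```python
# Constructed policy text in the qrexec policy layout
# (service argument source target action [params]); qube names are made up.
POLICY_MISSING_CTAP = """\
# constructed: u2f rules without the matching ctap.* rules for personal-web
u2f.Register * personal-web @default allow target=sys-usb
u2f.Authenticate * personal-web @default allow target=sys-usb
u2f.Register * work @default allow target=sys-usb
u2f.Authenticate * work @default allow target=sys-usb
ctap.GetInfo * work @default allow target=sys-usb
ctap.ClientPin * work @default allow target=sys-usb
u2f.Register * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @anyvm deny
"""

U2F_SERVICES = ("u2f.Register", "u2f.Authenticate")
# CTAP2 handshake services that must accompany the u2f.* rules for a client qube.
CTAP2_SERVICES = ("ctap.GetInfo", "ctap.ClientPin")


def parse_policy(text):
    """Parse policy lines into dicts; blank lines, comments and '!' directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        service, argument, source, target, action = parts[:5]
        params = dict(p.split("=", 1) for p in parts[5:] if "=" in p)
        rules.append({"service": service, "argument": argument, "source": source,
                      "target": target, "action": action, "params": params})
    return rules


def allowed_sources(rules, service):
    """Source qubes that have an explicit allow rule for the given service."""
    return {r["source"] for r in rules
            if r["service"] == service and r["action"] == "allow"}


def missing_ctap_rules(text):
    """Map each u2f-enabled source qube to the ctap.* services it has no allow rule for."""
    rules = parse_policy(text)
    u2f_sources = set()
    for svc in U2F_SERVICES:
        u2f_sources |= allowed_sources(rules, svc)
    report = {}
    for src in sorted(u2f_sources):
        missing = [svc for svc in CTAP2_SERVICES
                   if src not in allowed_sources(rules, svc)]
        if missing:
            report[src] = missing
    return report


def add_ctap_rules(text):
    """Return the policy text with the missing ctap.* allow rules appended,
    copying argument, target and params from the qube's existing u2f rule."""
    rules = parse_policy(text)
    extra = []
    for src, missing in missing_ctap_rules(text).items():
        template = next(r for r in rules
                        if r["service"] in U2F_SERVICES
                        and r["source"] == src and r["action"] == "allow")
        params = " ".join(f"{k}={v}" for k, v in template["params"].items())
        for svc in missing:
            extra.append(f"{svc} {template['argument']} {src} "
                         f"{template['target']} allow {params}".rstrip())
    if not extra:
        return text
    return text + "\n".join(extra) + "\n"


if __name__ == "__main__":
    print("missing:", missing_ctap_rules(POLICY_MISSING_CTAP))
    print(add_ctap_rules(POLICY_MISSING_CTAP))
```

This is a presence check only: it does not evaluate first-match ordering across the policy.d files, so a deny rule placed earlier than the appended allow would still win at runtime. Review the generated lines against the file the GUI wrote (/etc/qubes/policy.d/50-config-u2f.policy in this thread) before installing them.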
@piotrbartman piotrbartman removed the needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. label Oct 1, 2024
@andrewdavidwong andrewdavidwong added the diagnosed Technical diagnosis has been performed (see issue comments). label Oct 2, 2024
piotrbartman added a commit to piotrbartman/qubes-app-u2f that referenced this issue Nov 12, 2024
@piotrbartman piotrbartman self-assigned this Nov 13, 2024