From a debian-11-minimal I created the following templates:
ks-16-firefox
:
debian-11-minimal ---> ks-16-minimal ---> ks-16-firefox
debian-11-firefox
:
debian-11-minimal ---> debian-11-firefox
The only difference between these two templates are the following packages:
hardened-malloc
haveged
jitterentropy-rngd
kicksecure-qubes-cli
security-misc
The other packages, including qubes-u2f
, have been installed in both templates.
For practicality, I then created a DispVM Template for debian-11-firefox
and another for ks-16-firefox
.
The problem is that if I launch firefox-esr
in a DispVM based off of ks-16-firefox
, u2f authentication with a yubikey doesn’t work. However, with the same settings and website, everything works fine in the DispVM based off of debian-11-firefox
.
Still made zero progress on this.
Could something in security-misc
prevent qubes-u2f
policies from working correctly?
Or maybe it’s preventing the browser from accessing it?
The yubikey is never actually attached to the dispvm and is instead attached to sys-usb, which uses a template based on kicksecure. And just to be very specific, everything works fine with firefox in normal debian-minimal dispvm.
Please advise, I really need this to work, any help welcome!
This is a good question. Tor-based applications (browser) tend for some reason to be incompatible with security key authentication. Now why is that any different from some onion sites requiring passwords and identification? There are onionsites that shibboleth, so the user and the site are not entirely unacquainted but the path to the site is still as anonymous as possible.
OTP requires third servers so there is the possibility of leak but a shared secret through an anonymized connection should not present any design obstacles. Why cant FIDO in theory remain anonymous and rigidly designate at the same time? Do you really even need to trust the integrity of the onionsite? It just appears as this random rigid designation coming from could be anywhere.