Nitrokey U2F - some way to configure? / FIDO U2F login to local account on QubesOS

Hi all,

I am unable to find documentation on how to configure the Nitrokey U2F outside of use with a browser.

My intention is to configure the Nitrokey U2F’s challenge-response mode, similar to how one can use Yubico’s personalization GUI.

I am trying to use the Nitrokey U2F rather than Yubikey U2F for this set-up (U2F login into OS):

any guidance or help appreciated - thanks and keep up the good work!

Hi @michael!

Sorry for the delay. Unfortunately Nitrokey U2F does not support challenge-response mode (which needs an HMAC-SHA1 implementation). This is not part of the FIDO U2F standard; it is more like HOTP/TOTP, but with its own challenge.

There is surely a possibility to log in to the OS via the pam_u2f module. I do not know, though, whether it is available for QubesOS. See the following for details:

1 Like

Thanks for the response! It looks like there are some PAM-based ways of implementing this functionality in Qubes OS:

I’ll explore this strategy, thanks for the guidance.

1 Like

@szszszsz Does the Nitrokey3A Mini support HMAC-SHA1 challenge response?

@michael did you ever get this to work with a Nitrokey on QubesOS? IIUC the linked articles are both about using a Yubikey in challenge response mode…

Don’t know but give it a try…

It shouldn’t matter. Challenge-response is challenge-response… It’s documented on the nk webpage. I wrote about how to set it up on an nk3 and a Onlykey here: Using Challenge-Response (HMACSHA1) with the same Secret on a Nitrokey 3 and on a Onlykey to unlock a KeepassXC Database. Maybe it helps… Spoiler: the nk3 wants to have the secret base32 encoded.

1 Like

Yes. All NK3’s should support HMAC-SHA1.

1 Like

Thanks, I see the option now under nitropy nk3 secrets --help; what I still can’t figure out is how to interact with the NK3 using this mechanism… Basically I need some program to issue the challenge and get the response from the NK3, but nitropy itself doesn’t seem to have that kind of function, and ykchalresp doesn’t recognize my NK3. Is there a simple command line program available somewhere that can do this?

My use case is to set up the NK3 as a login authenticator on QubesOS 4.2, so I need to qvm-run -p sys-usb someprogram from dom0 to sys-usb to interact with the NK3… I’m looking for “someprogram”.

Edit: I think openssl might do…
Edit: found a different way using passwords

This PR for the qubes-dom0-yubikey app works for the QubesOS screen lock (xscreensaver) in case anyone is reading this later… It uses HOTP for Nitrokey 3 devices.
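The thread makes three points that are easier to see in code than in prose: HMAC-SHA1 challenge-response is the same primitive as HOTP (HOTP just uses a counter as the challenge and truncates the result), the NK3 expects the shared secret in base32, and the host side of a login integration needs a verifier that checks the code and advances the counter so it cannot be replayed. The following Python is an added illustration written for this thread; it is not code from Nitrokey, nitropy, or the qubes-dom0-yubikey PR, and it never talks to a token. The secret is the RFC 4226 reference key (a constructed value, not anything from a real device), which is why the HOTP values it produces match the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 reference key, ASCII "12345678901234567890".
# Not a secret from any real token; it only exists so the HOTP output can be checked
# against the RFC's own test vectors (counter 0 -> 755224, 1 -> 287082, 2 -> 359152).
DEMO_SECRET = b"12345678901234567890"


def base32_secret(secret: bytes) -> str:
    """Base32 form of the raw secret, the encoding the NK3 expects when a secret is
    registered (per the thread). Padding is stripped for readability."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text: str) -> bytes:
    """Inverse of base32_secret; tolerates lowercase, spaces and missing '=' padding,
    which is how users tend to type base32 secrets."""
    text = text.strip().upper().replace(" ", "")
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """Raw HMAC-SHA1 challenge-response: what a token computes over an arbitrary
    challenge supplied by the host."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the same HMAC-SHA1, with the 8-byte big-endian counter as the
    challenge, followed by dynamic truncation to a short decimal code."""
    mac = hmac_sha1_response(secret, struct.pack(">Q", counter))
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                window: int = 10, digits: int = 6):
    """Verifier side (what a PAM module or screen-lock helper needs): accept the first
    counter in [stored_counter, stored_counter + window) whose code matches and return
    the counter to persist (one past the accepted value) so the same code cannot be
    replayed. Returns None when nothing in the window matches."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


def verify_challenge_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Host-side check of a token's HMAC-SHA1 response against the host's copy of the
    secret, using a constant-time comparison."""
    return hmac.compare_digest(hmac_sha1_response(secret, challenge), response)


if __name__ == "__main__":
    print("base32 secret for registration:", base32_secret(DEMO_SECRET))
    for n in range(3):
        print(f"HOTP counter {n}: {hotp(DEMO_SECRET, n)}")
    # Host holds counter 0; user submits the code for counter 2 (two presses were lost).
    print("next counter after accepting 359152:", verify_hotp(DEMO_SECRET, 0, "359152"))
    # Replaying the counter-0 code after the host has moved on is rejected.
    print("replay of 755224 accepted?", verify_hotp(DEMO_SECRET, 3, "755224") is not None)
    challenge = b"constructed-login-challenge"
    print("challenge-response verifies:",
          verify_challenge_response(DEMO_SECRET, challenge,
                                    hmac_sha1_response(DEMO_SECRET, challenge)))
```

The verifier persists the returned counter before reporting success; if the stored counter is only written after the login completes, a crash between the two steps leaves a window in which the last code is still valid. The look-ahead window also bounds how many token presses may be "lost" before the host and token have to be resynchronised.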