Sorry for the delay. Unfortunately Nitrokey U2F does not support challenge-response mode (which needs an HMAC-SHA1 implementation). This is not part of the FIDO U2F standard, but rather more like HOTP/TOTP, but with your own challenge.
There is surely a possibility to log in to the OS via the pam_u2f module. I do not know, though, whether it is available for QubesOS. See the following for details:
Thanks, I see the option now under nitropy nk3 secrets --help; what I still can’t figure out is how to interact with the NK3 using this mechanism…basically I need some program to issue the challenge and get the response from the NK3, but nitropy itself doesn’t have that kind of function, it seems, and ykchalresp doesn’t recognize my NK3. Is there a simple command line program available somewhere that can do this?
My use case is to set up the NK3 as a login authenticator on QubesOS 4.2, so I need to qvm-run -p sys-usb someprogram from dom0 to sys-usb to interact with the NK3…I’m looking for “someprogram”.
Edit: I think openssl might do…
Edit: found a different way using passwords
This PR for the qubes-dom0-yubikey app works for the QubesOS screen lock (xscreensaver) in case anyone is reading this later…it uses HOTP for NitroKey3 devices.
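
The first reply describes challenge-response as HMAC-SHA1 over a challenge the host chooses, and the last post settles on HOTP. The following is an added example (not part of the thread, and not code from nitropy or the qubes-dom0-yubikey PR) showing host-side verification of both. The function names, the look-ahead window and the key are assumptions; the key and codes are the RFC 4226 test vectors.

```python
import hashlib
import hmac
import secrets
import struct


def chal_resp(key: bytes, challenge: bytes) -> bytes:
    """Challenge-response: HMAC-SHA1 over a challenge chosen by the host."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the same HMAC-SHA1, computed over an 8-byte counter."""
    mac = chal_resp(key, struct.pack(">Q", counter))
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(key: bytes, submitted: str, counter: int, window: int = 3):
    """Return the next counter to store, or None if the code is rejected."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(key, c).encode(), submitted.encode()):
            return c + 1  # advancing past c makes a replayed code fail
    return None


def verify_chal_resp(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time check of a token response against the host's own MAC."""
    return hmac.compare_digest(chal_resp(key, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test key, not a real secret
    stored = 0
    stored = verify_hotp(key, "287082", stored)  # code for counter 1
    print("next counter:", stored)
    print("replay accepted:", verify_hotp(key, "287082", stored) is not None)
    challenge = secrets.token_bytes(32)  # fresh per login attempt
    response = chal_resp(key, challenge)  # what the token would return
    print("chal-resp ok:", verify_chal_resp(key, challenge, response))
```

The stored counter has to be persisted after every successful HOTP login, otherwise a previously seen code is accepted again.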