7:28 a.m.
I have a need to pass through a YubiKey to a Windows (10) VM guest
such that Windows in the guest will let me use it with physical touch
activation for 2FA.
For those times, I am physically at the VM host, so I don't need
_remote_ redirection into the guest, and I'm fine with plugging and
unplugging the YubiKey physically on an as-needed basis.
If I simply redirect the USB device through the virt-manager GUI, my
experience is that it has at best worked very much unreliably, and
often not at all.
Searching the web hasn't helped.
Does anyone have a recipe for that to work _reliably_?
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
7:38 a.m.
New subject: Passing through a YubiKey to a Windows VM for physical touch activation
When I have had to do something similar I passed the pci device that had
the usb ports attached to it which worked very well.
On Fri, 3 Nov 2023 at 13:30, Michael Kjörling <7d1340278307(a)ewoof.net>
wrote:
I have a need to pass through a YubiKey to a Windows (10) VM guest
such that Windows in the guest will let me use it with physical touch
activation for 2FA.
For those times, I am physically at the VM host, so I don't need
_remote_ redirection into the guest, and I'm fine with plugging and
unplugging the YubiKey physically on an as-needed basis.
If I simply redirect the USB device through the virt-manager GUI, my
experience is that it has at best worked very much unreliably, and
often not at all.
Searching the web hasn't helped.
Does anyone have a recipe for that to work _reliably_?
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
_______________________________________________
Users mailing list -- users(a)lists.libvirt.org
To unsubscribe send an email to users-leave(a)lists.libvirt.org
8:13 a.m.
On Fri, 2023-11-03 at 12:28 +0000, Michael Kjörling wrote:
I have a need to pass through a YubiKey to a Windows (10) VM guest
such that Windows in the guest will let me use it with physical touch
activation for 2FA.
For those times, I am physically at the VM host, so I don't need
_remote_ redirection into the guest, and I'm fine with plugging and
unplugging the YubiKey physically on an as-needed basis.
If I simply redirect the USB device through the virt-manager GUI, my
experience is that it has at best worked very much unreliably, and
often not at all.
Searching the web hasn't helped.
Does anyone have a recipe for that to work _reliably_?
I had 2 smartcard readers for 10 years connected to different virtual
machines. This worked for me all these years:
<hostdev mode='subsystem' type='usb' managed='yes'>
<source>
<vendor id='0x08e6'/>
<product id='0x3478'/>
</source>
<address type='usb' bus='0' port='4'/>
</hostdev>
kind regards
Björn Lässig
9:44 a.m.
On 3 Nov 2023 14:13 +0100, from b.laessig(a)pengutronix.de (Björn Lässig):
I had 2 smartcard readers for 10 years connected to different
virtual
machines. This worked for me all these years:
<hostdev mode='subsystem' type='usb' managed='yes'>
<source>
<vendor id='0x08e6'/>
<product id='0x3478'/>
</source>
<address type='usb' bus='0' port='4'/>
</hostdev>
Thank you! This looks _very_ promising, although I'm not really in a
position to fully test it right now, and I might not be able to do
that until some time next week. Reading at [1] I eventually ended up
with:
<domain>
<devices>
<hostdev mode='subsystem' type='usb' managed='no'>
<source startupPolicy='optional'>
<vendor id='0x0000'/>
<product id='0x0000'/>
</source>
<address type='usb' bus='0' port='N'/>
</hostdev>
</devices>
</domain>
plus of course everything else to describe the VM and with actual
values for vendor and product ID and port number, to match the setup
of the VM in which I was able to briefly test this.
At the very least, as far as I could tell with a quick test, this lets
me hot plug and hot unplug the YubiKey without virt-manager yelling at
me; makes starting the VM not dependent on the YubiKey being plugged
in; and makes the guest OS recognize it for what it is rather than as
a generic HID keyboard device. Icing on the cake would have been if I
could also restrict redirection based on USB device serial number as
well, but it looks like that's not possible, or at least not readily
so.
[1] https://libvirt.org/formatdomain.html#usb-pci-scsi-devices
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
4:11 a.m.
New subject: Passing through a YubiKey to a Windows VM for physical touch
activation - SOLVED
On 3 Nov 2023 14:44 +0000, from 7d1340278307(a)ewoof.net (Michael Kjörling):
<domain>
<devices>
<hostdev mode='subsystem' type='usb' managed='no'>
<source startupPolicy='optional'>
<vendor id='0x0000'/>
<product id='0x0000'/>
</source>
<address type='usb' bus='0' port='N'/>
</hostdev>
</devices>
</domain>
It looks like the above works. Thanks a lot Björn for pointing me in
the right direction!
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
626
days inactive
629
days old
4 comments
3 participants
participants (3)
-
Björn Lässig -
Michael Kjörling -
Tim Fletcher