Passing through a YubiKey to a Windows VM for physical touch activation

I have a need to pass through a YubiKey to a Windows (10) VM guest such that Windows in the guest will let me use it with physical touch activation for 2FA. For those times, I am physically at the VM host, so I don't need _remote_ redirection into the guest, and I'm fine with plugging and unplugging the YubiKey physically on an as-needed basis. If I simply redirect the USB device through the virt-manager GUI, my experience is that it has at best worked very much unreliably, and often not at all. Searching the web hasn't helped. Does anyone have a recipe for that to work _reliably_?

-- Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”

When I have had to do something similar, I passed the PCI device that had the USB ports attached to it, which worked very well.

On Fri, 3 Nov 2023 at 13:30, Michael Kjörling <7d1340278307@ewoof.net> wrote:
I have a need to pass through a YubiKey to a Windows (10) VM guest such that Windows in the guest will let me use it with physical touch activation for 2FA.
For those times, I am physically at the VM host, so I don't need _remote_ redirection into the guest, and I'm fine with plugging and unplugging the YubiKey physically on an as-needed basis.
If I simply redirect the USB device through the virt-manager GUI, my experience is that it has at best worked very much unreliably, and often not at all.
Searching the web hasn't helped.
Does anyone have a recipe for that to work _reliably_?
-- Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”
_______________________________________________
Users mailing list -- users@lists.libvirt.org
To unsubscribe send an email to users-leave@lists.libvirt.org

On Fri, 2023-11-03 at 12:28 +0000, Michael Kjörling wrote:
I have a need to pass through a YubiKey to a Windows (10) VM guest such that Windows in the guest will let me use it with physical touch activation for 2FA.
For those times, I am physically at the VM host, so I don't need _remote_ redirection into the guest, and I'm fine with plugging and unplugging the YubiKey physically on an as-needed basis.
If I simply redirect the USB device through the virt-manager GUI, my experience is that it has at best worked very much unreliably, and often not at all.
Searching the web hasn't helped.
Does anyone have a recipe for that to work _reliably_?
I had 2 smartcard readers for 10 years connected to different virtual machines. This worked for me all these years:

  <hostdev mode='subsystem' type='usb' managed='yes'>
    <source>
      <vendor id='0x08e6'/>
      <product id='0x3478'/>
    </source>
    <address type='usb' bus='0' port='4'/>
  </hostdev>

kind regards
Björn Lässig

On 3 Nov 2023 14:13 +0100, from b.laessig@pengutronix.de (Björn Lässig):
I had 2 smartcard readers for 10 years connected to different virtual machines. This worked for me all these years:
  <hostdev mode='subsystem' type='usb' managed='yes'>
    <source>
      <vendor id='0x08e6'/>
      <product id='0x3478'/>
    </source>
    <address type='usb' bus='0' port='4'/>
  </hostdev>
Thank you! This looks _very_ promising, although I'm not really in a position to fully test it right now, and I might not be able to do that until some time next week.

Reading at [1] I eventually ended up with:

  <domain>
    <devices>
      <hostdev mode='subsystem' type='usb' managed='no'>
        <source startupPolicy='optional'>
          <vendor id='0x0000'/>
          <product id='0x0000'/>
        </source>
        <address type='usb' bus='0' port='N'/>
      </hostdev>
    </devices>
  </domain>

plus of course everything else to describe the VM and with actual values for vendor and product ID and port number, to match the setup of the VM in which I was able to briefly test this.

At the very least, as far as I could tell with a quick test, this lets me hot plug and hot unplug the YubiKey without virt-manager yelling at me; makes starting the VM not dependent on the YubiKey being plugged in; and makes the guest OS recognize it for what it is rather than as a generic HID keyboard device.

Icing on the cake would have been if I could also restrict redirection based on USB device serial number as well, but it looks like that's not possible, or at least not readily so.

[1] https://libvirt.org/formatdomain.html#usb-pci-scsi-devices

-- Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”
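The recipe the thread settles on has three parts: select the host device by vendor/product ID, give it a fixed guest-side `<address>`, and mark the `<source>` with `startupPolicy='optional'` so the domain starts with the key unplugged. The script below is an added example for this thread, not code posted by anyone here and not part of libvirt; it assumes only the domain XML format documented at the libvirt link above. It pulls the IDs out of an `lsusb` line, renders the `<hostdev>` element, and audits an existing domain XML for the two properties the thread found mattered (fixed guest address, optional startup), also noting when a device is matched by vendor/product only, since, as the thread observes, no serial-number match is available. The device IDs, port numbers and the `lsusb` line are constructed samples, not real captures.

```python
"""Build and audit libvirt USB <hostdev> entries for a domain.

Added example for this thread; not code from libvirt or from the posters.
Assumes only the domain XML format documented at
https://libvirt.org/formatdomain.html#usb-pci-scsi-devices.
Device IDs, guest port numbers and the lsusb line are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of one `lsusb` output line (not a real capture).
SAMPLE_LSUSB_LINE = "Bus 001 Device 005: ID 1234:5678 Example Security Key (constructed)"

_LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d+) Device (?P<dev>\d+): ID "
    r"(?P<vendor>[0-9a-fA-F]{4}):(?P<product>[0-9a-fA-F]{4})"
)


def parse_lsusb_line(line):
    """Extract the vendor and product IDs (as ints) from one `lsusb` line."""
    m = _LSUSB_RE.match(line)
    if m is None:
        raise ValueError(f"not an lsusb line: {line!r}")
    return {"vendor": int(m["vendor"], 16), "product": int(m["product"], 16)}


def hostdev_xml(vendor, product, guest_bus, guest_port, optional=True):
    """Render the <hostdev> element the thread converged on.

    vendor/product select the host device; the trailing <address> fixes the
    guest-side USB bus/port so the device always appears in the same slot;
    startupPolicy='optional' lets the domain start while the key is unplugged.
    """
    hostdev = ET.Element("hostdev", mode="subsystem", type="usb", managed="no")
    source = ET.SubElement(hostdev, "source")
    if optional:
        source.set("startupPolicy", "optional")
    ET.SubElement(source, "vendor", id=f"0x{vendor:04x}")
    ET.SubElement(source, "product", id=f"0x{product:04x}")
    ET.SubElement(hostdev, "address", type="usb", bus=str(guest_bus), port=str(guest_port))
    return ET.tostring(hostdev, encoding="unicode")


def audit_usb_hostdevs(domain_xml):
    """Return {index: [finding, ...]} for every USB <hostdev> in a domain XML."""
    root = ET.fromstring(domain_xml)
    report = {}
    for i, hd in enumerate(root.iterfind("./devices/hostdev[@type='usb']")):
        findings = []
        source = hd.find("source")
        if source is None:
            findings.append("no <source>: nothing selects a host device")
        else:
            if source.get("startupPolicy") != "optional":
                findings.append("startupPolicy not 'optional': domain start needs the key plugged in")
            by_id = source.find("vendor") is not None and source.find("product") is not None
            by_addr = source.find("address") is not None
            if not by_id and not by_addr:
                findings.append("<source> selects no device (no vendor/product, no host address)")
            elif by_id and not by_addr:
                findings.append("selects by vendor/product only: no serial-number match is available")
        if hd.find("address[@type='usb']") is None:
            findings.append("no fixed guest <address>: guest-side slot may change between plug events")
        report[i] = findings
    return report


if __name__ == "__main__":
    ids = parse_lsusb_line(SAMPLE_LSUSB_LINE)
    snippet = hostdev_xml(ids["vendor"], ids["product"], guest_bus=0, guest_port=4)
    print(snippet)
    # Wrap the snippet in a minimal <domain> so the audit has something to walk.
    print(audit_usb_hostdevs(f"<domain><devices>{snippet}</devices></domain>"))
```

The rendered element can be pasted into `virsh edit` output or passed to `virsh attach-device`; running the audit over the domain XML of a VM that has been redirecting the key unreliably will show at once whether it relies on the GUI-style entry without a fixed guest address or optional startup policy.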

On 3 Nov 2023 14:44 +0000, from 7d1340278307@ewoof.net (Michael Kjörling):
  <domain>
    <devices>
      <hostdev mode='subsystem' type='usb' managed='no'>
        <source startupPolicy='optional'>
          <vendor id='0x0000'/>
          <product id='0x0000'/>
        </source>
        <address type='usb' bus='0' port='N'/>
      </hostdev>
    </devices>
  </domain>
It looks like the above works. Thanks a lot Björn for pointing me in the right direction!

-- Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”
participants (3): Björn Lässig, Michael Kjörling, Tim Fletcher