feat(2fa): Enable 2FA token request proxying #1681

Merged
brianmcgillion merged 2 commits into tiiuae:main from slakkala:dev/ctap on Jan 27, 2026

@slakkala slakkala commented Jan 14, 2026

Enables qctap-proxy in chrome VM, using givc to forward requests to gui VM which owns the authentication tokens.

Description of Changes

Implement security token (YubiKey) proxying, allowing app VMs to use security tokens for authentication.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

https://jira.tii.ae/browse/SSRCSP-7636

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Insert a security token (dev-tested with YubiKey 5C)
  2. Use Chrome to browse to https://demo.yubico.com/
  3. Do the WebAuthn demo, pressing the YubiKey whenever it blinks

@slakkala slakkala marked this pull request as draft January 14, 2026 14:20
@slakkala slakkala marked this pull request as ready for review January 23, 2026 10:41
@slakkala slakkala changed the title from "WIP: feat(2fa): Enable 2FA token request proxying" to "feat(2fa): Enable 2FA token request proxying" Jan 23, 2026
Enables qctap-proxy in chrome VM, using givc to forward requests to
gui VM which owns the authentication tokens.

Signed-off-by: Santtu Lakkala <santtu.lakkala@unikie.com>
Signed-off-by: Santtu Lakkala <santtu.lakkala@unikie.com>
@milva-unikie

Tested on Darter Pro

Notes

  • The laptop is locked when the Yubikey is removed. This also happens when the Yubikey has not been enrolled as a login device. Not sure if this is intentional?

@milva-unikie milva-unikie added Tested on System76 and removed Needs Testing CI Team to pre-verify labels Jan 27, 2026
@slakkala
Contributor Author

> • The laptop is locked when the Yubikey is removed. This also happens when the Yubikey has not been enrolled as a login device. Not sure if this is intentional?

This is probably not intentional, but due to the implementation it is not an easy fix. This is a pre-existing issue and does not block this PR.

@brianmcgillion brianmcgillion merged commit 4535be8 into tiiuae:main Jan 27, 2026
32 checks passed