Mass replace "TemplateVM" with "template"

QubesOS/qubes-issues#1015
Andrew David Wong 2021-06-18 02:16:40 -07:00
parent c07ee61ed8
commit 63498a6c17
No known key found for this signature in database
GPG key ID: 8CE137352A019A17
41 changed files with 187 additions and 187 deletions

@ -369,7 +369,7 @@ Rather, the master secret key remains in the `vault` VM, which is extremely unli
<sup>\*</sup> The attacker might nonetheless be able to leak the secret subkeys from the `work-gpg` VM in the manner described above, but even if this is successful, the secure master secret key can simply be used to revoke the compromised subkeys and to issue new subkeys in their place.
(This is significantly less devastating than having to create a new *master* keypair.)
<sup>\*</sup>In order to gain access to the `vault` VM, the attacker would require the use of, e.g., a general Xen VM escape exploit or a [signed, compromised package which is already installed in the TemplateVM](/doc/templates/#trusting-your-templatevms) upon which the `vault` VM is based.
<sup>\*</sup>In order to gain access to the `vault` VM, the attacker would require the use of, e.g., a general Xen VM escape exploit or a [signed, compromised package which is already installed in the template](/doc/templates/#trusting-your-templates) upon which the `vault` VM is based.
### Subkey Tutorials and Discussions
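Review bot: The link target on the changed footnote line moves from `/doc/templates/#trusting-your-templatevms` to `/doc/templates/#trusting-your-templates`, which only resolves if the heading on the templates page is renamed to match in this same commit. Please confirm that heading is among the 41 changed files; if it is not, the link silently falls back to the top of the page and the reader loses the pointer to the template trust discussion that this footnote relies on.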

@ -79,20 +79,20 @@ $ qvm-service --enable work qubes-u2f-proxy
The above assumes a `work` qube in which you would like to enable u2f. Repeat the `qvm-service` command for all qubes that should have the proxy enabled. Alternatively, you can add `qubes-u2f-proxy` in VM settings -> Services in the Qube Manager of each qube you would like to enable the service.
In Fedora TemplateVMs:
In Fedora templates:
```
$ sudo dnf install qubes-u2f
```
In Debian TemplateVMs:
In Debian templates:
```
$ sudo apt install qubes-u2f
```
As usual with software updates, shut down the templates after installation, then restart `sys-usb` and all qubes that use the proxy.
After that, you may use your U2F token (but see [Browser support](#templatevm-and-browser-support) below).
After that, you may use your U2F token (but see [Browser support](#template-and-browser-support) below).
## Advanced usage: per-qube key access
@ -125,9 +125,9 @@ systemctl disable qubes-u2fproxy@sys-usb.service
Replace `USB_QUBE` with the actual USB qube name.
## TemplateVM and browser support
## Template and browser support
The large number of possible combinations of TemplateVM (Fedora 27, 28; Debian 8, 9) and browser (multiple Google Chrome versions, multiple Chromium versions, multiple Firefox versions) made it impractical for us to test every combination that users are likely to attempt with the Qubes U2F Proxy.
The large number of possible combinations of template (Fedora 27, 28; Debian 8, 9) and browser (multiple Google Chrome versions, multiple Chromium versions, multiple Firefox versions) made it impractical for us to test every combination that users are likely to attempt with the Qubes U2F Proxy.
In some cases, you may be the first person to try a particular combination.
Consequently (and as with any new feature), users will inevitably encounter bugs.
We ask for your patience and understanding in this regard.
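Review bot: Renaming the heading to `## Template and browser support` changes its generated anchor, and while the in-page link earlier in this file is updated to `#template-and-browser-support`, any link from another page or an external site to `#templatevm-and-browser-support` will stop resolving. Search the rest of the docs for the old anchor, and consider keeping an explicit anchor with the old id on this heading so existing inbound links keep working.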

@ -118,9 +118,9 @@ Do not rely on this for extra security.**
>/etc/qubes-rpc/policy/qubes.VMAuth
```
(Note: any VMs you would like still to have passwordless root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
(Note: any VMs you would like still to have passwordless root access (e.g. Templates) can be specified in the second file with "\<vmname\> dom0 allow")
2. Configuring Fedora TemplateVM to prompt Dom0 for any authorization request:
2. Configuring Fedora template to prompt Dom0 for any authorization request:
- In `/etc/pam.d/system-auth`, replace all lines beginning with "auth" with these lines:
```
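Review bot: In the changed note line, the mass replace leaves `(e.g. Templates)` capitalized mid-sentence, while every other replacement in this commit uses lowercase ("Fedora template", "In Debian templates:"). Suggest `(e.g. templates)` for consistency. Since this note is about which VMs keep passwordless root through a `"<vmname> dom0 allow"` policy line, it is also worth keeping the wording unambiguous that it refers to template qubes specifically.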
@ -143,7 +143,7 @@ Do not rely on this for extra security.**
[root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
```
3. Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request:
3. Configuring Debian/Whonix template to prompt Dom0 for any authorization request:
- In `/etc/pam.d/common-auth`, replace all lines beginning with "auth" with these lines:
```

@ -24,7 +24,7 @@ Same as in the OTP case, you will need to set up your YubiKey, choose a separate
To use this mode you need to:
1. Install yubikey personalization the packages in your TemplateVM on which your USB VM is based.
1. Install yubikey personalization the packages in your template on which your USB VM is based.
For Fedora.
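Review bot: The changed step 1 line now reads "Install yubikey personalization the packages in your template on which your USB VM is based", which keeps the scrambled word order from before the rename and pairs "your template" awkwardly with "on which". Since the line is being touched anyway, suggest "Install the YubiKey personalization packages in the template on which your USB VM is based."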
@ -38,8 +38,8 @@ To use this mode you need to:
sudo apt-get install yubikey-personalization yubikey-personalization-gui
```
Shut down your TemplateVM.
Then, either reboot your USB VM (so changes inside the TemplateVM take effect in your USB app qube) or install the packages inside your USB VM if you would like to avoid rebooting it.
Shut down your template.
Then, either reboot your USB VM (so changes inside the template take effect in your USB app qube) or install the packages inside your USB VM if you would like to avoid rebooting it.
2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example [following this tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/).
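Review bot: The changed line "Then, either reboot your USB VM (so changes inside the template take effect in your USB app qube) ..." refers to the same qube as both "USB VM" and "USB app qube" within one sentence. Pick one term for it here, preferably in line with the terminology this commit is standardizing, so the reader does not assume two different qubes are involved.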