[SOLVED] YubiKey Passthrough to Windows Guest

Mar 28, 2020
I've a YubiKey 5 NFC which I'm trying to USB pass-through to a Windows (tried 10 & 11) guest on my Proxmox VE 7.1-7 instance. The device shows up in Windows' Device Manager, but the Windows YubiKey configuration tool (YubiKey Manager) tells me that it "Failed connecting to the YubiKey. Make sure the application has the required permissions." when I attempt to configure the PIV element of the YubiKey (OTP and FIDO2 elements work). There is a YubiKey help site which says this can be resolved by running the tool as an administrator, which I've tried but to no avail.

What's odd is that if I run an Ubuntu guest instead, the YubiKey Manager tool works. This to me suggests that USB passthrough is working fine in Proxmox.

I'm asking here as I've already asked YubiKey who told me that the device needs to be physically connected to the host and not through a hypervisor. I'm not sure if I was being fobbed off there or not, so I thought I'd ask the experts.

My questions therefore are:

Has anyone successfully passed through a YubiKey to a Windows guest?

Is it possible that Linux guests would work, while Proxmox USB pass-through somehow interferes with Windows guests (even if it shows in Device Manager)? This sounds a bit far-fetched to me, but I'm no expert.
 
Have you tried passing through the whole USB controller it is attached to?
Maybe this would help.
 
Finally got to the bottom of this... Microsoft Remote Desktop Protocol's smartcard redirection.

I was accessing the VMs over RDP, which interferes with the guest as it tries to redirect the client smartcard to the guest (regardless of whether it's enabled on the client or not).

By accessing the VM either over VNC or SPICE, I was able to successfully access the YubiKey PIV.
 

I was having exactly the same problem as you, so thank you for figuring this out. I was able to successfully sign code through Spice using your workaround.

However, your comment about RDP redirecting the smartcard to the guest inspired me to try removing the YubiKey from my Proxmox server and plugging it directly into my local machine (the one I'm RDPing from) to see what happens. Surprisingly, it works. I guess that redirection is doing what it's supposed to, because now I'm able to remotely sign code on my development VM over an RDP connection. With this there's no longer a need to map a host USB port to the VM for the YubiKey.

Also, when I run YubiKey Manager on the VM during the RDP session, it allows me to manage the key that's plugged into my local machine, which sounds like what you were trying to achieve. All the PIV functionality is available.

YubiKey Manager and the Smart Card Minidriver are installed on both machines (local and VM), so I assume that figures into the solution somehow. Also, I'm running Windows on both ends. Your post didn't make it clear if you were remoting in from a Windows or Linux machine, so if the latter, that may complicate things.

Good luck to anyone else who stumbles on this post while fighting with the same issue.
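
Added example, not part of any post in this thread: a PowerShell diagnostic to run inside the Windows guest that compares the smart card readers attached to the VM with the readers the smart card API exposes to the current session, which is where the RDP and VNC/SPICE cases described above differ. It assumes the passed-through YubiKey enumerates under the `SmartCardReader` device class; `Native.WinSCard` and `Get-SessionReaders` are names made up for this example.

```powershell
# Added diagnostic example (not from the thread). Run inside the Windows guest.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Native -Name WinSCard -MemberDefinition @'
[DllImport("winscard.dll")]
public static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
[DllImport("winscard.dll", CharSet = CharSet.Unicode)]
public static extern int SCardListReadersW(IntPtr ctx, IntPtr groups, [Out] char[] readers, ref uint len);
[DllImport("winscard.dll")]
public static extern int SCardReleaseContext(IntPtr ctx);
'@

function Get-SessionReaders {
    # Reader names as the WinSCard API reports them to *this* session.
    $ctx = [IntPtr]::Zero
    # Scope 2 = SCARD_SCOPE_SYSTEM; a non-zero return means no usable context.
    if ([Native.WinSCard]::SCardEstablishContext(2, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx) -ne 0) { return @() }
    try {
        [uint32]$len = 0
        # First call with a null buffer returns the required length in characters.
        if ([Native.WinSCard]::SCardListReadersW($ctx, [IntPtr]::Zero, $null, [ref]$len) -ne 0) { return @() }
        $buf = New-Object char[] $len
        if ([Native.WinSCard]::SCardListReadersW($ctx, [IntPtr]::Zero, $buf, [ref]$len) -ne 0) { return @() }
        # The result is a multi-string: NUL-separated names, ended by a double NUL.
        return @((-join $buf).Split([char[]]@([char]0), [StringSplitOptions]::RemoveEmptyEntries))
    } finally {
        [void][Native.WinSCard]::SCardReleaseContext($ctx)
    }
}

# True when the session is a Remote Desktop session; false on the VNC/SPICE console.
$isRdp   = [System.Windows.Forms.SystemInformation]::TerminalServerSession
# Assumption: the YubiKey's CCID interface is listed in the SmartCardReader class.
$local   = @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue)
$visible = @(Get-SessionReaders)

"Session: $env:SESSIONNAME (remote session: $isRdp)"
"Readers attached to this VM (PnP): $($local.Count)"
$local | ForEach-Object { "  $($_.FriendlyName) [$($_.Status)]" }
"Readers visible to the smart card API in this session: $($visible.Count)"
$visible | ForEach-Object { "  $_" }

if ($isRdp -and $local.Count -gt 0 -and $visible.Count -eq 0) {
    "A reader is attached to the VM but this RDP session sees none: smart card calls are being redirected to the RDP client."
    "Re-run from the VNC or SPICE console to compare."
}
```

Run it once over RDP and once from the VNC or SPICE console; a reader that appears in the PnP list in both runs but in the API list only on the console matches the behaviour reported in this thread.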
 