4

I am unable to get my YubiKey Neo U2F working in VMware Workstation Pro 12.5. Testing it against Yubico's test site or against Akisec's test site both fail in the guest operating system (running Debian Linux 9), but both work in the host operating system (running Windows 10).

A search of Google indicates I want to add the following to my VMware guest .vmx file:

    usb.generic.allowHID = "TRUE"
    usb.generic.allowLastHID = "TRUE"

However, this makes no difference. Spoiler: I speculate this is because my virtual machine is encrypted.

2 Answers

9

After talking to a solutions architect at Yubico, we determined that VMware Workstation .vmx configuration files cannot be directly edited if the virtual machine is encrypted.

In order to make the YubiKey work inside the virtual machine, you should follow these steps:

  1. Decrypt the virtual machine if it is encrypted. Edit the virtual machine settings, select the Options tab, select Access Control, then click the Remove Encryption button.
  2. Now, edit the .vmx file. This is the configuration file for your virtual machine. Navigate to the directory containing your virtual machine, find the .vmx file (there should be exactly one), then open it in Notepad. Search for a line that says usb.present = "TRUE" and insert the following two lines:

    usb.generic.allowHID = "TRUE"
    usb.generic.allowLastHID = "TRUE"
    
  3. Note that Yubico recommended also adding:

    usb.generic.autoconnect = "FALSE"
    

    They also recommended removing any instance of:

    usb.autoConnect.device0 = ...
    
  4. Save your .vmx file.

  5. Shut down and restart VMware Workstation.
  6. Start up your virtual machine.
  7. Plug in your YubiKey. On the VMware menu, pull down the VM option, then Removable Devices. Select the Yubico.com Yubikey NEO OTP+U2F+CCID. Connect it to your virtual machine. Note! You may see a second option for a "Shared Yubikey". This is not the option you want.
  8. When challenged for your U2F authentication, your token should flash. Press it to authenticate.
  9. If you decrypted your virtual machine, don't forget to re-encrypt it. Edit the virtual machine settings, select the Options tab, select Access Control, then click the Encrypt button.
1

With VMware Fusion 11.0 (and presumably other product releases from the same timeframe), there's not just HID emulation (and a corresponding block on direct passthrough), but also smartcard emulation and an additional block for that.

To disable this, some additional flags are needed:

    usb.ccid.disable = "TRUE"
    usb.generic.allowCCID = "TRUE"

...making the full set of options which need to be changed to successfully pass through a YubiKey:

    usb.ccid.disable = "TRUE"
    usb.generic.allowCCID = "TRUE"
    usb.generic.allowHID = "TRUE"
    usb.generic.allowLastHID = "TRUE"
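The .vmx edits from both answers above, applied by a script. This is an added example, not part of either answer and not a VMware or Yubico tool. It assumes .vmx keys are case-insensitive and that an encrypted VM can be recognised by `encryption.*` entries; `patch_vmx` and the sample text are constructed for illustration.

```python
import re

# Settings named in the two answers above.
REQUIRED = {
    "usb.generic.allowHID": "TRUE",
    "usb.generic.allowLastHID": "TRUE",
    "usb.generic.autoconnect": "FALSE",
    "usb.ccid.disable": "TRUE",
    "usb.generic.allowCCID": "TRUE",
}
ENTRY = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def patch_vmx(text):
    """Return (patched_text, change_log) for the text of a decrypted .vmx file."""
    wanted = {k.lower(): (k, v) for k, v in REQUIRED.items()}
    out, log, seen, anchor = [], [], set(), None
    for line in text.splitlines():
        m = ENTRY.match(line)
        key = m.group(1).lower() if m else None  # assumption: keys are case-insensitive
        if key and key.startswith("encryption."):
            # Assumption: an encrypted .vmx is recognisable by encryption.* entries.
            raise ValueError("VM looks encrypted; remove encryption first (step 1)")
        if key and key.startswith("usb.autoconnect.device"):
            log.append(f"removed {m.group(1)}")
            continue
        if key in wanted:
            if key in seen:
                continue  # drop a duplicate of an entry already handled
            seen.add(key)
            name, value = wanted[key]
            if m.group(2).upper() != value:
                log.append(f"changed {name} to {value}")
            line = f'{name} = "{value}"'
        out.append(line)
        if key == "usb.present":
            anchor = len(out)  # new entries go directly after usb.present
    missing = [wanted[k] for k in wanted if k not in seen]
    pos = len(out) if anchor is None else anchor
    out[pos:pos] = [f'{n} = "{v}"' for n, v in missing]
    return "\n".join(out) + "\n", log + [f"added {n}" for n, _ in missing]

# Constructed sample, not a real VM's configuration.
SAMPLE = '''displayName = "debian9"
usb.present = "TRUE"
usb.generic.allowHID = "FALSE"
usb.autoConnect.device0 = "constructed-placeholder"
ethernet0.present = "TRUE"
'''

print(*patch_vmx(SAMPLE)[1], sep="\n")
```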
