Closed enboig closed 5 years ago
Until public key auth is implemented: Does keepass2android currently check whether the SFTP server's host key changed? If not, passwords might be sent to the wrong host
If passwords end in wrong server, it shouldn't be a problem as long as they are encrypted. Am I wrong?
@enboig Yes. Not only could your database wind up on a server owned by an attacker, they'll also have the password you use to log in to your personal server. This will enable them to log in and have access to all your files, if they want. SSH host keys ensure the server you're connecting to is the correct one and there's not a man-in-the-middle; to ignore the SSH host keys is a huge oversight, even if the file being transferred is encrypted.
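What "checking whether the host key changed" amounts to on the client side, as an added example that is not keepass2android's code nor from this thread: pin the server's host key the way OpenSSH's known_hosts does (plain and hashed hostnames, SHA256 fingerprints as ssh-keygen prints them) and refuse to proceed with password authentication when a known host presents a different key. The key bytes and hostnames below are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key material (not a real key pair): 32 arbitrary bytes as an Ed25519 public key.
SAMPLE_ED25519_PUB = bytes(range(32))

def encode_openssh_key(key_type: str, raw_key: bytes) -> str:
    """Build an OpenSSH public key line; the blob is length-prefixed type then length-prefixed key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(raw_key)) + raw_key
    return key_type + " " + base64.b64encode(blob).decode()

def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint as 'ssh-keygen -lf' prints it: base64 of the blob digest, '=' padding removed."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != key_type:  # the blob repeats the type; disagreement means a malformed line
        raise ValueError("key type in blob does not match declared type")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_hostname(hostname: str, salt: bytes) -> str:
    """known_hosts '|1|salt|hash' form: HMAC-SHA1 of the hostname keyed with a 20-byte salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(entry_host: str, hostname: str) -> bool:
    if entry_host.startswith("|1|"):
        salt = base64.b64decode(entry_host.split("|")[2])
        return hmac.compare_digest(hashed_hostname(hostname, salt), entry_host)
    return hostname in entry_host.split(",")  # plain entries may list several names separated by commas

def check_host_key(known_hosts: str, hostname: str, presented_key_line: str) -> str:
    """'ok' if a pinned key for this host matches, 'mismatch' if the host is known but the key differs
    (possible man-in-the-middle or reinstalled server: do not send the password), 'unknown' on first contact."""
    presented_type = presented_key_line.split()[0]
    presented_fp = fingerprint(presented_key_line)
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3 or not host_matches(parts[0], hostname):
            continue
        seen_host = True
        if parts[1] == presented_type and hmac.compare_digest(fingerprint(parts[1] + " " + parts[2]), presented_fp):
            return "ok"
    return "mismatch" if seen_host else "unknown"
```

On first contact ('unknown') a client should show the fingerprint and let the user confirm it against the one printed on the server, then pin it; the "type/check SSH host key" request later in this thread is exactly that step.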
I am planning the implementation of this feature. However, I am not sure what the workflow should look like. Suggestion:
Do you know other Android apps implementing something like this? What's their workflow?
Mercury-SSH does not allow importing private keys - instead, it just generates one, and only allows EXPORTING of the public key. I guess this has the following advantages:
Mercury-SSH can either export the public key to a file, or it can act like ssh-copy-id, using password authentication to append the key to the server's ~/.ssh/authorized_keys.
I can also think of a "share" button, using an intent to allow the user to send it via its favourite app (mail client, messenger...)
You can take a look at Mercury-SSH source here: https://github.com/Skarafaz/mercury
Thank you very much for the efforts!
Don't forget some way to type/check SSH host key ;-)
Hi there, not sure if this is the right place but I also wanted to add my request for this feature. Adding the key at the login stage from the SD card would be preferred.
@usuallymatt please switch to beta (https://play.google.com/apps/testing/keepass2android.keepass2android) to get this feature.
Got it! Trying to figure it out. I use a private key for my SFTP server. This new screen looks like it's trying to save a public key.
KP2A tries to avoid requiring you to transfer your private key to your device. Instead, it creates a key pair and exports the public key. Please add this key to your server config!
@PhilippC I just joined the beta program and installed the pre version (I have the dropdown for selection of the authentication mode). Now I'm trying to find the keypair that KP2A has created on my android device (OnePlus 5T, LineageOS 16). When does KP2A create the keypair? Where is it stored?
Aaaahhhh, now I got it, I don't need to know that. With this "export public key button" I can export the public key to e.g. Whatsapp (there I have a group where the only member is me...), access that with WhatsApp Web. Now I have it on my Laptop and can transfer it to the machine in the cloud. Awesome. It works perfectly!
T&R MP
@PhilippC Thanks Philipp, for the update and the many new features. I have just configured an sftp-server with chroot jail and no password authentication to store the *.kdbx database. I did so to increase security, so I really appreciate the new ssh-keypair feature. It works very well too. I emailed the public key from Keepass2Android to myself and pasted the key into ~/.ssh/authorized_keys on the server and it works nicely. If anyone wants to know how to configure an sftp-server with chroot jail on a Linux box, this is the guide I followed.
Just noticed the update and it works great, thank you very much, PhilippC!
Is there a way to use sftp without password and using public key?