keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Removing Challenge-Response Falsely Claims no Password Has Been Set #11032

Closed b0ssi closed 3 months ago

b0ssi commented 3 months ago

Overview

Firstly, great work on KeepassXC, many (ongoing) thanks!

With a password and challenge-response set to a database, the latter can no longer be removed. This seems like a regression in 2.7.9.

Steps to Reproduce

  1. Both, a password and a challenge-response have been set on a database.
  2. When the removal of the challenge-response (Database -> Database Security) is attempted (Remove Challenge-Response button clicked, then proceeded by a click on OK), the application blocks with a modal dialog saying:

    WARNING! You have not set a password. Using a database without a password is strongly discouraged!

    Are you sure you want to continue without a password?

    Cancel Continue without password

This is wrong as a password had been set (and the buttons in the Password section above also do say Change Password and Remove Password). Furthermore, when attempting to proceed by clicking Continue without password, the application does believe there is no password set, blocking any way to commit the changes by saying:

"You must add at least one encryption key to secure your database!", only offering an OK option that keeps the user in the settings page.

I'm confident this is a regression in 2.7.9 as I'm certain I've tested this use case in all past versions for a fair amount of time.

Expected Behavior

The user should be able to remove the challenge-response (with a password set) without any issues.

Actual Behavior

The user is prevented from removing the challenge-response as the application claims no password has been set. Assumption is that at least one type of secret is required.

Context

No specific context other than a database that has a password and challenge-response set.

KeePassXC - Version 2.7.9 Revision: 8f6dd13

Qt 5.15.14 Debugging mode is disabled.

Operating system: Arch Linux CPU architecture: x86_64 Kernel: linux 6.6.36-1-lts

Enabled extensions:

Cryptographic libraries:

Desktop Env: Mate Windowing System: X11/Wayland

droidmonkey commented 3 months ago

Duplicate report. Unfortunately you will have to re-enter your password to avoid having a database without a password set.

b0ssi commented 3 months ago

Thanks @droidmonkey, I must have missed previous reports of the issue. If you happen to have it handy it'd be great to have a link for me to read up on possible discussion around it; mostly out of curiosity. From what you say it sounds like this is either a technical reason or a policy decision. If it's the former it'd be interesting to hear what has changed as this used to be possible without retyping the password.

I'd argue that this is mostly an aesthetic remark: As it currently stands it's not stupid obvious that a new password has to be set up (as it all looks like the current one is still in effect). But I'll stop here, these thoughts have surely been raised in the other issues already. Thanks for ticking this off.

droidmonkey commented 3 months ago

It's a bug, fix will be released soon. https://github.com/keepassxreboot/keepassxc/pull/11001

b0ssi commented 3 months ago

Gotcha, great to hear a fix is already on the way. It didn't seem like a top critical bug as I wasn't able to proceed without explicitly creating a new password (or adding a challenge-response back in).