keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Remote database support [$276] #1775

Closed leethax666 closed 4 months ago

leethax666 commented 6 years ago


It would be great to have support for WebDav, SFTP, or other protocols to load and save a database. I have a webdav folder on xubuntu, but it doesn't show up on the Open File window.


IssueHunt Summary

### Backers (Total: $276.00)

- [kfdcompiled](https://issuehunt.io/u/kfdcompiled) ($20.00)
- [ppmathis](https://issuehunt.io/u/ppmathis) ($68.00)
- [haizaar](https://issuehunt.io/u/haizaar) ($20.00)
- [altendky](https://issuehunt.io/u/altendky) ($50.00)
- [mikescher](https://issuehunt.io/u/mikescher) ($6.00)
- [zeezeeeff](https://issuehunt.io/u/zeezeeeff) ($20.00)
- $92.00 have been anonymously funded.

bmelman commented 6 years ago

Exactly what I am missing: something like the IOProtocolExt from KeePass; this enables simple access to a securely stored KeePass database.

jazz-it commented 5 years ago

I fully support the idea... just installed KeePassXC for one reason only - to use it as an interface for my shared database on NAS, but unfortunately it's not supported yet.

droidmonkey commented 5 years ago

It is not likely this will be supported in the near future. Every modern OS can mount a WebDAV folder to be made accessible to KeePassXC. Likewise, SMB and NFS folders can be mounted as well. There is really no practical reason to spend significant effort embedding this capability in KeePassXC itself.

@leethax666 I missed this original issue. It is likely you are using the snap version of KeePassXC which is sandboxed and does not let you see some folders. Try mounting your WebDav within your home directory and try again.

marcbone commented 5 years ago

Yes, every computer can mount webdav, but this requires that there is a permanent internet connection. People also want to use their database when there is no internet available. This is no problem when you use dropbox or nextcloud since they have sync clients which download your files, make them available offline and then take care of changes.

However I couldn't find any good webdav client for linux. So what I do is the following:

The problem is that when you have no internet, keepassxc opens with an error (database not found or something like that) and I have to manually select my backup database. However, I have to remember to change again to the webdav database when I have Internet otherwise my changes would be overwritten by the cron task.

That's why it would be convenient if I could just connect to webdav in keepassxc and keepassxc takes care of downloading my database (or use a cached one if there is no internet) and notifying me if there are any conflicts (database changed remotely) when I want to save my database.

I agree that it is a bit out of scope for a password manager to take care of syncing issues with webdav. But it would make using a password manager easier for a lot of people who simply put their database on the cloud storage from their mail provider.

droidmonkey commented 5 years ago

Why not just use a cloud service provider, even syncthing or owncloud? You own all the technical challenges when you use webdav.

marcbone commented 5 years ago

The problem with syncthing is that all my devices are located in my apartment if I am at home. If my apartment burns down, my database is lost. So the proper way to deal with this is rent a vps-server and set up a nextcloud. However it takes some effort and maintenance work to keep everything running and secure (and money :wink: ). I already manage all other things (cardDav, calDav) with my email provider (They use open-Xchange which is really cool, but sadly they don't offer a sync client), so it is just easier and cheaper for me to also let them handle my database.

I guess that is true for many people and that's why it is an often requested feature. So please don't close it with a "won't fix", so someday somebody can come up with a merge request.

droidmonkey commented 5 years ago

Oh it'll remain open, I'm not entirely against this feature. I think it is best paired with plugin/scripting/trigger support though.

datenwolf commented 5 years ago

I'd like to point out another reason for having some form of remote access: Limiting the surface area for brainfart fuckups: Accidentally overwriting or deleting a password DB file and the latest backup snapshot didn't yet catch the latest changes.

The other reason might be managing read/write permissions, e.g. for shared access. (Why would you want to share access to a password file you ask: Think organization wide logins to supplier web order systems or similar, where the vendor is incapable of providing sub-accounts for individual persons).

pandruszkow commented 5 years ago

I sympathise with @marcbone, and also found WebDAV very fragile and dependent on connectivity. I experienced some data loss when using mounted WebDAV, which makes me understandably reluctant to entrust it with my password database.

At one point, I mounted my Nextcloud WebDAV share on my Linux box, then moved (admittedly a fairly large, 2GB) file to the share directory. The file disappeared from the source directory and never appeared at the destination, even though I have a fast connection. I no longer trust WebDAV to not lose my data, unless the application supports WebDAV access/mounting natively.

I've evaluated KeepassXC before, and the main reason I didn't switch from Keepass2 was lack of native WebDAV support. I would switch in a heartbeat if this was implemented. IIRC KeepassXC has much better and usable Firefox integration, and it would be worth switching for that reason alone.

droidmonkey commented 5 years ago

Using WebDAV through an application does nothing to resolve reliability issues with the WebDAV protocol itself. If you are concerned with reliability, versioning, and other modern concerns.... don't use WebDAV!

pandruszkow commented 5 years ago

It's easier to know when you failed a password DB upload with native DAV support, and you are able to retry the upload explicitly until you confirm you succeeded for sure. A mounted davfs will simulate a POSIX filesystem, which has different assumptions about the underlying layers of the system, and will tell you everything's fine when it's not.

You get no feedback about failures, delays, timeouts, hanged uploads, writes which are only present in the local /tmp cache and which haven't reached the cloud yet (and which may be lost if you happen to shut down the computer right now), and the like. You're basically relying on the davfs layer to recover from the errors and behave well, which is just not guaranteed.

pandruszkow commented 5 years ago

Another benefit of supporting WebDAV is that it's quite ubiquitous, and it's easier to set up a DAV server compared to alternatives. It comes with NextCloud/OwnCloud which is one of the most popular self-hosted "cloud in a box" software packages.

NFS and SMB only work reliably on their respective native platforms, and they are both insecure to expose on the public Internet. FTP is quite mature, but less secure and it's actually older than both Unix and TCP/IP. S3 compatible servers like Minio and some others seem like the future, but you can't just put them on a cheap shared PHP host, and they need a special client.

Please don't see what I'm saying as ranting. I've searched a lot around the Internet to find a good way to expose my files over the Internet with read-write capability, and DAV and FTP are the only two that will work everywhere. It's frustrating, but that seems to be the current state of support.

droidmonkey commented 5 years ago

Please check out syncthing. It is far superior to webdav.

t00 commented 5 years ago

It should not be too difficult to implement HTTP(S) GET/PUT with basic authentication. For saving the operations would be:

  1. GET
  2. Decrypt with the current database key
  3. Check for remote changes (diff from loaded)
  4. If changed: Confirm -> Merge
  5. PUT

When configuring a connection, cloud provider api configurations can be included (endpoint, auth type, request type) so with small modifications i.e. Amazon S3 can be used as well, without any plugins. Rest of the logic will be identical. Please consider adding this feature as for me as well lack of this feature is stopping me from using KeePassXC.
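
The save sequence listed in the comment above, as an added example that is not KeePassXC code or part of the original thread: GET, compare against the loaded version, merge if the remote changed, then a conditional PUT that the server confirms or rejects explicitly. It assumes the server sends `ETag` and honours `If-Match`; the in-process server, the `merge` callback and the blob contents are constructed for the demo, and decryption and basic authentication are left out.

```python
import hashlib, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

STORE = {"body": b"blob-v1"}  # constructed stand-in for the encrypted .kdbx bytes

def etag(b):
    return '"' + hashlib.sha256(b).hexdigest()[:16] + '"'

class Handler(BaseHTTPRequestHandler):  # minimal local server, demo only
    def log_message(self, *args):
        pass
    def reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("ETag", etag(STORE["body"]))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        self.reply(200, STORE["body"])
    def do_PUT(self):
        body = self.rfile.read(int(self.headers["Content-Length"]))
        if self.headers.get("If-Match") != etag(STORE["body"]):
            return self.reply(412)  # remote changed since the client's GET
        STORE["body"] = body
        self.reply(204)

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def request(port, method, body=None, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/db.kdbx", body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheader("ETag"), data

def save(port, mine, base_etag, merge, retries=3):
    """GET, compare with the loaded version, merge if needed, conditional PUT."""
    for _ in range(retries):
        _, tag, theirs = request(port, "GET")
        if tag != base_etag:            # someone else saved since we loaded
            mine = merge(mine, theirs)
        status, new_tag, _ = request(port, "PUT", mine, {"If-Match": tag})
        if status == 204:
            return new_tag, mine        # upload confirmed by the server
        if status != 412:
            raise RuntimeError(f"upload failed: HTTP {status}")
    raise RuntimeError("remote kept changing; upload not confirmed")
```

A 412 response means the remote copy changed between the GET and the PUT, so a stale upload is refused instead of silently overwriting another client's save.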

ilsergente1993 commented 5 years ago

+1

omaidb commented 5 years ago

+1

omaidb commented 5 years ago

Please support WebDAV, so that my Ubuntu no longer depends on other cloud-drive programs.

reetp commented 5 years ago

Keepass2Android has sftp support......

Great cos it works with my ssh keys.

Would be perfect to do likewise on the desktop.

sla-te commented 5 years ago

+1

processor286 commented 5 years ago

I've just moved from dropbox and g-drive with sync, to direct webdav on a private cloud server (nextcloud). The clients on Android and Windows support DAV directly, and clearly can tell if the WEBDAV save has completed successfully or not.

I did this because I've had data-destroying problems with synchronizing software (mostly insync), so direct DAV seemed the best solution for this. And is the reason why I don't really want to use a sync solution on Linux, nor do I feel happy trusting davfs really.

Anyway, wanted to lend some weight to exactly why I think that native webdav support would be a good thing.

aksdb commented 4 years ago

Just leaving another thought here on what would be an advantage of an integrated sync solution like WebDAV: security of the credentials. When KeePassXC manages the connection, I can unlock my local database, it sees the configured WebDAV, connects to it, pulls the database from there, merges, uploads and I can continue to work on the synchronized database. If another tool is required, I would have to permanently store my credentials there for a convenient workflow - so now either the OS or some other layer has Username/Password of my WebDAV share.

So for that reason alone I think the transport layer for the synchronization should reside within KeePassXC as well.

(Btw. I would also not mind having some dedicated sync protocol. That would make some aspects easier, but is all in all probably a lot more effort than "just" using WebDAV which has a ton of different possible backends.)

altendky commented 4 years ago

Just having a file on a locally mounted webdav connection doesn't address synchronization of data inside the database. In KeePass2 I just hit save and it syncs and merges etc up to the server. If I have to manually keep two files and 'merge from file' and so on... that's a lot of overhead vs. ctrl+s.

I understand it's a pile of added complexity so no judgement on it not being implemented presently but I think it does bring important value.

reetp commented 4 years ago

Yup. Local mounting via webdav/nfs/smb for users is just a no no when the database needs to be hosted centrally/cloud so they can easily access via mobile too. Needs to be a simple one click connect to database across desktop & mobile app. Sftp/Scp is simple to set up and use and works easily on mobile. It could be that easy on desktop. Anything more complicated for normal users is just a roadblock. Damn shame as this prevents us from using it. My guess is this will go the way of email+PGP. Just too damn difficult, driven round, and disrupted by chat.

droidmonkey commented 4 years ago

The bounty will be satisfied if minimally WebDAV, NFS, and SMB are supported natively within KeePassXC. SSH/SFTP is a bonus, but certainly not a requirement since it requires a significant amount of additional dependencies.

altendky commented 4 years ago

Is that including a content-of-file synchronization feature to handle when data has been changed from two clients at once? Or, just that a file can be opened from the listed sources? For me, the content-of-file synchronization is a significantly interesting part to have.

droidmonkey commented 4 years ago

Synchronization is another feature request. I am looking at working on that in the near future.

giox069 commented 4 years ago

Remote database via an external sync application is complex to set up on the client side: I can set up all the stuff for my devices without problems, but it's very difficult to explain to a remote user (your customer, your friend, your brother) how to set up all this stuff on their PC and android phone.

And if possible, sync to gmail account should be the 1st choice, due to the fact that most users on earth have a gmail account. What I would like to see for KeePassXC is a local copy of DB (accessible when internet is not available) copied to google drive periodically when modified. All done with a very simple setup procedure for an end user.

ghost commented 4 years ago

Is there any status on this?

kir4h commented 4 years ago

Synchronization is indeed a key feature (ability to resolve conflicts per entry, that's the main difference to me vs. the approach of having an external client do the sync job and what blocks my migration to keepassxc). But before having sync we need this one to be implemented, so upvoting it =)!

haizaar commented 4 years ago

I'll be happy to contribute another $20 to the bounty for this feature and another $30 for synchronization feature. @droidmonkey do you want to set up an https://issuehunt.io/ account to manage it? I'm sure that if even a small number of users donate a bit it will put a smile on the developers' faces.

IssueHuntBot commented 4 years ago

@kfdcompiled has funded $20.00 to this issue.


KFDCompiled commented 4 years ago

Thanks @droidmonkey for setting up the issuehunt account. Let's add those contributions! @haizaar @leethax666

IssueHuntBot commented 4 years ago

@johanricher has funded $20.00 to this issue.


IssueHuntBot commented 4 years ago

@ppmathis has funded $20.00 to this issue.


issuehunt-oss[bot] commented 4 years ago

@haizaar has funded $20.00 to this issue.


KFDCompiled commented 4 years ago

Just $70 more to fund this bounty! @bmelman @madjoe @marcbone @TheEquity @kir4h @giox069 @altendky @reetp @aksdb @harpingon @t00 @ilsergente1993 @pandruszkow

issuehunt-oss[bot] commented 4 years ago

An anonymous user has funded $20.00 to this issue.


t00 commented 4 years ago

Above was myself, just forgot to log in - hope it helps.

issuehunt-oss[bot] commented 4 years ago

@altendky has funded $50.00 to this issue.


KFDCompiled commented 4 years ago

@droidmonkey I was going to start adapting c++ webdav from other projects like WebdavClient and webdav-client-cpp. I doubt you need it but I'd like to help if possible (I'm not at all interested in the bounty).

droidmonkey commented 4 years ago

I wouldn't use a library I would just create a small shim that speaks the WebDav protocol through Qt5. It is not too terribly complicated and you eliminate issues with SSL and socket handling by using standard Qt5 interfaces.

KFDCompiled commented 4 years ago

I can certainly try :) In addition to adding core functionality, other required changes include UI and database file operations, e.g., KeePass2Writer & KeePass2Reader. Is that approximately right?

droidmonkey commented 4 years ago

You don't need to do any database read/write operations, that is all handled through the Database class. You would use the shim to download/upload to/from a temporary storage location and operate off the temporary file. Apply a file watcher so that when changes occur (database finishes writing) the file is uploaded to the webdav. You can even put in a sync operation in between there.

KFDCompiled commented 4 years ago

I wouldn't wait on me for this... :(

issuehunt-oss[bot] commented 4 years ago

An anonymous user has funded $2.00 to this issue.


issuehunt-oss[bot] commented 4 years ago

An anonymous user has funded $50.00 to this issue.


huggenknubbel commented 4 years ago

SFTP would be perfect. Otherwise I need to keep KeePass.

gmarco commented 4 years ago

Please integrate WebDAV also, since this will only work for some company networks (so sftp/ssh allowed). Also syncing is an often used feature.

Until this is not implemented in KeePassXC, it is no alternative to KeePass :(

issuehunt-oss[bot] commented 4 years ago

@ppmathis has funded $48.00 to this issue.


issuehunt-oss[bot] commented 4 years ago

@mikescher has funded $6.00 to this issue.