keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

add a '--yubikey <slot>' option to KeepassXC program [25$] #6018

Open apfelchips opened 3 years ago

apfelchips commented 3 years ago

Summary

The KeepassXC binary is missing a --yubikey flag to autoselect the token / slot for autounlock.

Examples

"%ProgramFiles%\KeePassXC\KeePassXC.exe" --yubikey 1 --keyfile "%UserProfile%\secrets\YubikeyDBUnlock.key" "%UserProfile%\secrets\YubikeyDB.kdbx"

Context

Currently I can't use my yubikey to autounlock my database. It defaults to no Hardware key when using the cli-options.

This would work great in conjunction with AutoOpening other Databases secured by strong passwords. I would also be able to set the key to active mode, requiring me to touch it once to start the unlock, but not on every entry change on the nested DBs.

The --yubikey flag is already implemented on keepassxc-cli, so it should also be available on the main executable.

apfelchips commented 3 years ago

Also please don't warn the user when using an empty password, what's this warning even good for in the first place? Just try it and fail if unsuccessful.

There should also be the option to just lock the database with a yubikey alone, this way users could be handed security tokens like physical house keys.

Admittedly losing the second factor, but still better than a super weak/reused/shared password.

droidmonkey commented 3 years ago

It's not a warning, it's confirmation of user intent. If you have at least one credential present that works you won't see the question.

apfelchips commented 3 years ago

It's not much, but if someone would like to earn a quick 25$. https://www.bountysource.com/issues/96303028-add-a-yubikey-slot-option-to-keepassxc-program

droidmonkey commented 3 years ago

This will take a fair amount of work due to the way we handle unlocking from the command line. It's probably righteous work though since the current method takes multiple hops around the code base and relies on the GUI behavior too much.

JayBeeDe commented 3 years ago

Hi, very good idea!!!

Frederick888 commented 3 years ago

I wonder if it's possible to leverage ykchalresp to write a Bash wrapper for this?

I skimmed over the code and apparently it's not as easy as printf '%s' 'pw' | ykchalresp -2 - | keepassxc --pw-stdin... Can anyone shed some light on me please?

tuxcrafter commented 1 month ago

Any interest in adding this option, this ticket is three years old?

droidmonkey commented 1 month ago

It requires a small refactoring to wait for the yubikey detection to finish before attempting to unlock.