keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

shared database is overwritten (not merged) when configured with challenge-response with yubikey #9111

Closed krikk closed 1 year ago

krikk commented 1 year ago

Overview

user1 and user2 open a shared keepass file (on a UNC Path), which is protected with password + challenge-response (yubikey)

Steps to Reproduce

  1. user1 opens file with yubikey plugged
  2. user2 opens file with yubikey plugged
  3. user2 leaves keepassxc open but unplugs the yubikey (he goes on lunch break, keeps workstation and keepassxc running)
  4. user1 adds an entry to the shared keepass file
  5. the keepassxc process on user2 workstation tries to reload the keepass file, but fails to do so, because yubikey is missing
  6. user2 returns from break and re-plugs yubikey (but does not change anything)
  7. user2 closes keepass database (user gets NO warning prompt or anything) -> file seems to be saved automatically on close

-> BOOM user2 overwrites the change of user1, the entry from user1 is lost!

Expected Behavior

keepassxc should check for changes on the filesystem on every save?

Actual Behavior

user2 overwrites the change of user1, the entry from user1 is lost!

Context

if the user2 in step 6 does not replug the key, he will get a warning about saving changes on closing keepassxc

screen after step 5: image

screen the user2 sees before closing keepassxc (before step 7): image

KeePassXC - Version 2.7.4 Revision: 63b2394

Qt 5.15.6 Diagnosemodus ist deaktiviert.

Betriebssystem: Windows 10 Version 2009 CPU-Architektur: x86_64 Kernel: winnt 10.0.19045

Aktivierte Erweiterungen:

Kryptographische Bibliotheken:

my keepassxc.ini:

[General]
ConfigVersion=2
UpdateCheckMessageShown=true
AutoTypeHideExpiredEntry=true
OpenPreviousDatabasesOnStartup=false
AutoSaveAfterEveryChange=true
BackupBeforeSave=false
UseAtomicSaves=false
FaviconDownloadTimeout=3
GlobalAutoTypeKey=65
GlobalAutoTypeModifiers=201326592
BackupFilePathPattern={DB_FILENAME}-{TIME:yyyy-MM-dd_HH-mm-ss}.kdbx

[GUI]
CheckForUpdates=false
TrayIconAppearance=monochrome
ShowExpiredEntriesOnDatabaseUnlock=false
HidePasswords=true
AdvancedSettings=true
HidePreviewPanel=true
CompactMode=false
ApplicationTheme=classic

[Security]
LockDatabaseScreenLock=false
EnableCopyOnDoubleClick=true
AutotypeAsk=false
ClearClipboardTimeout=15
PasswordsRepeatVisible=false
IconDownloadFallback=true
ClearSearch=false

[Browser]
CustomProxyLocation=
Enabled=true
BestMatchOnly=false
SearchInAllDatabases=true
AlwaysAllowAccess=true

[SSHAgent]
UsePageant=true
UseOpenSSH=false
Enabled=true

droidmonkey commented 1 year ago

Always lock your database when you unplug your yubikey.... until #5290 is fixed
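
A minimal model of the lost update in the reproduction steps above, and of the save-time check asked for under Expected Behavior, added here as an illustration. It is not KeePassXC code: `SharedFileSession`, `ChangedOnDisk` and `replay_issue` are hypothetical names, and the file is a plain byte file with constructed contents, not a KDBX database.

```python
import hashlib
import os
import tempfile


class ChangedOnDisk(Exception):
    """The file changed on disk after this session last read it."""


def _read(path):
    with open(path, "rb") as fh:
        data = fh.read()
    return data, hashlib.sha256(data).hexdigest()


class SharedFileSession:
    """One user's open copy of a shared file (hypothetical, not KeePassXC's API)."""

    def __init__(self, path):
        self.path = path
        # Remember which on-disk version the in-memory copy is based on.
        self.data, self.base_digest = _read(path)

    def save(self, check=True):
        # Re-check at save time, so a reload that failed earlier (key
        # unplugged) cannot turn into a silent overwrite later.
        if check and _read(self.path)[1] != self.base_digest:
            raise ChangedOnDisk(self.path)
        with open(self.path, "wb") as fh:
            fh.write(self.data)
        self.base_digest = hashlib.sha256(self.data).hexdigest()


def replay_issue(check):
    """Replay the reported steps on constructed data; return (file bytes, blocked)."""
    path = os.path.join(tempfile.mkdtemp(), "shared.db")
    with open(path, "wb") as fh:
        fh.write(b"entry-A\n")
    user1, user2 = SharedFileSession(path), SharedFileSession(path)  # steps 1-2
    user1.data += b"entry-B\n"  # step 4: user1 adds an entry and saves
    user1.save(check)
    blocked = False  # step 5: user2's reload failed, so user2.data is stale
    try:
        user2.save(check)  # step 7: closing the database triggers a save
    except ChangedOnDisk:
        blocked = True  # a real client would offer to merge or reload here
    return _read(path)[0], blocked


if __name__ == "__main__":
    print(replay_issue(check=False))  # unchecked save: user1's entry is lost
    print(replay_issue(check=True))   # checked save: overwrite is refused
```

The check and the write are not atomic in this sketch; on a real network share the window between them still needs a lock or a write-to-temp-and-rename step.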