libkeepass / pykeepass

Python library to interact with keepass databases (supports KDBX3 and KDBX4)
https://pypi.org/project/pykeepass/
GNU General Public License v3.0

Support for Yubikey / Hardware Key #311

Open MarcSchuh opened 2 years ago

MarcSchuh commented 2 years ago

Are there any thoughts on supporting Yubikey for challenge response as second factor?

zbyso23 commented 1 year ago

I don't think so; this is a library for manipulating KeePass databases, not a whole app.

MarcSchuhTNG commented 1 year ago

Sure, but the app uses the Yubikey to hash the password to increase entropy. So to say: "Make a short, easy-to-remember password strong", and hence it would be nice if the same hashing function could be used by the lib.

zbyso23 commented 1 year ago

I still don't understand why you need to add this functionality to a library created for manipulating KeePass databases? ...and how? A Yubikey is a hardware device which is dependent on some USB or another hardware port. I'm not a Python expert - maybe it's simple, but in my eyes it is a low-level operation with differences for every OS, so there would then be a big mess (dependencies) in this simple library because of Yubikey? I still think this operation is better implemented in the app which uses this library, not in the library itself.

MarcSchuhTNG commented 1 year ago

I understand your argument, but it still leads to the problem that I cannot access the database with this lib if it is encrypted with the Yubikey being a second factor.

zbyso23 commented 1 year ago

What about using this library together with the Yubikey library? https://yubico-client.readthedocs.io/en/latest/

janbrummer commented 10 months ago

I've managed to add Yubikey support into a hacked version of Secrets. In order to implement it in a sane way that is compatible with the KeePassXC implementation, I need access to the master seed of the database prior to unlocking it. This seed is used in the Yubikey's challenge-response mechanism. Could you please provide it?

Evidlo commented 9 months ago

I'm open to adding some amount of support for this if we check for optional dependencies such as yubico-client at runtime.

janbrummer commented 9 months ago

> I'm open to adding some amount of support for this if we check for optional dependencies such as yubico-client at runtime.

Although it is always nice having the necessary support in one lib, you are opening the gate for other crypto devices as well. I would request PKCS11 support afterwards and, going further, TPM support for it. IMHO this library should only support the core functions and leave the rest for the apps. Just my 2 cents.

janbrummer commented 9 months ago

Maybe adding an example of how to add Yubikey support would be enough? Based on the current changes in my PR?
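
The master-seed request in the thread above, as an added example that is not code from pykeepass, Secrets or KeePassXC: the seed sits in the unencrypted KDBX4 outer header, so it can be read before unlocking and used as the challenge. The HMAC-SHA1 function is a software stand-in for the Yubikey; the helper names, sample header and secret are constructed, and challenge padding and how the response enters the composite key are not shown.

```python
import hashlib
import hmac
import struct

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_END, FIELD_CIPHER_ID, FIELD_MASTER_SEED = 0, 2, 4


def read_master_seed(blob: bytes) -> bytes:
    """Return the master seed from the unencrypted KDBX4 outer header."""
    if len(blob) < 12:
        raise ValueError("truncated file")
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError("only the KDBX4 field layout is handled here")
    pos = 12
    while pos + 5 <= len(blob):
        # KDBX4 header field: 1-byte id, 4-byte little-endian length, data
        field_id, length = struct.unpack_from("<BI", blob, pos)
        pos += 5
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated header field")
        if field_id == FIELD_MASTER_SEED:
            return data
        if field_id == FIELD_END:
            break
        pos += length
    raise ValueError("master seed field not found")


def software_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the hardware key: 20-byte HMAC-SHA1 over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def build_sample_header(seed: bytes) -> bytes:
    """Constructed minimal KDBX4 header for the demo, not a full database."""
    def field(fid: int, data: bytes) -> bytes:
        return struct.pack("<BI", fid, len(data)) + data
    return (struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 4 << 16)
            + field(FIELD_CIPHER_ID, bytes(16))   # placeholder cipher UUID
            + field(FIELD_MASTER_SEED, seed)
            + field(FIELD_END, b"\r\n\r\n"))


if __name__ == "__main__":
    challenge = read_master_seed(build_sample_header(bytes(range(32))))
    print(software_response(b"constructed-secret", challenge).hex())
```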