twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Add ability to specify extra flags for keepassxc-cli #2002

Closed isindir closed 2 years ago

isindir commented 2 years ago

Feature request description

Is your feature request related to a problem? yes

I'm trying to use the keepassxc-cli integration with yubikey protection and it does not work. What is missing is -y <slot>:<serial> from the command issued by chezmoi.

Describe the solution you'd like

I'd like to see a configuration feature where I'd be able to specify extra flags for keepassxc-cli in the configuration file. And I'd potentially like to specify multiple -y <slot>:<serial> flags, so that I can use different hardware keys with the same database without having special configs and remembering where to use which key (multiple -y are not yet supported by keepassxc as of version 2.7.1, but I have raised a separate ticket with the project).

What the potential solution could look like, various options in the ~/.config/chezmoi/chezmoi.yaml file:

preferred:

...
keepassxc:
  extra_args: "-y <slot>:<serial> -y <slot>:<serial>"
  database: "<full_path>/<file_name>.kdbx"
...

...
keepassxc:
  yubikeys:
    - "<slot>:<serial>"
    - "<slot>:<serial>"
    - ...
  database: "<full_path>/<file_name>.kdbx"
...

...
keepassxc:
  yubikey: "<slot>:<serial>"
  database: "<full_path>/<file_name>.kdbx"
...

Describe alternatives you've considered

I've tried the following config, but it fails as the whole string was interpreted as the db file name:

...
keepassxc:
  database: "<full_path>/<file_name>.kdbx -y <slot>:<serial>"
...

twpayne commented 2 years ago

The keepassxc.args configuration variable already exists, but I see that it is not mentioned in the keepassxc* template function documentation. I'll update the documentation.

In the immediate term you can use:

keepassxc:
  args:
    - "-y"
    - "<slot>:<serial>"
    - "-y"
    - "<slot>:<serial>"

isindir commented 2 years ago

Thanks @twpayne, I just discovered this feature via the code and am playing with it, trying to make it work.

isindir commented 2 years ago

@twpayne, FYI, I've got a somewhat satisfying result; summary:

I've used the following command to see more information on the go as well:

chezmoi --debug status --verbose

Every time chezmoi is invoked it requests the password once and then uses it to read a secret each time it needs a replacement via a template, but if the yubikey OTP slot is configured to require touch, it also requests the user to touch the sensor on each keepassxc-cli invocation (and without more debugging enabled this behaviour is invisible and gives the impression that nothing is happening). Touching the yubikey on each invocation is totally not an option.

I've disabled the touch functionality and now it works, but it takes a lot more time in comparison with using a db file not protected by the yubikey:

% /usr/bin/time chezmoi status
Insert password to unlock <full_path>/<file_name>.kdbx:
        9.78 real         6.19 user         1.33 sys
% /usr/bin/time chezmoi status
Insert password to unlock <full_path>/<file_name>.kdbx:
       51.67 real         6.42 user         1.92 sys

I understand that all of this may not be 100% relevant to chezmoi only, as I'm using a chain of tools chezmoi -> keepassxc-cli -> yubikey, but I think someone else may be interested in reading this in the future.

I'd think it's worth mentioning in the documentation not to enable the touch functionality on the yubikey OTP Challenge-response slot if the keepassxc db file is protected by it and used by chezmoi.

As for configuration, I'm now using the following settings for 2 yubikeys with the same OTP Challenge-response configured:

...
keepassxc:
  database: "<full_path>/<file_name>.kdbx"
  args: ["-y", "2"]
...

Thank you for an amazing tool. Regards

twpayne commented 2 years ago

Thanks for the report. I'm not sure if there's much else that chezmoi can do here. Other password managers have a time-limited login (typically by using a session key stored in an environment variable or by forking a daemon process), but KeepassXC does not have such a feature to my knowledge. Each invocation of keepassxc-cli requires the user to enter their password, which is why chezmoi caches it for the duration of the chezmoi process, otherwise you'd have to enter your password for every secret.

chezmoi suppresses the prompts from keepassxc-cli because otherwise they would be visible every time keepassxc-cli is invoked, so this is what's eating the Yubikey prompt.

For the performance issues, I'm pretty sure that these are also on the keepassxc-cli side. As you've seen from the code, all that chezmoi does is exec keepassxc-cli as a subprocess and then perform some mild transformation of the output.

I'll add some notes to the chezmoi documentation about using KeepassXC with Yubikeys. What's really needed, however, is better support from keepassxc-cli for being invoked repeatedly from a non-interactive process.
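The mechanics discussed in this thread, as an added illustration that is not chezmoi's own code: a `keepassxc.args` list is spliced into argv as separate elements (which is why `database: "<path> -y <slot>"` fails, the whole string becomes one file-name argument, while `args: ["-y", "2"]` works), the database password is prompted for once and cached for the life of the process, the password is fed to the subprocess on stdin so no prompt reaches the terminal, and the `Key: value` output is parsed into a map. The `KeePassXCConfig`, `Store`, `Runner` and `Prompter` names, the `/home/alice/vault.kdbx` path and the sample `keepassxc-cli show` output are all constructed for this example; the runner and prompter are injected so the whole thing runs offline without a real keepassxc-cli or YubiKey.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// KeePassXCConfig is a hypothetical struct mirroring the keepassxc section of
// chezmoi.yaml shown in the thread; it is not chezmoi's own type.
type KeePassXCConfig struct {
	Command  string   // binary to exec; defaults to keepassxc-cli
	Database string   // path to the .kdbx file
	Args     []string // extra argv elements, e.g. "-y", "2" for a YubiKey slot
}

// Runner executes argv with the given stdin and returns stdout. It is a seam so
// the real exec.Command call can be replaced by a fake when running offline.
type Runner func(argv []string, stdin string) (string, error)

// Prompter asks the user for the database password.
type Prompter func(database string) (string, error)

// Store caches the password for the lifetime of the process so the user is
// prompted once, not once per template lookup.
type Store struct {
	cfg      KeePassXCConfig
	run      Runner
	prompt   Prompter
	password string
	prompted bool
}

func NewStore(cfg KeePassXCConfig, run Runner, prompt Prompter) *Store {
	return &Store{cfg: cfg, run: run, prompt: prompt}
}

// Argv builds the command line for `keepassxc-cli show`. Each extra flag is its
// own argv element and no shell is involved, so a database value such as
// "vault.kdbx -y 2" would be passed as ONE argument and treated as a file name.
func (s *Store) Argv(entry string) []string {
	cmd := s.cfg.Command
	if cmd == "" {
		cmd = "keepassxc-cli"
	}
	argv := []string{cmd, "show"}
	argv = append(argv, s.cfg.Args...)
	return append(argv, s.cfg.Database, entry)
}

// Show returns the attributes of one entry, prompting for the password only on
// the first call; the password goes to the subprocess on stdin.
func (s *Store) Show(entry string) (map[string]string, error) {
	if !s.prompted {
		pw, err := s.prompt(s.cfg.Database)
		if err != nil {
			return nil, err
		}
		s.password = pw
		s.prompted = true
	}
	out, err := s.run(s.Argv(entry), s.password+"\n")
	if err != nil {
		return nil, err
	}
	return ParseShowOutput(out), nil
}

// ParseShowOutput turns "Key: value" lines into a map, splitting on the first
// ": " so that values containing a colon survive intact.
func ParseShowOutput(out string) map[string]string {
	attrs := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		k, v, ok := strings.Cut(sc.Text(), ": ")
		if ok {
			attrs[k] = v
		}
	}
	return attrs
}

// Demo wires the Store to a fake runner and prompter: two lookups of the same
// entry, and it reports how many prompts happened and which argv was built.
func Demo() (prompts int, calls [][]string, user string, err error) {
	cfg := KeePassXCConfig{
		Database: "/home/alice/vault.kdbx", // constructed path
		Args:     []string{"-y", "2"},       // YubiKey slot 2, as in the thread
	}
	runner := func(argv []string, stdin string) (string, error) {
		calls = append(calls, argv)
		// Constructed sample output in the style of `keepassxc-cli show`.
		return "Title: github\nUserName: alice\nPassword: s3cret\n", nil
	}
	prompter := func(db string) (string, error) {
		prompts++
		return "master-password", nil // constructed, never printed
	}
	s := NewStore(cfg, runner, prompter)
	for i := 0; i < 2; i++ {
		attrs, e := s.Show("github")
		if e != nil {
			return prompts, calls, "", e
		}
		user = attrs["UserName"]
	}
	return prompts, calls, user, nil
}

func main() {
	prompts, calls, user, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("prompts=%d user=%s argv=%q\n", prompts, user, calls[0])
}
```

Swapping the fake runner for one built on `os/exec` with the argv slice passed straight to `exec.Command` keeps the same property the thread relies on: nothing is split on whitespace, so a flag can only reach keepassxc-cli as its own list element.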