feat: Add support for YubiKeys with KeePassXC #3443
Looks promising.
ac92130 to a5bf013
This PR, in theory, adds YubiKey support to chezmoi's KeePassXC support. Refs #2002.

@MathieuDR @isindir would you be able to test this? You'll need to add something like this to your config file:

```toml
[keepassxc]
    args = ["--yubikey", "1:7370001"]
    mode = "open"
    prompt = false
```

For more information, see the changes to the documentation in this PR.

If needed, you can download a chezmoi binary from the most recent GitHub Actions run on this PR. Go to checks, click on
Hello, I have quickly tried following config:

```yaml
keepassxc:
  database: "/Users/username_redacted/path_redacted/file_name_redacted.kdbx"
  #args: ["-y", "2"]
  args: ["--yubikey", "2:serial_redacted"]
  mode: "open"
  prompt: false
```

commented args are the ones I have used with version

I also have tried to comment out
Thanks for testing - I don't have a YubiKey available and so can't test easily. What is the output of:

```console
$ /Users/redacted/homebrew/bin/keepassxc-cli \
    --yubikey 2:serial_redacted \
    /Users/redacted/path_redacted/file_name_redacted.kdbx \
    open
```

I'm particularly interested in the prompt that keepassxc-cli gives when using a YubiKey.
if c.Keepassxc.console == nil { | ||
// Create the console. | ||
console, err := expect.NewConsole( | ||
expect.WithStdout(os.Stdout), |
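Review bot: `expect.WithStdout(os.Stdout)` in the `expect.NewConsole(` call copies everything the keepassxc-cli session writes to chezmoi's own stdout, which would include entry data read from the database and would end up in any output a caller captures or logs. Drop the option before merging, or gate it behind an explicit debug setting that is off by default.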
Note to self: this line is for debugging and should be removed.
After entering password it opens prompt, but I have not noticed any yubikey activity.
How do you normally use keepassxc-cli with a YubiKey?
Are the
I'm normally using it with UI, after attempts to configure YK with chezmoi I have not tried it any more tbh. If I remember correctly, I was trying to configure it in a way, so that a single touch would trigger fetch of all the data when needed. The command which is used under the hood of chezmoi I believe is something like follows:
which silently waits for password and once entered shows me data. If I omit
and after entering correct password prints data to stdout. Without Yubikey inserted, it fails. This is how I use it now indirectly.
If I try to use it with
I think I configured DB to require both password and YK. And it feels now that current set of tools works correctly. Maybe no need to change the code. Also, I'm not using key file as auth method.
Great! Thanks for testing! In the case of needing both a password and a YubiKey, you'll need to remove the
With
Where
@twpayne Does this still need further testing? Thank you so much for this already 🎉!
@MathieuDR if you could check that it works for you, that would be fantastic!
I'll try to do it by this evening
LGTM, but I don't use keepassxc or have yubikeys, so…
||
The KeePassXC CLI does not currently support any persistent login, which | ||
means that you will have to enter your password every time you run chezmoi. | ||
If your database is not protected with a password, include the following in your |
I would reword this a bit:
If your database is not password protected, add `--no-password` to `keepassxc.args` and `keepassxc.prompt = false`:
It might be nice for keepassxc that if `prompt = false`, `--no-password` is automatically added (and just from a configuration perspective, if there were a `yubikey` configuration field, it would automatically add `--yubikey {{ .keepassxc.yubikey }}` to the params).
Thanks, wording updated.
For the automatic detection of prompt, this would require chezmoi to parse `keepassxc-cli`'s arguments the same way that `keepassxc-cli` does, which is likely to be fragile. I think it's OK to require the user to specify both the arguments and the configuration variable for now.
Great feature, I had the same issue with the --no-password but it was because keepass was configured to use both a password and Yubikey for auth.
Fixes #3440.
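The mismatch discussed in the review comments above (`--no-password` in `keepassxc.args` versus `keepassxc.prompt`) can be checked before a run. This is an added Go example, not chezmoi's code: `KeepassxcConfig`, `Lint` and `hasFlag` are hypothetical names, and the check uses plain token matching rather than keepassxc-cli's own argument parsing, which is the fragility pointed out in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// KeepassxcConfig holds the two settings the thread says must agree.
// Hypothetical type for this example, not chezmoi's own struct.
type KeepassxcConfig struct {
	Args   []string
	Prompt bool
}

// hasFlag reports whether args contains one of names as its own token or in
// "name=value" form. It does not reproduce keepassxc-cli's parser.
func hasFlag(args []string, names ...string) bool {
	for _, a := range args {
		for _, n := range names {
			if a == n || strings.HasPrefix(a, n+"=") {
				return true
			}
		}
	}
	return false
}

// Lint returns one warning per inconsistency between args and prompt.
func Lint(c KeepassxcConfig) []string {
	var warns []string
	noPassword := hasFlag(c.Args, "--no-password")
	yubikey := hasFlag(c.Args, "--yubikey", "-y")
	switch {
	case noPassword && c.Prompt:
		warns = append(warns, "--no-password is set but prompt is true: the password prompt is unnecessary")
	case !noPassword && !c.Prompt:
		warns = append(warns, "prompt is false without --no-password: keepassxc-cli will still wait for a password")
	}
	if noPassword && !yubikey {
		warns = append(warns, "--no-password without --yubikey: neither a password nor a YubiKey factor appears in args")
	}
	return warns
}

func main() {
	// Constructed sample: YubiKey slot given, prompt disabled, no --no-password.
	fmt.Println(Lint(KeepassxcConfig{Args: []string{"--yubikey", "2"}, Prompt: false}))
}
```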