
KeepassXC does not recognise YubiKey unless opened as Administrator on Windows 10 #11400

Closed
theoisadoor opened this issue Oct 23, 2024 · 7 comments

Comments

@theoisadoor

theoisadoor commented Oct 23, 2024

Overview

In an attempt to add another layer of security to my database, I have tried adding a YubiKey 5 NFC for 'Challenge-Response'. On Mac, have tested both YubiKey 5 NFC & YubiKey 5C Nano and both are recognised. On Windows, neither are recognised by KeepassXC unless the program is opened elevated. YubiKey Manager has no issue seeing the device without being opened elevated. Have tested on 2.7.7 & 2.7.8 to no avail.

Steps to Reproduce

Creating New Database

  1. Open KeepassXC without elevation
  2. Create new database
  3. Continue till you can 'Add Challenge-Response'
  4. 'No hardware keys detected'
  5. Open KeepassXC with elevation
  6. Repeat steps 2-3
  7. YubiKey now present and available

Editing Existing Database

  1. Open existing DB (without Challenge-Response enabled) without KeepassXC elevation
  2. Navigate to 'Database > Database Security...'
  3. 'Add Challenge-Response'
  4. 'No hardware keys detected'
  5. Open existing DB (without Challenge-Response enabled) with KeepassXC elevation
  6. Repeat steps 2-3
  7. YubiKey now present and available

Expected Behavior

YubiKey available as an option for 'Challenge-Response'

Actual Behavior

YubiKey is not present in the list as an option for 'Challenge-Response'

Context

Have tested on Macbook Pro 2019, same version (2.7.9 rev 8f6dd13) with no issue in recognising the YubiKey(s).

Windows

KeePassXC - Version 2.7.9
Revision: 8f6dd13

Qt 5.15.11
Debugging mode is disabled.

Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.19045

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Passkeys
  • SSH Agent
  • KeeShare
  • YubiKey
  • Quick Unlock

Cryptographic libraries:

  • Botan 3.1.1

Operating System: Windows/Linux/macOS

@droidmonkey
Member

I cannot replicate this. I did find an odd behavior in the auto-detection of yubikeys which I fixed in a recent PR. However, this did not prevent finding the key after a manual refresh. You'll have to check your system settings, maybe, on access to USB devices. Without replication there can be no fix. Also this only appears to be affecting you at the moment which raises the likelihood it is a local problem.

@theoisadoor
Author

Tried with a fresh install of Win10 and had the same issue, spoke it through with Yubico support, and they likewise couldn't replicate it. Not sure where the issue lies, because it's not a hardware fault since it is detected albeit not by KeepassXC unless elevated, and a fresh install of Windows didn't solve it either which should be the 'ideal' conditions.
I'm going to try installing Linux on this machine and see if I see the same behaviour, which would then entirely rule out hardware.

@theoisadoor
Author

Just tested with Ubuntu 24.04 and worked perfectly straight away, so not hardware.
Windows 10 22H2 19045.5011 is the version I am testing on.

@defkev

defkev commented Nov 3, 2024

I can replicate this!

Same Problem with a fresh 2.7.9 installation on Windows 10 22H2 I did just now → No hardware keys detected unless run as admin

For posterity on my Workstation, also running 22H2, KeePassXC 2.7.4 is working just fine with the same key. Same with 2.7.9 on Arch.

I'll try to downgrade KeePassXC to 2.7.4 later and see if this is a KeePass or Windows problem.

@droidmonkey
Member

droidmonkey commented Nov 3, 2024

Requiring administrator access automatically makes it an OS problem and not an app problem. This appears to be some issue with 22H2 and yubikey.

@theoisadoor
Author

theoisadoor commented Nov 5, 2024

I've just tested on Win11 22H2 22621.4317 and exact same issue again, will not work unless elevated.
I've pointed Yubico support towards this issue thread and hopefully they can investigate/resolve with Microsoft.

@tmo1

tmo1 commented Jan 23, 2025

Perhaps this (by Yubico) is relevant?

The following are scenarios where the error "Failed connecting to the YubiKey. Make sure the application has the required permissions." can appear in YubiKey Manager, as well as what to do in each case. ...

Windows

You attempt to open Applications > FIDO2

Due to API changes in recent versions of Windows 10/11, in order to access FIDO protocols, YubiKey Manager needs to be run as administrator. This can be done by right-clicking the app's shortcut, and then clicking Run as administrator.

You plug in a Security Key by Yubico or a Security Key NFC, but the key is not detected

Since our Security Keys support FIDO protocols only, and API changes in recent versions of Windows 10 have restricted access to FIDO protocols so administrator elevation is required, YubiKey Manager needs to be run as administrator in order to detect a Security Key. This can be done by right-clicking the app's shortcut, and then clicking Run as administrator.

See also here and here.
