Provide password cache for keepassxc-cli #1483
Comments
|
Agreed; could Additionally it'd be great if it defaults to whatever database currently loaded in keepassxc client, eg we could do instead of current |
|
with this the cli interface will depend on the gui client, right now the cli interface is pure cli that works standalone (can work without the gui installed) |
|
This is where the keyring integration would be nice |
|
Except that keyring integration is not available on all platforms, and not necessarily desired (especially on Windows). Yes, I'd love to see the CLI client (or an alternative CLI client) have a mode that is similar to the browser plugin, where you auth it every X minutes and it can query for passwords on demand. |
|
Maybe you can use the |
|
@sjamesr Hrm, I'd have to use an Let me explain my use case: the idea is to provide scripting for my employees. They have a keepassxc database with some corporate passwords in them to access machines. I want them to be able to ssh to various machines in our infrastructure without being prompted. This could be for provisioning, or port forwarding, or other needs. A 3 or 4 line shell script should be all this needs, but right now I can't do this with keepassxc-cli at all. |
|
Please expand your description of your use case because I don't understand how you can have no prompt at all for your workers. At some point someone needs to unlock the database. Where/when does that occur in your use case? |
|
@droidmonkey If keepassxc is unlocked on their laptop already, then the CLI should be able to connect to that and retrieve the credentials. If it's not unlocked, it would prompt for a password. |
|
Gotcha perfect. I think we can abuse the browser proxy for this purpose. |
|
Hi, |
|
Perhaps a little off-topic; but I'd like a similar enter-password-once feature for use in scripting and automation; and I was thinking more along the lines of the sshpass tool that can pick up the password out of an envvar, for instance. The actual sshpass tool does not work with keepass, alas :-) |
|
The open command exists for caching purposes. But it is kind of useless for usecases like |
|
Oh man, I wish I saw @raphaelahrens post before this weekend :). I could save some time :D. I also created something to be able to use keepassc in scripts. It is wrapper around keepassxc-cli open. Something similar to what @wohali suggested and considered it as bad idea :). Nevermind, if someone would be interested you can find it here: Keepassxc-cli WRAPPER |
|
For those interested, on Linux, with FdoSecrets integration enabled, you can use edit: If you set up a separate DB for it, that can also work as a password cache (similar to gnome keyring). But |
|
@michaelk83 the system I need this working on is running without X. |
If we're still talking Linux, the GUI won't run without X (or Wayland), so the CLI won't have anything to connect to. Then this scenario won't be possible either:
But on a typical user's laptop, there should still be a desktop environment of some sort. This scenario is exactly what the FdoSecrets + FdoSecrets itself doesn't need a desktop, just DBus. So when the GUI is separated from the core, this should work on a server as well (see #5717). But that's still a while away. The DB can be unlocked via KPXC's native DBus interface, so no GUI is needed for that either. On Windows, this might work under WSL. Otherwise, a minimal Linux in a VM might do the trick, if you're willing to mess with that. |
|
We won't implement this beyond what is provided by using the |
Expected Behavior
keepassxc-cli should have password cache, that similar to github password cache in git
Current Behavior
keepassxc-cli always prompt user a password in every operation
Possible Solution
implement it :)
Debug Info
KeePassXC - Version 2.2.4
Revision: 4723f66
Libraries:
Operating system: Debian GNU/Linux 9 (stretch)
CPU architecture: x86_64
Kernel: linux 4.9.0-4-amd64
Enabled extensions:
The text was updated successfully, but these errors were encountered: