keepassxc-cr-recovery not functioning #4744
Comments
Worked perfectly for me.
I opened a yubikey protected database with zero problems. Make sure your secret is typed using NO spaces and UPPERCASE.
Eventually this will be built into KPXC, maybe just the CLI. We'll see.
For the record your database needs to be KDBX4 format.
Is there any difference if I do it with cmd.exe or with PowerShell? Or whether it is admin or not? The Yubico personalization tool creates a .csv file where the secret key is located; it is in small characters. I tried that default form as well as changing all letters into capital ones, entering the secret key manually or pasting it from a notepad: no difference. It is kdbx4 format. It's impossible to enter valid secret key because it then gives the error: "couldn't decode secret: encoding/hex: invalid byte: ..." result is: author tested it with 1.13, I do it with 1.14, could it be the issue?
Again, make sure the secret has NO spaces or any other characters besides hexadecimal. No quotes, no whitespace, nothing.
Well, that is obvious. As I wrote, it wouldn't allow me to create a key file if I put an extra letter in front or after or a space in between. The only options are the secret key in small or capital letters; I tried both, also pasting as well as typing manually.
I likewise cannot create a keyfile that works, I get the same error message "HMAC discrepancy"
Since it seems to be working in your tests, I assume that there is something that makes my database incompatible. Is there a way to force KeepassXC to re-write the database in a current format, perhaps making it compatible that way?
I hexdumped my way through both keepassxc and keepass-cr-recovery and found that the recovery tool did not pad the challenge before applying HMAC-SHA1 as the yubikey-code does; I fixed the code and created a PR at #7521.
keepass-cr-recovery used the challenge unpadded, add padding as in https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfaceUSB.cpp#L291 https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfacePCSC.cpp#L747 Closes #4744
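The padding difference described in the comment and commit message above, as an added example that is not part of the thread or of PR #7521. It assumes the padding is a PKCS#7-style fill to 64 bytes, as in the linked driver code; the function names, the secret and the challenge are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// decodeSecret parses bare hex; a space, quote or other non-hex byte is an error.
func decodeSecret(s string) ([]byte, error) {
	secret, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("couldn't decode secret: %w", err)
	}
	return secret, nil
}

// padChallenge fills the challenge to 64 bytes, each pad byte holding the pad
// length (PKCS#7 style). Assumption: this mirrors the linked driver code.
func padChallenge(challenge []byte) []byte {
	padded := append([]byte{}, challenge...)
	if n := 64 - len(challenge); n > 0 {
		padded = append(padded, bytes.Repeat([]byte{byte(n)}, n)...)
	}
	return padded
}

// response computes HMAC-SHA1 over the challenge, padded or as given.
func response(secret, challenge []byte, pad bool) []byte {
	if pad {
		challenge = padChallenge(challenge)
	}
	mac := hmac.New(sha1.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

func main() {
	// Constructed sample values, not taken from any real key or database.
	secret, err := decodeSecret("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b")
	if err != nil {
		panic(err)
	}
	challenge := bytes.Repeat([]byte{0xAA}, 32)
	fmt.Printf("unpadded: %x\n", response(secret, challenge, false))
	fmt.Printf("padded:   %x\n", response(secret, challenge, true))
}
```

The two responses differ, so a recovery tool that skips the padding derives a different key than the YubiKey path did for the same challenge.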
Hi, keepassxc-cr-recovery doesn't work for my newly created database until I comment out modifications from #7521. Have no idea how to properly debug it, but will be glad to provide additional information. My KeePassXC version is 2.7.1.
Hm, 2.7.1 still uses the padding. I just tried it with a yubikey and v2.7.1: With a newly created DB I need to use the recovery tool with my patch from #7521 for the recovery to work. I have yubikey firmware version 3.4.9.
keepass-cr-recovery used the challenge unpadded, add padding as in https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfaceUSB.cpp#L291 https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfacePCSC.cpp#L747 Closes keepassxreboot#4744
Did anybody succeed using keepass-cr-recovery with KeePassXC 2.7.6? I followed all the steps from above by creating a new KDBX4 file (using Argon2d with a password + challenge/response), but wasn't able to open it again using my recovery key file. Any further pointers or suggestions? EDIT: I just got it working by compiling the keepass-cr-recovery in the KeePassXC's utils folder myself. I first used https://github.com/jeinwag/keepassxc-cr-recovery as a pre-built binary and assumed that this is the real deal, i.e. the original source. This did NOT work for me in turn, so just use the source in KeePassXC's utils folder. To the creators: Is the keepassxc-recovery part of a package (i.e. compiled), or is this always intended to be self-compiled?
It's not really part of the release. We will have a real recovery option in the main application at some point.
Hi,
I have installed go version go1.14.3 windows/amd64, (author used it with 1.13)
KeePassXC 2.5.4. on Win10
I have set up a challenge-response setting with yubikey 5 NFC, secret key was set using yubikey personalization tool (as admin) on slot 2,
KeePassXC is able to open such a database without any issues,
now when executing keepassxc-cr-recovery in command line, that db and keyfile,
I enter secret key which was set in yubikey personalization,
keyfile is generated,
when trying to open that db again with KeePassXC using password and key file option, without yubikey challenge-response, error is generated:
"error when reading db, wrong authentication data, try again, db file might be corrupted, HMAC discrepancy"
when opening it again with yubikey challenge-response it works fine,
any hint?
thanks