Unable to enter "Keybase passphrase" to add second desktop client (Ubuntu)

[dannyman]

Adding a second desktop client (ubuntu)
Installed keybase, ran it, typed a long passphrase in my first client
GUI shows me a list of private folders I can not get into. There's a dialog labeled "Pinentry" that says:

Please enter your Keybase passphrase to unlock the secret key for Device [...] Reason: you must sign your new paper key

It will not accept my keybase passphrase. I tried putting in my paper key, but nada. I am totally locked out on the second computer:

djh@djh-dell-p5510:~$ ls /keybase/private
dannyman  dannyman,genos,rjmb  dannyman,rjmb
djh@djh-dell-p5510:~$ ls /keybase/private/dannyman

Used to be an error. Now it just hands.

my log id: 1be4929a0457ca5a723e3a1c

[maxtaco]

you provisioned the new device fine, but the new device has locked keys. You need to enter your correct keybase passphrase to unlock your keys. Have you forgotten your passphrase? Can you log onto the website with that same passphrase? You should be able too.

Note that this is your keybase passphrase, and not your paper key.

[dannyman]

Here's what I do:
Firefox Private Mode --> https://keybase.io --> Login --> email address & passphrase --> Success!

But:
Computer --> "keybase" --> "Show Keybase" --> "Please enter your Keybase passphrase ... Reason: KBFS Authentication" --> Fail

Also try: keybase login and the same GUI window pops up. Can I log in without going through a GUI element?

I use same passphrase on both occasions. Have tried rebooting, &c no dice. :(

djh@djh-dell-p5510:~$ keybase status
Username:      dannyman
Logged in:     yes

Device:
    name:      dell-p5510
    ID:        [removed]
    status:    active

Session:       dannyman [loaded: yes, cleared: no, expired: no]
    is valid:  yes
    keys:      locked

Key status:
    stream:    not cached
    secret:    not stored
    dev sig:   not cached
    dev enc:   not cached
    paper sig: not cached
    paper enc: not cached
    prompt:    skip
    tsec:      not cached

[maxtaco]

ok, this is sort of narrowing it down.

obviously super hard for us to debug "my password doesn't work" since I don't want to know your password to try it out.

a couple of things to try, I guess.

Can you try logging into the website with your username/password just to make sure it works? (you said email/password above)

Can you also provide a keybase log send?

thanks

[maxtaco]

Also, can you "show typing" and make sure your password is displayed properly in the GUI?

[dannyman]

I appreciate the difficulty on this bug report, aye. Possibly some bizarre-o pile of weird KDE interactions. :/

1. Website with username login okay
2. Sent another log: 0361722db9872a03f88e511c
3. When I click view passphrase it is rendered correctly in the dialog box.

If I could just do it through the terminal ... ;)

Cheers,
-danny

[maxtaco]

Can't figure out what's wrong. IT's either that your passphrase is being relayed incorrectly to the backend, or that your private key encryption weirdly failed. Your login is failing in trying to unlock your local secret key. Never seen this issue before.

You might try to deprovision your device (run keybase deprovision) and try to reprovision again (via keybase login).

[maxtaco]

Can you try to logout/login on your working device?

[dannyman]

Working device keybase UI is very different. keybase login results in a larger window with control widgets, my picture, and a select button that shows my username and gives me the option to select a different user.

New broken device keybase login presents a smaller window with no UI chrome, and the verbiage about "Please enter you blahblahblah" with no option to select an alternate user, picture, &c.

Right now the working device seems to have login blocked on an error:
CONN keybase service c1777851 .. onConnect handler: server is dead, not authenticating

I can not deprovision from the broken device because I can not successfully enter passphrase. I guess I could revoke it via web .. ?

[dannyman]

Both are 1.0.17 but different long-versions. The broken one is keybase version 1.0.17-20161013160323+c0170f4

[patrickxb]

It looks like on your broken device it is falling back to gpg pinentry, which can be problematic. My guess is the desktop app isn't running. Can you try

run_keybase

(which should start it) and then

keybase login

?

thanks!

[dannyman]

On the working device, run_keybase fires up the login prompt, which works fine.

I then keybase logout and keybase login and the login is blocking, no errors printed to console, just the ANSI squirrel staring at me, with hunger in its eyes. If I interrupt keybase login the login GUI stays up. I then run run_keybase and the login GUI goes away, everything restarts, squirrel, login GUI which works. Great success.

I do the same sequence on the broken client, and I get the login dialog at run_keybase which just tells me I am a failure at typing secret passphrases.

[maxtaco]

Uggg, this is going from bad to worse :(

On the machine that used to work, that is now hosed, can you do a keybase log send?

[patrickxb]

On the broken client, are you now seeing a pinentry with UI chrome?

[dannyman]

@maxtaco : on the good machine, run_keybase fixes the hanging keybase login ... I'll keybase log send ... 59895aa8c4abd2790f1dad1c

@patrickxb : on the broken client, run_keybase pops up a login dialog with no chrome, picture, or username select.

[maxtaco]

@dannyman any chance we can trouble you for a screenshot on the broken client? It seems as if the GUI isn't starting up for you....

Also try this:

keybase config set -b pinentry.disabled 1
keybase login

Also, do you have any weird non-ASCII characters in your passphrase?

[dannyman]

The login dialog that works:

The login dialog that does not work:

[maxtaco]

Ok, thank you, that really helps. OK, let's try some more creative ideas for dell-p5510

Can you do this, on dell-p5510?

keybase ctl stop
mv $HOME/.config/keybase $HOME/.config/keybase-old
run_keybase

And then try to reprovision again?

I'm curious to know if you'll have the same issue. Thank you for all of your help.

[dannyman]

That did it. I had to enter a word series into the working client, then was prompted for my paper word series into the new client, and I'm in.

whew

Huge thanks for all your time spent here.

Looking at keybase-old I see:

diff .config/keybase-old/config.json .config/keybase/config.json
3,5d2
<     "pinentry": {
<         "disabled": true
<     },
8c5
<             "device": "d8f92a0832562b96fb523d4875817318",
---
>             "device": "3c4aeba5f37429e6b479a908c2e62218",

Also variations in some of the values of secretkeys.dannyman.mpack ... any interest to you or just nuke it?

[maxtaco]

It's safe to nuke the old directory, and it's not a surprise that it's different, it's a totally new set of keys.

I'm very glad you're able to use your laptop now, but I'm highly perplexed/troubled (as is @patrickxb) as to what happened the first time. It's clear you were using the correct passphrase, so you must have hit some rare bug that we've never seen before.