keepassxc: cannot access Yubikeys #4928
Comments
This is about keepassx (no c) not keepassxc. |
|
No idea but can use test
|
Oops. My bad.
Well that's interesting. There's no |
With all of them? Or just one? |
|
That was for all of them. I just tested all possible combinations of the three options (so 3x just one of them and 3x two of them). All combinations fail. The |
|
Then you will need to comment the profile and uncomment it line for line to find the problematic command. |
|
So the minimal number of changes I needed to make this work was to eliminate Should I open a pull request to modify the current comment about |
|
Are you really sure |
|
Yeah that was puzzling to me based on the current description of how |
|
@seonwoolee commented on Feb 13:
What does the yubikey show up as in /dev? That is, what is the output of If it shows up as |
|
By doing a |
|
@seonwoolee commented on Feb 13:
What are their permissions and the user:group owners outside/inside the
|
|
Outside the sandbox Inside the sandbox, run as normal user I tried Just for fun I tried |
|
@kmk3 any thoughts? |
|
@seonwoolee commented on Feb 13:
65534:65534 is probably because of To clarify the ACLs now, based on a similar previous attempt from this comment: What is the output of running the code below? getfacl /dev/hidraw1 /dev/hidraw2
udevadm info /dev/hidraw1 | grep SUBSYSTEM
echo
udevadm info /dev/hidraw2 | grep SUBSYSTEM
udevadm test "$(udevadm info --query=path --name=/dev/hidraw1)" 2>&1 |
grep -e GROUP -e MODE
udevadm test "$(udevadm info --query=path --name=/dev/hidraw2)" 2>&1 |
grep -e GROUP -e MODE
checkudevgroups() {
gids="$(udevadm test "$(udevadm info --query=path --name="$1")" 2>&1 |
grep GROUP | rev | cut -f 1 -d ' ' | rev | tr '\n' ' ')"
printf 'udev gids for %s: %s\n' "$1" "$gids"
printf 'udev groups for %s: ' "$1"
printf '%s\n' "$gids" | while read -r gid
do
getent group "$gid" | cut -f 1 -d :
done | tr '\n' ' '
echo
test -z "$gids" && return 1
}
checkudevgroups /dev/hidraw1
checkudevgroups /dev/hidraw2
0:0 is probably because
|
I had to change the hid IDs because they changed across the reboot, but here's what I get You checkudevgroups function doesn't work as intended. There is no line with "GROUP" in the output of Here's the output of that command, as root
|
|
I can confirm it works with |
I'm having the same issue |
|
I was having the same issue (but with an Onlykey) and it worked with |
|
If I start keepassxc with this command then Yubikey works and it also detects when it is inserted/removed: |
kmk3
changed the title
kmk3
changed the title
Description
I use KeePassXC to open my KeePass database that is protected with a password, key file, and a challenge-response from my Yubikey. After the version 0.9.68 update, KeePassXC can no longer access my Yubikey when run under firejail. I have verified that it works fine when run without firejail.
I saw #4883 and the corresponding PR #4915 to add back
nou2f. I have tried putting bothignore nou2fandignore private-devin my~/.config/firejail/keepassxc.local, but it still doesn't work. I also tried commenting outprivate-devin/etc/firejail/keepassxc.profile, but that didn't work either. I'm not sure where the problem actually is, as that's the only line inkeepassxc.profilethat has changed recently. I assume the problem lies in some other file thatkeepass.profileincludes, but I'm not sure which.Steps to Reproduce
Run
firejail keepassxc, select my database, and then attempt to select my Yubikey as my hardware key. In the terminal it outputs the errorYubiKey: Failed to initialize USB interface.(full log at the end)I also tried this without a
globals.localor akeepassxc.local, and it didn't work. I also tried this without aglobals.localand justignore nou2finkeepassxc.local, and it still didn't work.Expected behavior
KeePassXC can access my Yubikey for Challenge-Response authentication
Actual behavior
KeePassXC cannot find my Yubikey
Behavior without a profile
Terminal output is uneventful and KeePassXC successfully finds my Yubikey.
Additional context
This only started occurring after the 0.9.68 update.
Environment
Checklist
/usr/bin/vlc) "fixes" it).https://github.com/netblue30/firejail/issues/1139)browser-allow-drm yes/browser-disable-u2f noinfirejail.configto allow DRM/U2F in browsers.--profile=PROFILENAMEto set the right profile. (Only relevant for AppImages)Log
Output of
LC_ALL=C firejail /path/to/programOutput of
LC_ALL=C firejail --debug /path/to/programThe text was updated successfully, but these errors were encountered: