keepassxc: cannot access Yubikeys #4928
Comments
This is about keepassx (no c) not keepassxc. |
No idea but can use test
|
Oops. My bad.
Well that's interesting. There's no |
With all of them? Or just one? |
That was for all of them. I just tested all possible combinations of the three options (so 3x just one of them and 3x two of them). All combinations fail. The |
Then you will need to comment the profile and uncomment it line for line to find the problematic command. |
So the minimal number of changes I needed to make this work was to eliminate Should I open a pull request to modify the current comment about
|
Are you really sure |
Yeah that was puzzling to me based on the current description of how |
@seonwoolee commented on Feb 13:
What does the yubikey show up as in /dev? That is, what is the output of If it shows up as |
By doing a |
@seonwoolee commented on Feb 13:
What are their permissions and the user:group owners outside/inside the
|
Outside the sandbox
Inside the sandbox, run as normal user
I tried
Just for fun I tried
|
@kmk3 any thoughts? |
@seonwoolee commented on Feb 13:
65534:65534 is probably because of
To clarify the ACLs now, based on a similar previous attempt from this comment:
What is the output of running the code below?

    getfacl /dev/hidraw1 /dev/hidraw2

    udevadm info /dev/hidraw1 | grep SUBSYSTEM
    echo
    udevadm info /dev/hidraw2 | grep SUBSYSTEM

    udevadm test "$(udevadm info --query=path --name=/dev/hidraw1)" 2>&1 |
      grep -e GROUP -e MODE
    udevadm test "$(udevadm info --query=path --name=/dev/hidraw2)" 2>&1 |
      grep -e GROUP -e MODE

    # Print the gids (and group names) that udev assigns to device node $1.
    checkudevgroups() {
      gids="$(udevadm test "$(udevadm info --query=path --name="$1")" 2>&1 |
        grep GROUP | rev | cut -f 1 -d ' ' | rev | tr '\n' ' ')"
      printf 'udev gids for %s: %s\n' "$1" "$gids"
      printf 'udev groups for %s: ' "$1"
      # gids is a single space-separated line, so split it into words
      for gid in $gids
      do
        getent group "$gid" | cut -f 1 -d :
      done | tr '\n' ' '
      echo
      # fail only when udev reported no GROUP at all
      test -n "$gids"
    }
    checkudevgroups /dev/hidraw1
    checkudevgroups /dev/hidraw2

0:0 is probably because
|
I had to change the hid IDs because they changed across the reboot, but here's what I get
Your checkudevgroups function doesn't work as intended. There is no line with "GROUP" in the output of Here's the output of that command, as root
|
I can confirm it works with |
I'm having the same issue |
I was having the same issue (but with an Onlykey) and it worked with |
If I start keepassxc with this command then Yubikey works and it also detects when it is inserted/removed:
|
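An added example, not part of the thread or of firejail: a POSIX shell helper for the comparison the comments above ask for, namely how the /dev/hidraw* nodes look to a process outside and inside the sandbox. The function names are hypothetical; it assumes a Linux `ls` that prints numeric owners with `-n`, and it treats owner ID 65534 (the kernel's default overflow ID) as an owner with no mapping in the current user namespace.

```shell
#!/bin/sh
# Added example (not from the thread): show how each hidraw node looks to the
# calling process. Run on the host and again inside the sandbox, then compare.

OVERFLOW_ID=65534  # kernel default overflow uid/gid, shown for unmapped owners

# classify_owner UID GID -> unmapped | root | mapped
classify_owner() {
    if [ "$1" = "$OVERFLOW_ID" ] || [ "$2" = "$OVERFLOW_ID" ]; then
        echo unmapped   # assumption: 65534 means no mapping in this user namespace
    elif [ "$1" = 0 ] && [ "$2" = 0 ]; then
        echo root
    else
        echo mapped
    fi
}

# access_of PATH -> rw | ro | wo | none, as seen by the calling user
access_of() {
    r=''; w=''
    [ -r "$1" ] && r=r
    [ -w "$1" ] && w=w
    case "$r$w" in
        rw) echo rw ;;
        r)  echo ro ;;
        w)  echo wo ;;
        *)  echo none ;;
    esac
}

# hidraw_report [DIR] -> one line per DIR/hidraw* node.
# Returns 0 if at least one node is readable and writable, else 1.
hidraw_report() {
    dir="${1:-/dev}"
    usable=1
    for node in "$dir"/hidraw*; do
        [ -e "$node" ] || continue   # glob matched nothing
        # ls -ldn fields: 1=mode string (trailing + means an ACL is set), 3=uid, 4=gid
        set -- $(ls -ldn "$node")
        acc="$(access_of "$node")"
        [ "$acc" = rw ] && usable=0
        printf '%s mode=%s owner=%s:%s (%s) access=%s\n' \
            "$node" "$1" "$3" "$4" "$(classify_owner "$3" "$4")" "$acc"
    done
    return "$usable"
}
```

Source the file and call `hidraw_report` once on the host and once from a shell started inside the sandbox; no output at all means the nodes are not visible there, while `access=none` or an `unmapped` owner points at permissions rather than visibility.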
Description
I use KeePassXC to open my KeePass database that is protected with a password, key file, and a challenge-response from my Yubikey. After the version 0.9.68 update, KeePassXC can no longer access my Yubikey when run under firejail. I have verified that it works fine when run without firejail.
I saw #4883 and the corresponding PR #4915 to add back nou2f. I have tried putting both ignore nou2f and ignore private-dev in my ~/.config/firejail/keepassxc.local, but it still doesn't work. I also tried commenting out private-dev in /etc/firejail/keepassxc.profile, but that didn't work either. I'm not sure where the problem actually is, as that's the only line in keepassxc.profile that has changed recently. I assume the problem lies in some other file that keepass.profile includes, but I'm not sure which.
Steps to Reproduce
Run firejail keepassxc, select my database, and then attempt to select my Yubikey as my hardware key. In the terminal it outputs the error YubiKey: Failed to initialize USB interface. (full log at the end)
I also tried this without a globals.local or a keepassxc.local, and it didn't work. I also tried this without a globals.local and just ignore nou2f in keepassxc.local, and it still didn't work.
Expected behavior
KeePassXC can access my Yubikey for Challenge-Response authentication
Actual behavior
KeePassXC cannot find my Yubikey
Behavior without a profile
Terminal output is uneventful and KeePassXC successfully finds my Yubikey.
Additional context
This only started occurring after the 0.9.68 update.
Environment
Checklist
/usr/bin/vlc) "fixes" it).
https://github.com/netblue30/firejail/issues/1139)
browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
--profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
Log
Output of LC_ALL=C firejail /path/to/program
Output of LC_ALL=C firejail --debug /path/to/program