Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssh agent integration doesnt add ed25519 keys #2102

Closed
kniteli opened this issue Jul 9, 2018 · 5 comments
Closed

ssh agent integration doesnt add ed25519 keys #2102

kniteli opened this issue Jul 9, 2018 · 5 comments
Assignees
@hifi
Labels
feature: SSH agent
Milestone
v2.3.4

Comments

@kniteli
Copy link

kniteli commented Jul 9, 2018
edited
Loading

I'm on Arch Linux with OpenSSH. I'm having no problem getting RSA keys added to ssh-agent correctly, but ed25519 keys silently fail on open, and when I manually click the "add to agent" button it fails to decrypt. If I physically copy paste the key it decrypts, so it's not an issue there.

Expected Behavior

ed25519 key should be added to ssh-agent on opening database

Current Behavior

Keepassxc doesn't add key to ssh-agent, nor does it mention anything about failing to decrypt unless I manually press "add to agent" button. In neither case is the key added to ssh-agent despite the passphrase being correct.

Steps to Reproduce (for bugs)

  1. Generate key: ssh-keygen -a 100 -t ed25519
  2. Use keepassxc to generate the password, use special characters + extended ASCII
  3. Add key and password to database entry with "add to agent on database open" and "remove from agent on database close" checked (no others).

Context

Just trying out modern algos, I'll probably just stick with RSA until this is resolved.

Debug Info

KeePassXC - Version 2.3.3
Revision: 0a155d8

Libraries:

  • Qt 5.11.1
  • libgcrypt 1.8.3

Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 4.17.4-1-ARCH

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Legacy Browser Integration (KeePassHTTP)
  • SSH Agent
  • YubiKey
@kniteli
Copy link
Author

kniteli commented Jul 9, 2018
edited
Loading

Ok, I wanted to try one more thing since typing a password seemed too simple an interface to have a serious bug. My original key used symbols and extended ascii. I created a new key without either of those (just the standard alphanumeric set) and keepassxc now correctly adds the key to ssh-agent, and it appears in ssh-add -l

@droidmonkey
Copy link
Member

Good report, definitely a bug there. Does this extended ascii password also break RSA keys?

@kniteli
Copy link
Author

kniteli commented Jul 9, 2018

RSA keys worked fine with the extended ASCII characters.

@hifi
Copy link
Member

hifi commented Jul 10, 2018

Thanks for the report. I will need to take a look where these characters are lost.

@hifi hifi added this to the v2.3.4 milestone Jul 13, 2018
@hifi hifi self-assigned this Jul 13, 2018
hifi added a commit to hifi/keepassxc that referenced this issue Jul 13, 2018
@hifi
SSH Agent: Expect passphrases to be in UTF-8
2712cd9 
The previous default was to expect passphrases to be ASCII or
rather Latin-1. It would be reasonable to expect modern keys to
use UTF-8 instead.

This is a non-breaking change if passphrases only use characters
that fall within ASCII.

Fixes keepassxreboot#2102
@hifi hifi mentioned this issue Jul 13, 2018
Merged
@hifi
Copy link
Member

hifi commented Jul 13, 2018

@kniteli Could you please test if #2117 fixes your issue? If it doesn't could you please provide a test database that has an embedded RSA and Ed25519 key where decrypting RSA works but Ed25519 doesn't?

Not exactly sure what "extended ASCII" means here. We need to interpret the passphrase in some encoding when convert them into raw bytes and which is used for someone's key depends on the encoding of the terminal they used to type those characters in I suppose. UTF-8 seems like a safer bet than Latin-1, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hifi hifi

Labels
feature: SSH agent
Projects
None yet
Milestone
v2.3.4
Development

No branches or pull requests
3 participants
@kniteli @hifi @droidmonkey