Keepassxc: YubiKey doesn't work on Snap version

Created on 27 Jun 2017 · 36 Comments · Source: keepassxreboot/keepassxc

I tried to enable and use YubiKey on the Snap version, but YubiKey doesn't show on the list of valid devices. I did a comparison with the Debian package (same version 2.2.0) and it works fine. So I think the problem could be related to Snap access to USB devices.

bug distribution high priority

All 36 comments

I did some research and installed KeePassXC using the '--devmode' option, and YubiKey worked fine. So it's a permission problem.

@droidmonkey Probably plugs missing

shakes fist

I have the same problem. waiting for the fix in 2.2.1 :)

I don't know if it's related or not, but this issue is also present in the appimage version

My 2 cents: Probably it is a permission-related problem too, where the application can't communicate using the USB interface. I can't say this is it because I don't know AppImage.

Same here with Ubuntu 16.4.3 and latest snapd. The --devmode solution is also working for me.

Can you guys with yubikeys check to see which plug does the trick? I'm assuming devmode connects all plugs

Sorry, but how could I check that?

I found out the 'raw-usb' plug does the trick, but this plug isn't connected automatically, for security measures. To do this test I cloned the repository, added the plug in snapcraft.yml, built the snap, connected the plug to the connector and used the 'snap try' command.

Ok great. One of my feedback items to the snap team was to make the discovery of unplugged plugs due to security more obvious. Right now the average user has no idea a plug is withheld until approved explicitly.

Is this the same issue happening on the Mac? When I try to change from a password or create a database with Challenge/Response, nothing shows, so I push Refresh and I see a blue line but nothing I can select. I have a YubiKey 4 Nano and it works everywhere else, it's just not showing in this application. Is there something else I need to do in order to use it?

@gcstang Maybe you need to enable a slot to use challenge-response. By default the first slot uses Yubico OTP and the second slot is empty. If the problem is still happening after this configuration, I'm afraid it is a different problem, because this problem is related just to Snap and AppImage (maybe Flatpak could suffer from this too). The problem is incorrect permissions to access USB devices, and I think Mac doesn't have this problem.

@mhalano Thank you for your response. It turns out I have 2 filled slots already, one is Yubico OTP and the other is static; neither is CR, so it seems like it won't work.

Glad to help. (:
If you are able to create a challenge-response slot, please let us know if it works for you.

Very excited to use yubikey with keepassxc, but still have issues.
Updated to the latest version 2.2.1 and tried snap on 2 different computers with Ubuntu 16.04.1 LTS, one a fresh Ubuntu install, and the issue is still reproducible (YubiKey doesn't show on the list of valid devices). Tried with the AppImage install and same issue. Only if using "sudo snap install --devmode" does it display the YubiKey option, but I'm not sure that I will trust all my passwords to --devmode.
Debug info:
KeePassXC - Version 2.2.1
Libraries:
-Qt 5.9.0
-libgcrypt 1.6.1

Operating System: Ubuntu 16.04.1 LTS
CPU architecture: x86_64
Kernel: linux 4.4.0-31-generic

Enabled extensions:
-KeePassHTTP
-Auto-Type
-YubiKey

@PeterWq You could execute:
sudo snap connect keepassxc:raw-usb core:raw-usb
As described on the link https://github.com/keepassxreboot/keepassxc/wiki/Snap-Tips

Thanks @PeterWq,
Yubikey is available as challenge response option now.

BTW, is there any guide available to set up the YubiKey challenge-response? I have set up my YubiKey using yubikey personalization tool >> challenge-response >> yubico OTP and it's working fine, but would like to check if I set it up correctly.
To confirm, it is still not possible to verify the GPG Snap package (#413), right? And AppImage 2.2.1 is not working with YubiKey on Ubuntu (#1034).

Thanks,
p.s. I will appreciate it if anybody can point me to any keepassxc forum(s) to read more info on how to set up the YubiKey and GPG-verify keepassxc.

The setup of your YubiKey is covered under YubiKey's documentation.

Here are my steps to get the yubikey option displayed using snap package with keepassxc 2.2.1 on Ubuntu 16.04.3 LTS:
1) install the keepassxc snap package:
sudo snap install keepassxc
2) manually enable the "raw-usb" interface in order to use your YubiKey (https://github.com/keepassxreboot/keepassxc/wiki/Snap-Tips), Thanks @mhalano:
sudo snap connect keepassxc:raw-usb core:raw-usb
3) to enable the ctrl+u to open the url (https://github.com/keepassxreboot/keepassxc/wiki/Snap-Tips), Thanks @mhalano :
sudo apt-get install snapd-xdg-open
4) install yubico pluggable authentication library to integrate with ubuntu (http://code.litomisky.com/2014/01/01/ubuntu-yubikey-2fa-config/):
sudo apt-get install libpam-yubico
5) restart the computer

@droidmonkey
Thanks for your response,
I have read and watched Yubico videos on how to, but I'm new to YubiKey and I'm still learning how to use it to secure my passwords as much as possible, so I (and maybe others too) would still like to know what options are the best to set up challenge-response settings for a YubiKey used with KeePassXC (or maybe somebody could advise what settings they are using)?

@PeterWq You just need to configure a regular challenge-response using yubikey-personalization-gui. The tricky part is: it needs to be HMAC-SHA1 challenge-response and not Yubico OTP challenge-response. Also, KeePassXC recognizes just one slot at a time, so you can't have two slots with challenge-response enabled.

You can have two slots enabled, the gui has a drop down to select the slot.

@droidmonkey In theory yes, but I just configured a YubiKey NEO with challenge-response using HMAC-SHA1 on both slots and just the first slot showed up.

I will test this myself, thanks for alerting me. Come to think of it, I only tested slot 1 or slot 2, not both.

Please let us know about the results.

Marcos H. Alano
Linux System Administrator
[email protected]

I have confirmed this is an issue and made a fix. The handling of yubikeys still needs a little work, but I will stage as a PR for 2.2.2 hopefully today.

See #1045

Thanks @mhalano

Would like to confirm if the next steps are correct to configure YubiKey challenge-response settings using the YubiKey Personalization Tool:
1) on the Challenge-Response tab, select a configuration slot (selected slot 1);
2) Configuration Protection - YubiKey unprotected - Keep it that way (probably will need to change to "YubiKey unprotected - Enable Protection" and add an access code that will need to be kept);
3) under the HMAC-SHA1 Parameters, select Require user input (button press), Variable input - checked, Secret Key (20 bytes Hex) - Generated (clicked the button);
4) under Actions, Write Configuration clicked and saved to the YubiKey.

BTW, how do you back up the YubiKey to be able to set up a new YubiKey if the original one is broken or lost? Is it enough to save only the Secret Key (from step 3 above) to set up a new YubiKey if needed in the future? How are people protecting their keepassxc from being locked out of their passwords if the YubiKey is not available (broken, lost, etc.)?

All you need is the secret key that was generated in step 3.
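A worked illustration of why the 20-byte secret alone is a sufficient backup, as an added example and not code from this thread or from KeePassXC: an HMAC-SHA1 slot returns HMAC-SHA1(secret, challenge), so a replacement key programmed with the same secret answers every challenge identically. The secret, challenge and recorded response below are constructed; the model deliberately ignores the key's variable-length padding handling and treats the challenge as the exact bytes to authenticate (an assumption of this example).

```python
import hashlib
import hmac

# Constructed 20-byte secret in the "Secret Key (20 bytes Hex)" form the
# Personalization Tool shows. Replace with the value you backed up.
SECRET_HEX = "1b2f3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d"


def yubikey_hmac_response(secret_hex: str, challenge: bytes) -> bytes:
    """Model of an HMAC-SHA1 slot: HMAC-SHA1 keyed with the 20-byte secret.

    The slot accepts challenges of 1..64 bytes and returns a 20-byte
    response; nothing else about the key state enters the calculation,
    which is exactly why the secret is the whole backup.
    """
    secret = bytes.fromhex(secret_hex)
    if len(secret) != 20:
        raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def backup_secret_matches(secret_hex: str, challenge: bytes,
                          recorded_response: bytes) -> bool:
    """Check a stored secret against a response the physical key produced
    for a known challenge, so the backup can be verified before it is needed.
    Constant-time comparison avoids leaking how many bytes matched."""
    expected = yubikey_hmac_response(secret_hex, challenge)
    return hmac.compare_digest(expected, recorded_response)


def demo() -> tuple:
    """Original key and replacement key share a secret and therefore agree;
    a key with a different secret does not."""
    challenge = b"keepassxc-constructed-challenge"  # constructed
    original = yubikey_hmac_response(SECRET_HEX, challenge)
    replacement = yubikey_hmac_response(SECRET_HEX, challenge)
    other_key = yubikey_hmac_response("ff" * 20, challenge)
    return original == replacement, original != other_key


if __name__ == "__main__":
    print(demo())
```

Because the backup is only the secret, it must be stored with the same care as the database password; anyone holding it can produce the key's responses.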

I recommend not requiring user interaction. It doesn't make the interaction any more secure, but a lot more annoying.

@phoerious It makes it more secure AND also annoying. Of course, requiring interaction is completely optional.

No, it doesn't add any security.

@phoerious In fact it adds security, because you need to be present to use the YubiKey device. Without this, someone could hack your machine and use the YubiKey normally.

If someone can use your Yubikey and inject its response into KeePassXC without you knowing, then they can also grab a memory dump of your database after you opened it. So nothing gained.

Perhaps KeePassXC should consider opening the database in Intel SGX-protected memory so that the database cannot be dumped. It will only work on newer CPUs, but as people buy new computers their overall security will increase.

https://ark.intel.com/Search/FeatureFilter?productType=processors&SoftwareGuardExtensions=true

Trusting Intel wouldn't be the first thing I'd do these days. But anyhow, this should be a separate issue.

#1378 opened to track it.

Actually, SGX-enabled apps proved resistant to Meltdown and pulling off a Spectre attack is very difficult in SGX from what I hear.
