Keepassxc: Provide password cache for keepassxc-cli

Created on 14 Feb 2018  Â·  10Comments  Â·  Source: keepassxreboot/keepassxc

Expected Behavior



keepassxc-cli should have password cache, that similar to github password cache in git

Current Behavior



keepassxc-cli always prompt user a password in every operation

Possible Solution



implement it :)

Debug Info


KeePassXC - Version 2.2.4
Revision: 4723f66

Libraries:

  • Qt 5.7.1
  • libgcrypt 1.7.6-beta

Operating system: Debian GNU/Linux 9 (stretch)
CPU architecture: x86_64
Kernel: linux 4.9.0-4-amd64

Enabled extensions:

  • KeePassHTTP
  • Auto-Type
  • YubiKey
new feature CLI
Source
picture azzamsa
👍7

Most helpful comment

Gotcha perfect. I think we can abuse the browser proxy for this purpose.

picture droidmonkey on 28 Jan 2020
👍3

All 10 comments

Agreed; could keepassxc-cli communicate with client, if running, to ask for authentication status.

Additionally it'd be great if it defaults to whatever database currently loaded in keepassxc client, eg we could do

keepassxc-cli locate mysearch

instead of current

keepassxc-cli locate /path/to/my_db.kdbx mysearch
laur89 picture laur89 on 3 Jun 2018

with this the cli interface will depend on the gui client, right now the cli interface is pure cli that works standalone (can work without the gui installed)

TheZ3ro picture TheZ3ro on 5 Jun 2018

This is where the keyring integration would be nice

droidmonkey picture droidmonkey on 6 Jun 2018

Except that keyring integration is not available on all platforms, and not necessarily desired (especially on Windows).

Yes, I'd love to see the CLI client (or an alternative CLI client) have a mode that is similar to the browser plugin, where you auth it every X minutes and it can query for passwords on demand.

wohali picture wohali on 28 Jan 2019

Maybe you can use the open command now, this will give you an interactive session where you can issue multiple commands on the same database without giving a password each time.

sjamesr picture sjamesr on 28 Jan 2020

@sjamesr Hrm, I'd have to use an expect script to automate this, and I'd have to have a background process running all the time with the open command running in it, _and_ have some sort of RPC mechanism. Sounds bad.

Let me explain my use case: the idea is to provide scripting for my employees. They have a keepassxc database with some corporate passwords in them to access machines. I want them to be able to ssh to various machines in our infrastructure without being prompted. This could be for provisioning, or port forwarding, or other needs. A 3 or 4 line shell script should be all this needs, but right now I can't do this with keepassxc-cli at all.

wohali picture wohali on 28 Jan 2020

Please expand your description of your use case because I don't understand how you can have no prompt at all for your workers. At some point someone needs to unlock the database. Where/when does that occur in your use case?

droidmonkey picture droidmonkey on 28 Jan 2020

@droidmonkey If keepassxc is unlocked on their laptop already, then the CLI should be able to connect to that and retrieve the credentials. If it's not unlocked, it would prompt for a password.

wohali picture wohali on 28 Jan 2020

Gotcha perfect. I think we can abuse the browser proxy for this purpose.

droidmonkey picture droidmonkey on 28 Jan 2020
👍3

Hi,
there is a tool which seems to do what you describe here, at least for git.
git-credential-keepassxc

raphaelahrens picture raphaelahrens on 28 May 2020
🎉1 👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mstarke picture mstarke  Â·  3Comments
bleepnetworks picture bleepnetworks  Â·  3Comments
MisterY picture MisterY  Â·  3Comments
lostfictions picture lostfictions  Â·  3Comments
shyim picture shyim  Â·  3Comments