Keepassxc: Add message on SSH Agent page about setting the password

Can you reproduce the issue with a freshly generated key that would effectively have the same parameters as your own key?

I am also facing the same issue. I was able to use the agent pretty much positively under by Gnome Desktop Environment. I recently made a switch to KDE but whenever I try to add my new key it always throws up the error "Decryption failed, wrong passphrase?". Any pointers on how to manage that?

BTW thanks a ton for all the improvements over the original KeepassX. Huge fan of the software.

Debug Info

KeePassXC - Version 2.3.3
Revision: 0a155d8

Libraries:

• Qt 5.11.1
• libgcrypt 1.8.3

Operating system: Manjaro Linux
CPU architecture: x86_64
Kernel: linux 4.14.53-1-MANJARO

Enabled extensions:

• Auto-Type
• Browser Integration
• Legacy Browser Integration (KeePassHTTP)
• SSH Agent
• YubiKey

@theryecatcher I would need a test database that has a non-working test key as an attachment that can be added with ssh-add but not by KeePassXC. Could you possibly provide that?

If I can't reproduce it on my system I need to install a VM with the exact same distribution and DE you are using to try to get to the bottom of it.

Thanks for the update I tried to create a TestUser, TestDb and a TestKey. The thing is initially while loading the file it gave the "Decryption failed, wrong passphrase?" error. But if I continue to save by clicking on Apply and the OK the returning back to the entry >> ssh-agent decrypts the key. I am still running the same mentioned configuration as in the above comment. Uploading the test files that I used.

test.zip

My steps to test were (in a VM):

1. Install Manjaro KDE Edition 17.1.11
2. Update packages
3. Install KeePassXC from Arch community repo (2.3.3-1 at the time of testing)
4. add eval $(ssh-agent) to ~/.xprofile
5. Reboot
6. Test ssh-agent is running with ssh-add
7. Start KeePassXC and enable SSH Agent, then close
8. Double click on testDb.kdbx, use testdb as the passphrase
9. Go to entry SSH Agent page, browse to the key location on the test VM
10. Key is loaded and decrypted, adding to agent works

I tried to reopen the entry multiple times but it didn't fail to decrypt even once. :thinking:

I also get this error. Even if the error is displayed, the key will be added successfully. But the error certainly confused me.

How to reproduce:

1. Generate a RSA key and use a password
   openssl genrsa -aes128 -out id_rsa 2048 openssl rsa -in id_rsa -outform PEM -pubout -out id_rsa.pub
2. Add the entry in KPXC by providing the chosen password and choosing the generated key

I checked this behavior in both the latest commit (4ff63c2bf55f7801c7e3386f46c3a7f4b05a5952) and release 2.3.4.

There is no error, if I generate my key with this command ssh-keygen -t rsa -b 4096.

I cannot replicate this at all even with @schra steps. The key loads perfectly fine in the SSH Agent settings page displaying all relevant data.

Faced this issue aswell but kinda solved it. It is both a technical and and a UX feedback problem. I just added the private key in the SSH agent tab, and it said, decryption failed, wrong passphrase. I expected having to enter the passprhase in that tab, but you will have to do it in the entry tab.

So if you want to add a key:
1: Click Add new entry in the main screen
2: In moodle entry tab enter a name for the SSH key and add your passphrase (from your private key)
3: Add your private key in the SSH tab (it will still mention : decryption failed )
4: Click ok to save your entry
5: In main screen, right click the entry and select view details.
6: Select SSH tab and see loaded key (you will see the public part and fingerprint).

Hope that helps.

Reproduced in KeyPassXC 2.3.4. on Fedora 29.

@hifi, it wouldn't be too hard to duplicate the password entry field on the sshagent page. That might clear up confusion

I just had the same issue as @Sourcetreehugger : Even though the error message kept popping up, I could simply add the key and save it. When I now edit the key it shows the public part just fine, despite the initial error message.

And I agree with @droidmonkey that at least giving a hint like "password is available on entry page" would be great.