Keepassxc: --no-password option for CLI

Created on 24 Apr 2018 · 7 Comments · Source: keepassxreboot/keepassxc

keepassxc-cli cannot open database with key file & empty password

Expected Behavior

I should be able to use keepassxc-cli on a database that requires only a key file with an empty password

Current Behavior

The command line prompts for a password even though the database does not have a password, and fails to open the database

Possible Solution

I haven't delved into the code yet; I don't know why this happens. There might need to be a switch like "--empty-password" for databases that only have a key and no password.

Steps to Reproduce (for bugs)

  1. Open keepassxc
  2. Select Database -> New Database
  3. Enter "test.kdbx"
  4. Click "Save"
  5. Uncheck "Password"
  6. Check "Key file"
  7. Click "Create"
  8. Enter "test.key"
  9. Click "Close"
  10. Click "OK"
  11. Select Database -> Quit
  12. run keepassxc-cli ls -k test.key test.kdbx
    A password prompt will show, and there is no way to successfully run commands on the database.

Context

I have a large number of password databases and backups that use no password, only a key file. I am trying to consolidate all of them and was hoping to use the CLI to automate this. Since the CLI is broken with passwordless databases, I cannot use the approach I wanted to.

Debug Info

KeePassXC - 2.3.1
Revision: 5a84978dab398978688268ccac31d749562cdf85

this probably isn't relevant, but
Operating system: Gentoo
CPU architecture: x86_64
Kernel: 4.9.76-gentoo-r1

bug CLI

All 7 comments

I hacked the code to get this working. I didn't achieve it in an ideal way; I just wanted to see what exactly the problem was. It looks like the CLI assumes you are using a password. That is a bad assumption: if we modify the CLI to run with only a key file, it can open databases that use a key and no password just fine.

This is the output from git diff src/cli/List.cpp, which I modified to allow me to run keepassxc-cli ls with a key file and no password. This works but isn't implemented properly; it's just proof of what the problem is and that the problem can be fixed.

diff --git a/src/cli/List.cpp b/src/cli/List.cpp
index bdedaf21..01d19dcc 100644
--- a/src/cli/List.cpp
+++ b/src/cli/List.cpp
@@ -26,6 +26,8 @@
 #include "core/Database.h"
 #include "core/Entry.h"
 #include "core/Group.h"
+#include "keys/CompositeKey.h"
+#include "keys/FileKey.h"

 List::List()
 {
@@ -58,7 +60,17 @@ int List::execute(const QStringList& arguments)
         return EXIT_FAILURE;
     }

-    Database* db = Database::unlockFromStdin(args.at(0), parser.value(keyFile));
+    CompositeKey compositeKey;
+    FileKey fileKey;
+    QTextStream errorTextStream(stderr);
+    QString errorMessage;
+    if (!fileKey.load(parser.value(keyFile), &errorMessage)) {
+        errorTextStream << QObject::tr("Failed to load key file %1: %2").arg(parser.value(keyFile), errorMessage);
+        errorTextStream << endl;
+        return 0;
+    }
+    compositeKey.addKey(fileKey);
+    Database* db = Database::openDatabaseFile(args.at(0), compositeKey);
     if (db == nullptr) {
         return EXIT_FAILURE;
     }
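
Review bot: The key-file failure branch ends with "return 0;", so a key file that fails to load exits with a success status; it should return EXIT_FAILURE, as the check just above the change and the "db == nullptr" check below it do, otherwise a script driving the CLI cannot tell that nothing was unlocked. The added block also calls fileKey.load(parser.value(keyFile), &errorMessage) without first checking that a key file was given, and it replaces Database::unlockFromStdin outright, so in this form ls never prompts for a password and can only open key-file-only databases. Suggest keeping the unlockFromStdin path as the default and taking the key-file-only path only when the user asks for it explicitly.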

Using a database without a password is a bad practice; anyway, it should still be possible to open it.

I think it's fair to assume that the database has a password. Adding a --no-password option to the relevant CLI commands seems like a good solution to me. We could pass that flag to Database::unlockFromStdin to avoid prompting for a password.

@aaronvasic If you're willing to work on this, I can review your PR.

Same problem.
KeePassXC - 2.3.1
Revision: 2fcaeea
Operating system: Windows 7 Pro x64

> keepassxc-cli.exe show --key-file h:\xxx\key h:\xxx\db test_record
Insert password to unlock h:\xxx\db:
Error while parsing the database: Wrong key or database file is corrupt.

> keepassxc-cli.exe show h:\xxx\db test_record
Insert password to unlock h:\xxx\db:
Title: test_record
UserName: testu
Password: testp
URL: testa
Notes:

> keepassxc-cli.exe show --no-password --key-file ......
Unknown option 'no-password'.

:-(

@chasevasic @heX16 the --no-password option has been added to the develop branch. You can go ahead and give it a try!

Added to 2.4.1
