Keepassxc: Version 2.3.4: Can't add key to ssh agent (pageant)

Created on 28 Aug 2018  ·  13 Comments  ·  Source: keepassxreboot/keepassxc

Expected Behavior

When adding an SSH key to the agent it should be accepted.

Current Behavior

After updating to version 2.3.4 I always receive the message

Agent refused this identity. Possible reasons include:
The key has already been added. 


Possible Solution

Downgrade to version 2.3.3

Steps to Reproduce (for bugs)

  1. Start pageant
  2. Start keepassxc with enabled ssh plugin
  3. Try to add key to agent

Debug Info

  • Windows 10
  • Pageant 0.70
  • KeePassXC 2.3.4 (installed from chocolatey)

Enabled extensions:

  • SSH Agent
  • Browser
Windows SSH agent

All 13 comments

Wait, we have chocolatey distro now too?

Yes, the package is here: https://chocolatey.org/packages/keepassxc
It's not that new as you can see from the version history. But I don't expect any runtime differences. I can try the "official" distribution later.

The error is telling you that the key is already added, can you confirm that the key is NOT in pageant?

Yes, I can confirm this.
But if I add the key manually to pageant I can remove it with KeepassXC. But even after that I can't add it again with KeepassXC.

@hifi this one is for you

I just tried the msi 64 bit installer from the official page. Same behaviour! Unfortunately I don't know how to get some debug logs from keepassxc and pageant. Perhaps someone can give me a hint?

Just to be absolutely sure: you don't have any constraints configured for the key? Like require user confirmation or remove after X seconds?

Also what type of key it is, plain old RSA? Can you repro this with a new database and a new key?

Thanks.

No, both checkboxes are disabled. I've played around with new databases and new RSA keys. I was able to reproduce it with both. But I recognize that if I hit the Add to Agent button many times in a short time period, the key will appear in pageant after a few attempts. I could reproduce this several times. The remove action always succeeds on the first hit.

The problem does not appear

  • in the same environment with KeepassXC 2.3.3
  • and with the same DB in Ubuntu, KeepassXC 2.3.4 and openssh's ssh-agent

Ok, forget about the multiple clicks in my last comment. I guess I had somehow installed version 2.3.3 and 2.3.4 at the same time and mixed things up.
I've retested with a clean installed version 2.3.4:

  • a newly generated and attached 4096-bit RSA key could be added to pageant
  • changing the passphrase and comment (I think this was important) for the current key and creating a new entry makes it addable to pageant, too.
  • but after testing the old entry again, the new one fails with a 'bad passphrase' message.
  • deleting the old entry and reattaching the key to the new entry fixed it again

So I hope my setup will work now for me. But I assume that there is something broken with key handling in version 2.3.4. Is it the expected behaviour that the key comment in the UI shows 'id_rsa' until the key is added to the agent?

I will take a look at reproducing this on my end with your detailed description when I have time again, I've been rather busy this week. Thank you for the detailed steps.

The key shows up by default as "id_rsa" if you don't have a username set up for the entry. Old RSA keys don't have your key name embedded in them (only the .pub file does), so it's set up to do that instead of an empty one, as there have been compatibility problems with empty key names as well.

I found a work-around for this issue. I have several keys, one PEM generated by AWS, some other by ssh-keygen a while ago.

I stored one of the failing keys to disk and converted it to the "new format":

ssh-keygen -o -c -f id_rsa

-o Causes ssh-keygen to save private keys using the new OpenSSH format rather than the more compatible PEM format. The new format has increased resistance to brute-force password cracking but is not supported by versions of OpenSSH prior to 6.5. Ed25519 keys always use the new private key format.

Although this "new format" is supposed to be a default, I noticed that once I change the passphrase (-p) the format is reverted and I have to change (-c) the key again.

For me there was no difference if the key has a comment, passphrase or none (Username field is set). Once converted (-o) the key was loaded into pageant by keepassxc.

Note that I was able to load any version of this key into pageant using ssh-add.

/cc @maystar @hifi
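As an added example, not code from this thread or from KeePassXC, the following POSIX shell helper tells the two private-key formats apart by their PEM header and applies the same conversion as the workaround above. It uses `ssh-keygen -p -o` (the documented re-encrypt-and-convert combination) rather than `-c`; the function names and the sample header lines are constructed for the example and are not real keys.

```shell
#!/bin/sh
# Added example (not from the issue thread): classify a private key file by its
# PEM header and, only when ssh-keygen is available, rewrite legacy PEM keys
# into the new OpenSSH format that the workaround relies on.
# Function names and sample headers are constructed for this example.

# Print the format family of a private key based on its first line:
#   pem-rsa   -> legacy "BEGIN RSA PRIVATE KEY" (PKCS#1; what the workaround converts)
#   pem-other -> other legacy PEM headers (DSA, EC, PKCS#8)
#   openssh   -> new OpenSSH format, as produced by ssh-keygen -o
#   unknown   -> anything else (public keys, missing files, ...)
key_format() {
  first_line=$(head -n 1 "$1" 2>/dev/null)
  case "$first_line" in
    "-----BEGIN RSA PRIVATE KEY-----") echo pem-rsa ;;
    "-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|\
    "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pem-other ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
    *) echo unknown ;;
  esac
}

# Convert a legacy key in place to the new format. ssh-keygen -p re-encrypts
# the key (prompting for the old and new passphrase) and -o selects the new
# format; OpenSSH 7.8 and later write the new format by default, where -o is
# accepted but redundant. Exit status: 0 converted, 2 already in new format,
# 3 ssh-keygen not installed, anything else is ssh-keygen's own failure.
convert_to_openssh_format() {
  key="$1"
  [ "$(key_format "$key")" = openssh ] && return 2
  command -v ssh-keygen >/dev/null 2>&1 || return 3
  # Keep a copy first: the conversion rewrites the file in place.
  cp "$key" "$key.bak" || return 1
  ssh-keygen -p -o -f "$key"
}

# Constructed sample headers (not real key material) so the classifier can be
# exercised without touching a genuine private key. Prints the temp directory.
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...constructed...' > "$dir/legacy_rsa"
  printf '%s\n%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3Bl...constructed...' > "$dir/new_format"
  printf '%s\n' 'ssh-rsa AAAA...constructed... user@host' > "$dir/public_only.pub"
  echo "$dir"
}

# Usage: sh keyfmt.sh --demo   (classifies the constructed samples and cleans up)
if [ "${1:-}" = "--demo" ]; then
  d=$(make_samples)
  for f in "$d"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(key_format "$f")"
  done
  rm -rf "$d"
fi
```

The header check is the quickest way to tell which of the two formats a stored key is in before deciding whether the conversion is needed. The "increased resistance to brute-force password cracking" quoted from the ssh-keygen manual above comes from the new format deriving the encryption key with bcrypt, whereas the legacy PEM format derives it from a single MD5 pass over the passphrase, so converting is worthwhile on its own merits and not only as a workaround for the agent.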

Is this issue still relevant to anyone?

I just tried to change my password as described above and the agent loaded my key w/o complaining. LGTM
