keepassxc
Ignore confirmation on use setting when ssh key added to Windows OpenSSH
Expected Behavior
SSH key is added to agent
Current Behavior
SSH key is not added to agent
Possible Solution
Uncheck require user confirmation when this key is used
Steps to Reproduce
- Enable OpenSSH Client for Windows 10
- Enable SSH Agent for Keepass database
- Check use OpenSSH for Windows instead of Pageant
- Add entry for key file:
  - Add a private key file (I used an ecdsa key)
  - Enable key adding to agent when database is opened/unlocked
  - Enable key remove from agent when database is closed/locked
  - Enable require user confirmation when this key is used
Context
I switched from Linux to Windows and was very happy to see that there is also Windows support for ssh agent. When I found out it was not working I had to add it myself via shell.
Debug Info
KeePassXC - Version 2.5.3 Revision: f8c962b
Qt 5.13.2
Debugging mode is disabled.
Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.18363
Enabled extensions:
- Auto-Type
- Browser Integration
- SSH Agent
- KeeShare (signed and unsigned sharing)
- YubiKey
Cryptographic libraries: libgcrypt 1.8.5
So does the error only occur when you require user confirmation?
Yes
Looks like an upstream issue to me: https://github.com/PowerShell/Win32-OpenSSH/issues/1056
Does it actually work with -c from the command line and prompt you before use if you do that outside KeePassXC?
Tomorrow I'll try.
Any update on this?
I have the same problem, here is the output:
PS C:\Users\vv632728\.ssh> ssh-add.exe -c .\id_rsa_
Could not add identity ".\id_rsa_": communication with agent failed
PS C:\Users\vv632728\.ssh> ssh-add.exe .\id_rsa_
Identity added: .\id_rsa_ (.\id_rsa_)
Likely an issue on MS side.
When I uncheck Enable require user confirmation when this key is used then KeePassXC loads the key correctly.
Closing this as upstream issue, thanks @vvvlc for testing it.
Would it be possible to add a setting to ignore requiring user confirmation when the agent doesn't support it?
It's very inconvenient to disable user confirmation for Linux and macOS because I want to use the keys on Windows as well.
Hello,
As I write these lines, it seems Windows' native OpenSSH still does not support confirm-on-use. Because of that, and because I use the same KeePassXC database files on a mix of Linux/Windows/macOS at home & work, I have to accept the lowest level of security on ALL these machines, i.e. no confirmation-on-use. This is a bit annoying :-( I personally haven't found any other alternative for Windows that works and supports this feature.
So accepting this fact and clearly exposing that this option works only on Linux/macOS (and therefore not passing the '-c' flag to ssh-add when on Windows hosts), or accepting the proposal from @dancojocaru2000 to add a global setting to ignore confirmation, would really make it more usable without compromising security on other machines that correctly support it.
Please consider this request! Thank you.
@hifi since we know that this feature doesn't work when using Windows native OpenSSH, let's just ignore the setting when that combo is present.
@droidmonkey We know it doesn't work right now but when it does we would be gimping our side. Having an option would be slightly odd as well, maybe an option without a GUI that defaults to off on Windows so if it's ever implemented there's a workaround to force enable it?
Can we attempt to add with the option, and if that fails, fall back to without the option?
Then we would be silently discarding a security option which doesn't sound too good either. Even if it was non-silent we'd still ignore it without user intervention which is again worse for security.
I know the current behavior is not ideal but I'm conceptually against discarding security options without explicit user action or making it behave differently on different platforms by default (which I suggested in the previous message). An unsuspecting user could be leaving a key loaded in OpenSSH for Windows until they log out completely if they used a timeout, for example.
A warning about the behavior could be added on the Windows version of KeePassXC in the settings page where OpenSSH support is enabled?
Just got bitten by this. An improved error message mentioning that the configuration doesn't work with Windows OpenSSH instead of the vague "Agent protocol error", or a small label next to the option that mentions that Windows OpenSSH may not work with that option (shown only when the system is Windows and the OpenSSH agent is enabled, and maybe linking to this issue too) would really go a long way to mitigate what can otherwise become a significant source of frustration. Or provide access to the more detailed error (if there is one instead of that vague "protocol error").
I know it's very annoying to have to go after other people's broken stuff like this, and that it should be on Microsoft to fix this... but there are reasonable improvements to be made on KeePassXC too.
Just commenting as a reminder that the issue still exists and in case it motivates anyone to tackle it. Thanks for all the work you people put into this.
Agreed, just went down this rabbit hole as well. The error message should be augmented with something like "Windows doesn't support option "require confirmation" when using the OpenSSH agent, see #4374" when kpxc is configured to use the "native" agent and the user tries to add a key requiring confirmation.
If we cannot actually ignore these options (or target it specifically to OpenSSH for Windows) then a better error message hint will suffice. Also pairing this with #9661 would bring back functionality without relying on OpenSSH for Windows to implement it.
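As an added diagnostic example (not code from this thread, from KeePassXC or from OpenSSH), the Python below builds the same agent request that `ssh-add -c` and the "require user confirmation" checkbox send, i.e. SSH_AGENTC_ADD_ID_CONSTRAINED with the CONFIRM constraint byte, classifies the agent's reply, and turns the "works without -c, fails with -c" outcome seen above into a verdict instead of a vague protocol error. The key bytes are constructed placeholders, and the Windows named-pipe path in the comment is an assumption about the Win32-OpenSSH agent, not something stated on this page.

```python
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_CONFIRM = 2  # what "-c" / "require user confirmation" adds

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed placeholder for an ed25519 key's type-specific fields; NOT a real key.
KEY_FIELDS = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32) + ssh_string(b"\x02" * 64)

def add_identity_request(key_fields: bytes, comment: bytes, confirm: bool) -> bytes:
    """Framed add-identity request; confirm=True appends the CONFIRM constraint."""
    msg_type = SSH_AGENTC_ADD_ID_CONSTRAINED if confirm else SSH_AGENTC_ADD_IDENTITY
    body = bytes([msg_type]) + key_fields + ssh_string(comment)
    if confirm:
        body += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    return ssh_string(body)  # outer uint32 length frame

def classify_reply(frame: bytes) -> str:
    """Map a raw reply frame to 'success', 'failure' or 'protocol-error'."""
    if len(frame) < 5:
        return "protocol-error"
    (length,) = struct.unpack(">I", frame[:4])
    if length != len(frame) - 4:
        return "protocol-error"
    return {SSH_AGENT_SUCCESS: "success", SSH_AGENT_FAILURE: "failure"}.get(frame[4], "protocol-error")

def exchange(conn, request: bytes) -> bytes:
    """Send one request on a file-like agent connection and read the reply frame.

    Assumed transports: a Unix socket's makefile('rwb') on Linux/macOS, or on
    Windows open(r'\\.\pipe\openssh-ssh-agent', 'r+b', buffering=0) (assumption).
    """
    conn.write(request)
    conn.flush()
    header = conn.read(4)
    (length,) = struct.unpack(">I", header)
    return header + conn.read(length)

def diagnose(plain_reply: str, confirm_reply: str) -> str:
    """Verdict from adding the same key first without, then with, the CONFIRM constraint."""
    if confirm_reply == "success":
        return "agent honours confirm-on-use"
    if plain_reply == "success":
        return "agent loads the key but rejects the confirm constraint"
    return "agent rejects the key itself; check the key, not the option"
```

Running the two requests against the agent and feeding both classified replies to diagnose() distinguishes "confirm constraint unsupported" (the case in this thread) from a bad key or a broken connection.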