KeePass: an MFA TOTP codes, a browser’s passwords, SSH keys passwords storage configuration and Secret Service integration

By | 12/12/2019
0 Comment
 

So, this seems to be the last one post in the whole series about passwords and SSH management in Linux.

The previous parts were about:

Actually, knowing all of this we can grab them all together and configure normal secrets management on a work laptop with Arch Linux and Openbox DE.

In this post we will configure KeePassXC for:

  • a browser integration to store passwords in the KeePass instead of the Chromium’s own SQLite database
  • TOTP codes generation for MFA
  • will integrate the ssh-agent with KeePass to store RSA keys passwords
  • and will enable Secret Service integration to use KeePass as keyring storage for Linux

KeePass vs KeePassXC

I’ll use KeePassXC instead of the KeePass.

In fact, from the very beginning, I switched to the KeePassXC just because by default it looks much better in Linux with Openbox.

KeePass:

KeePassXC:

Also, KeePass is written in C# from Microsoft and under Linux requires mono to work, while KeePassXC is written in C++ (see its repository) and work in easy on any platform – Linux/BSD/macOS/Windows.

Take a look at the thread on Reddit for more details.

As a browser, I’ll use Brave based on the Chromium so there will no difference in a configuration.

KeePass and a browser’s passwords – KeePassXC-Browser

At first, there is a good question – do you really want to switch passwords storage for your browser?

I.e, you have Chromium, it has its own SQLite database, passwords stored there in an encrypted way.

Furthermore, Chromium has no issue with founding credential fields on webpages, but this happens sometimes with KeePass.

On the other hand, when using KeePass – all your passwords (and SSH keys, etc) are always with you, in the same place. Easy to backup/restore, move/share between computers, add to another browser and so on.

So, everybody will decide this himself, but let’s write the KeePass and Chromium integration process.

Go to the Tools > Settings, then to the Browser Integration, enable it:

Find the KeePassXC-Browser plugin, install it:

Go to the Settings:

  • Default group for saving new passwords – usually, I’m disabling the default KeePassXC-Browser Passwords and enabling this option to be always asked where I’d like to save a new password as in my database everything is divided over groups
  • Activate 2FA/OTP field icons – can enable if actively using MFA, but is it worth to do it? See the KeePass MFA TOTP generator below
  • Automatically reconnect to KeePassXC – comfortable to always stay connected to the database, didn’t saw any lags/bugs yet
  • Automatically fill in HTTP Basic Auth dialogs and submit them – looks useful, but I wasn’t able to make it works – an HTTP-form window always was displayed

Go back to the plugin, click Connect:

Set a connection name:

Check KeePass about connected browsers:

And it’s done – the icon is green now:

Log in somewhere and KeePass will prompt to save the password:

Save it (New), log in again – and our credentials are here now:

KeePassXC MFA TOTP generator

One more interesting thing – TOTP codes generator in the KeePassXC.

Still, there is a serious question: is it a good solution to enable it?

The main idea behind the MFA authentication is exactly to use two separate services to authenticate you, i.e. login:password from the one side, and a TOTP-code from your MFA on another.

Is it worth to keep them together in the same KeePass database – absolutely about you, but keep in mind that if somebody will get access to your KeePass – then you’ll have no chance for the MFA as the last hope to keep your data secure.

Still, such an option is present, I’m using MFA, so let’s take a look at how to configure it.

During an MFA configuration – chose something like “Show secret key” or “Can’t scan QR“, depending on a service, to see a text code instead of QR code.

Here is an example from the AWS Console:

Save the code, then in your KeePassXC find or update an entry you’d like to configure MFA for, right-click on it – TOTP > Set up TOTP:

And set the Secret Key from AWS:

Save, right-click again – Show TOTP:

And finish MFA configuration in AWS:

Try to log in, but… The button to fill up the TOTP field doesn’t works 🙁

And it didn’t work in Chromium for Gmail too.

Well – the code in the KeePass is generated, so just manually copy it by right click or by using Ctrl+T – and we are done here.

KeePass and ssh-agent for SSH keys passwords

The idea here is to store SSH keys passwords in the KeePass, and access them via ssh-agent without being asked for a SSH-key password.

It is already described in more details in the Linux: KeePass, SSH и хранение паролей RSA-ключей post, but it’s available in Russin only at this moment (will translate it in next couple of days).

Check if ssh-agent is running:

[simterm]

$ ps aux | grep ssh-agent
setevoy     1505  0.0  0.0   5796   456 ?        Ss   Dec10   0:00 ssh-agent

[/simterm]

If no – start it:

[simterm]

$ eval $(ssh-agent)
Agent pid 950428

[/simterm]

Check if the $SSH_AUTH_SOCK variable is available, as it will point to a socket used for communication with the agent:

[simterm]

$ env | grep SSH
SSH_AUTH_SOCK=SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket
SSH_AGENT_PID=950428

[/simterm]

Go to KeePass Tools > Settings, enable SSH Agent:

Restart KeePass and add a new key.

Generate it, set a password:

[simterm]

$ ssh-keygen -f /home/setevoy/rtfm-do-prod-setevoy
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/setevoy/rtfm-do-prod-setevoy.
Your public key has been saved in /home/setevoy/rtfm-do-prod-setevoy.pub.
...

[/simterm]

Pay attention that here is the -f used to set a key-file and it is not in the .ssh directory to make it simpler to add to the KeePass.

Check files:

[simterm]

$ ll /home/setevoy/rtfm-do-prod-setevoy*
-rw------- 1 setevoy setevoy 2655 Dec 11 10:53 /home/setevoy/rtfm-do-prod-setevoy
-rw-r--r-- 1 setevoy setevoy  579 Dec 11 10:53 /home/setevoy/rtfm-do-prod-setevoy.pub

[/simterm]

Go back to the KeePass, create a new entry, set any name, and set your key’s password in the Password field:

In the SSH Agent, a key can be added as Attachment, or as External file.

I’d suggest using Attachment as in this case the key will be stored in the database directly, and you’ll not need to copy it over your working/home/etc laptops.

In the same window switch to the Advanced, tab and attach the key file:

Go to the SSH Agent, add the key from the Attachment:

Here, pay attention to the Add key to agent when database is opened/unlocked option – worth to enable it only for keys that are used often and best to keep them less than 5, because when ssh-agent will try to connect to a host – it will try to use every key accessible in the ssh-agent, and SSH server on a remote host can close connection to “prevent a brute-force”.

Okay, try to connect to a host:

[simterm]

$ ssh [email protected]
Linux rtfm-do-production 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
...
setevoy@rtfm-do-production:~$

[/simterm]

Okay – it works.

Remember, that using this approach ssh-agent must be started beforehand of the KeePass and must export its $SSH_AUTH_SOCK variable in such a way, so KeePass can see it. Check options in the Running ssh-agent with multitype terminals.

I’m using the variant with the systemd service and the socket path will be exported via the ~/.config/openbox/environment file (as I’m using Openbox DE).

My unit-file /home/setevoy/.config/systemd/user/ssh-agent.service:

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

And environment file – ~/.config/openbox/environment:

export QT_QPA_PLATFORMTHEME="qt5ct"
export SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

The last step just for a bit of comfort – add a “short-name” for the connection to the ~/.ssh/config:

Host rtfm
 Hostname rtfm.co.ua
 User setevoy

We are not adding IdentityFile at all – ssh-client will ask for ssh-agent about available keys to try to log in, so we are not tied to a key-file on the disk.

Connect now using this short-name:

[simterm]

$ ssh rtfm
...
setevoy@rtfm-do-production:~$

[/simterm]

Passwords were asked neither for the user nor for the key – everything is working, as expected.

sign_and_send_pubkey: signing failed: agent refused operation

A short side-note: if you’ll enable the “Require user confirmation when this key is used” option now:

Then during SSH logging in process, sometimes you can see the “sign_and_send_pubkey: signing failed: agent refused operation” error:

[simterm]

$ ssh rtfm
sign_and_send_pubkey: signing failed: agent refused operation
Load key "/home/setevoy/.ssh/id_rsa": Is a directory
[email protected]'s password:

[/simterm]

It happens because ssh-agent trying to ask a user for confirmation and uses the ssh-askpass utility which can be not installed in  a system:

[simterm]

$ file /usr/lib/ssh/ssh-askpass
/usr/lib/ssh/ssh-askpass: cannot open `/usr/lib/ssh/ssh-askpass' (No such file or directory)

[/simterm]

Install the x11-ssh-askpass package:

[simterm]

$ sudo pacman -S x11-ssh-askpass

[/simterm]

Re-try log in – and now you must see such a window with confirmation request:

Click on the ОК – and now all works.

KeePass and Secret Service integration

For a better understanding of keyrings in general and the Secret Service in particular cases – I’d strongly recommend you first to read the What is: Linux keyring, gnome-keyring, Secret Service, and D-Bus post.

At a first, let’s make sure we have no Secret Service available in our system – check the D-Bus:

[simterm]

$ qdbus --session org.freedesktop.DBus / org.freedesktop.DBus.GetConnectionUnixProcessID org.freedesktop.secrets
Error: org.freedesktop.DBus.Error.NameHasNoOwner
Could not get PID of name 'org.freedesktop.secrets': no such name

[/simterm]

Okay, it’s empty.

Go to the KeePass, Tools > Settings, choose the Secret Service Integration, enable it:

Now, go to the KeePass database’s settings, and in its Secret Service Integration settings specify a collection (team, folder) which will be used to store our secrets:

Also, it’s a good idea now to start KeePass beforehand every other application in the system.

In my case, this can be done with the ~/.config/openbox/autostart file:

xrandr --output HDMI-1 --primary
xrandr --output eDP-1 --right-of DP-1

feh --bg-scale /home/setevoy/Pictures/Wallpaper/seryy-kapli-strela-ten-arch.jpg &

tint2 -c /home/setevoy/.config/tint2/setevoy-tint2-90-pecent-bottom-wrk.tint2rc &
polybar -c /home/setevoy/.config/polybar/setevoy-polybar-wrk-bars.conf bottom &
polybar -c /home/setevoy/.config/polybar/setevoy-polybar-wrk-bars.conf top &
sleep 5

keepassxc &
dropbox &
lxqt-notificationd &
xscreensaver &
qxkb &

skypeforlinux &
sleep 5
slack &
...

Run a browser:

[simterm]

$ chromium --password-store=gnome

[/simterm]

And in the KeePass’ Tools > Settings check services which are using Secret Service now:

A notification from the KeePass when Chromium tries to access its password to decrypt some passwords in its SQLite database:

But here is another issue: when I’m starting Chromium via gmrun – it’s started with the --password-store=basic instead of the --password-store=gnome, although it has to check if a Secret Service is available and run “gnome” instead of the “basic” storage.

To salve it – read the Arch Wiki and create a ~/.config/chromium-flags.conf file:

--password-store=gnome

Restart the browser, go to the chrome://version/, and check options:

Okay, it worked for the Chromium – but Brave still uses the “basic” option.

For the Brave browser in Arch Linux, you can create a ~/.config/brave-flags.conf file, as mentioned in this>>> comment, so we can just to copy the existing one:

[simterm]

$ cp .config/chromium-flags.conf .config/brave-flags.conf

[/simterm]

Restart Brave, check its options:

And in the Secret Service of the KeePass, the brave record appeared, so it’s using the Secret Service now:

Done.