KeepassXC HMAC problems caused by Firejail?

9Syd85 · November 19, 2021, 10:53pm

Attempting to use OnlyKey 2.1.1 HMAC challenge-response for KeepassXC 2.6.6 on Linux Mint 20.1. The OnlyKey app works just fine, but KeepassXC doesn’t recognize the presence of the OnlyKey. When I refresh the list of hardware, nothing. Searching the forum I see a few others in the same boat.

I discovered that the only way I can get KeepassXC to recognize the OnlyKey is by running the flatpak version from the command line outside of Firejail protection.

flatpak run org.keepassxc.KeePassXC

That’s fine I guess, but inconvenient. Is there a way that I can tweak the Firejail profile to allow connecting to the OnlyKey?

t11 · November 22, 2021, 2:14pm

Do you have the OnlyKey UDEV rule added? There is an issue here that seems to resolve the same issue with Yubikey - Firejail app cannot communicate with my Yubikey · Issue #1176 · netblue30/firejail · GitHub

9Syd85 · November 22, 2021, 11:50pm

Thanks for finding that thread!

I copied /etc/firejail/keepassxc.profile to ~/.config/firejail/keepassxc.profile and then commented out the following lines. KeepassXC is able to detect the OnlyKey now.

#protocol unix,netlink
#private-dev

Topic		Replies	Views
OnlyKey not being recognised as Yubikey by KeePassXC Hardware Password Manager	17	1954	January 11, 2022
HMAC-SHA1 broken on the current version of OnlyKey FW and/or Utilities	1	233	March 31, 2021
Onlykey-agent fails after HMAC-SHA1/KeePassXC SSH, OpenPGP, GPG	2	299	January 26, 2022
KeepassXC: HMAC mismatch when saving KeepassXC database after OnlyKey timeout (kinda SOLVED) Challenge-Response	8	1364	April 2, 2024
2.1.2 firmware update-HMAC for KeepassXC Firmware Loading	10	434	February 23, 2022

KeepassXC HMAC problems caused by Firejail?

Related topics