OnlyKey not being recognised as Yubikey by KeePassXC

Hi, I’m trying to set up my OnlyKey for use as a Hardware Password Manager, but I’m having trouble getting KeePassXC to recognise the OnlyKey for Challenge-Response purposes. This is what has been going on so far…

I set up my OnlyKey as standard, with a Primary PIN, Secondary PIN, Backup passphrase, and Self-Destruct PIN, and then followed all of the different HMACSHA1 setup methods in the User Guide and forum discussions.

Note: I have been generating hex key passwords using the command:
openssl rand -hex 20
I used the product from this command where I mention [PASSWORD] below.

First I tried using the GUI OnlyKey App, by selecting the HMACSHA1 (slot 1 - #130), and inserting a [PASSWORD] into the “private key” box. It simply said “[EEC/ECC - I forget] needs to be 64 characters”. I counted the characters, it was in fact 64. I tried a few more times but it didn’t work.
Then I tried using onlykey-cli by running the following command progressions (I performed a full reset and firmware reload using the most recent firmware release [Signed_OnlyKey_2_1_1_STD.txt] between each failed attempt, just to be sure), making sure to Ctrl+D to exit interacting mode before closing the terminal:

onlykey-cli
setkey 130 HMAC1
[PASSWORD]

onlykey-cli
setkey HMAC1 130
[PASSWORD]

onlykey-cli
setkey 130 HMACSHA1
[PASSWORD]

onlykey-cli
setkey HMACSHA1 130
[PASSWORD]

onlykey-cli
setkey 130 9
[PASSWORD]

My current understanding is that I have to program HMAC1 “slot 1 - #130” for HMAC1 protocol before KeePassXC will recognise the OnlyKey as a Yubikey for Challenge response purposes.

Please tell me if I made any mistakes. For reference, I have managed to create a KeePassXC database, and I programmed slot 1a of the OnlyKey to input the password and return after input, so the normal functions of the OnlyKey are easy enough for me to figure out, but I’m at a loss with this.

You don’t have to do anything to use HMAC challenge response. It’s all ready to go out of the box.

The instructions for setup of KeepassXC are here - OnlyKey User's Guide | Docs

What you describe above is attempting to set custom HMAC keys; you can do that or use the random key already set on OnlyKey. The HMAC key is 20 bytes long and you set it like this in the OnlyKey app using your custom random key value.


Still no response from KeePassXC.

I did a factory reset, then reloaded the firmware as before, then went through the setup again. I then tested the standard functions to make sure it was working, which it was. I then opened KeePassXC and clicked “Continue” twice, not changing any of the default database settings. I clicked “Add Additional Protection”, double-checked that my OnlyKey was open in the OnlyKey App, and clicked “Add Yubikey Challenge-Response”. It didn’t come up, so I clicked refresh, and still no luck. I then tried setting a custom HMACSHA1 key as stated in the method you described, first using “openssl rand -hex 20”, and when the OnlyKey app responded “ECC Key must be 64 characters”, I tried using the exact key listed in the image from your post, but got the same message.

I then opened the packaging of the secondary key I bought as a backup, hoping to put it through initial setup, but every time I tried to enter a PIN during initial setup, it was registering additional button presses that I didn’t make, so I just put it aside for now. I’ll reattempt the setup of that secondary key again later.

It sounds like KeePassXC can’t communicate with the key. If you’re on Mac you have to follow the instructions to change privacy settings to allow the app to see input devices.

I’m using Linux Mint 20 Cinnamon. I tried finding a way to change the permissions but couldn’t find it. Do I need to run something in the terminal?

Did you follow instructions for Linux? Does the OnlyKey app work? - Using OnlyKey with Linux | Docs

The OnlyKey App works. I managed to set up the OnlyKey with primary, secondary and self-destruct PINs, and backup passphrase. I just can’t get KeePassXC to communicate with the OnlyKey. I can’t find the way to change the permission settings.

If the app works, USB communication works. I know others have had issues with Yubikey/KeePassXC on Linux; maybe try another computer.

Fixed the old problem, now a new problem.

I tried it on the same computer using Windows (I have dual-boot set up). I went through the KeePassXC database creation, and it all works. I set the OnlyKey Slot 1a with a Label, the KeePassXC database password, and the FIDO2/U2F setting; the OnlyKey showed up on KeePassXC, with Slot 1 and 2 as expected, database created and saved so that’s fixed.

New issue though; when I press the “#1” button to activate slot 1a of the OnlyKey, the Password types out, and I select the HMAC slot I used when setting up the OnlyKey, and when I press “OK” I get this message:
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)
I tried resetting the OnlyKey and repeating the whole process (I thought that maybe there was a problem with the HMAC slots?), but I got the same message.

Any suggestions?

Also, given that my initial problem, labelled in the title of this post is solved, should I close this post and open a new one with this new problem for easier access by other people? I ask this because I went searching the entire support forum for this.
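Added illustration (not from any poster or from the OnlyKey/KeePassXC projects) of the two points raised in this thread: the HMAC-SHA1 slot secret is 20 bytes (so `openssl rand -hex 20` gives 40 hex characters, not the 64 the ECC field expects), and the response the token returns is HMAC-SHA1(secret, challenge), so a database created against one secret cannot be unlocked once the secret changes (for example after a reset or reprogramming), which is what an “HMAC mismatch” means. The 32-byte challenge and the unlock check are simplified stand-ins, not KeePassXC’s real key derivation.

```python
import hashlib
import hmac
import secrets

HMAC_KEY_BYTES = 20  # HMAC-SHA1 slot secret: 20 bytes = 40 hex characters


def parse_hmac_key(hex_key: str) -> bytes:
    """Parse a key such as the output of `openssl rand -hex 20`.

    Rejects anything that is not exactly 20 raw bytes, e.g. the
    64-hex-character value the ECC private-key field would expect.
    """
    key = bytes.fromhex(hex_key.strip())
    if len(key) != HMAC_KEY_BYTES:
        raise ValueError(
            f"HMAC-SHA1 key must be {HMAC_KEY_BYTES} bytes "
            f"({2 * HMAC_KEY_BYTES} hex chars), got {len(key)} bytes"
        )
    return key


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """What the token computes for a challenge-response slot: a 20-byte HMAC-SHA1."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def unlock_check(response_at_creation: bytes, secret_now: bytes, challenge: bytes) -> bool:
    """Simplified model of unlocking: succeeds only if the token answers the
    stored challenge exactly as it did when the database was created."""
    return hmac.compare_digest(response_at_creation, challenge_response(secret_now, challenge))


def demo() -> dict:
    """Walk through create -> unlock with the same secret -> unlock after a reset."""
    secret = parse_hmac_key(secrets.token_hex(HMAC_KEY_BYTES))  # like `openssl rand -hex 20`
    challenge = bytes(range(32))  # constructed placeholder challenge (assumption, not KeePassXC's)
    response_at_creation = challenge_response(secret, challenge)
    # A factory reset or reprogramming of the slot replaces the secret with a new one.
    secret_after_reset = parse_hmac_key(secrets.token_hex(HMAC_KEY_BYTES))
    return {
        "response_len": len(response_at_creation),
        "same_secret_unlocks": unlock_check(response_at_creation, secret, challenge),
        "reset_secret_unlocks": unlock_check(response_at_creation, secret_after_reset, challenge),
    }


if __name__ == "__main__":
    print(demo())
```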