Feature #285

Password passed as cli parameter: Hide password

Added by Anonymous about 2 years ago. Updated over 1 year ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -

Description

At the moment, the password passed to KeePassX using the --password parameter is visible as plain text afterwards, e.g. when using ps aux:

$ keepassx --password hunter2
$ ps aux | grep keepassx
[…] keepassx --password hunter2

Apparently, it is possible to rewrite the arguments passed to a program afterwards, so they cannot be accessed that easily. I am not familiar with the details, but as far as I know, it is (almost) as simple as

strncpy(argv[1], "***", strlen(argv[1]));

It is still possible for an attacker to read the password immediately after keepassx starts, but it greatly reduces the risk of accidentally exposing the master password later on.

Alternatively, it could be offered to pipe the password instead of passing it as an argument.
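
The in-place overwrite and the piped alternative suggested in the description above, side by side, as an added example that is not KeePassX code. The helper names are hypothetical; with the invocation shown, the password is the argument after --password, so the code locates it by name rather than by a fixed index. The argv copy remains readable between process start and the overwrite, while the stream variant never places the secret in argv.

```c
#include <stdio.h>
#include <string.h>
/* Added example: helper names are illustrative, not KeePassX code. */
/* Overwrite an argument in place, keeping its length. On Linux, ps reads
 * /proc/<pid>/cmdline, which reflects this memory. Returns bytes masked. */
size_t scrub_arg(char *arg)
{
    volatile char *p = arg;          /* volatile: keep the stores */
    size_t n = strlen(arg);
    for (size_t i = 0; i < n; i++)
        p[i] = '*';
    return n;
}

/* Copy the value following "--password" into out, then scrub argv.
 * Returns 0 on success, -1 if the option is absent or does not fit. */
int take_password_arg(int argc, char **argv, char *out, size_t outlen)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--password") != 0)
            continue;
        size_t n = strlen(argv[i + 1]);
        if (n >= outlen) return -1;
        memcpy(out, argv[i + 1], n + 1);
        scrub_arg(argv[i + 1]);
        return 0;
    }
    return -1;
}

/* The piped alternative: read one line from a stream such as stdin, so
 * the secret never appears in argv at all. Returns 0 on success. */
int read_password_stream(FILE *in, char *out, size_t outlen)
{
    if (outlen == 0 || fgets(out, (int)outlen, in) == NULL)
        return -1;
    out[strcspn(out, "\r\n")] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char pw[256];
    if (take_password_arg(argc, argv, pw, sizeof pw) != 0 &&
        read_password_stream(stdin, pw, sizeof pw) != 0)
        return 1;
    printf("got %zu-byte password\n", strlen(pw));
    return 0;
}
```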

Associated revisions

Revision 65e8732e
Added by Felix Geyer almost 2 years ago

Remove --password command line option.

Passing passwords on the command line is unsafe.

History

#1 Updated by Felix Geyer about 2 years ago

I have added the --password option only for testing.
The help already says "DANGEROUS!" but I'm sure that will be largely ignored.

I'll remove the option before release.
If you want to open the database without entering the password use a key file.

#2 Updated by Felix Geyer almost 2 years ago

  • Status changed from New to Rejected

I've removed the option now.

#3 Updated by David Kačerek almost 2 years ago

That's unfortunate! Now I can't use a shortcut with a predefined password so I have to write it upon every keepassx startup. KeePass2 has the -pw option too. Why can't you leave it up to the user? No one has to use the feature obligatorily.

#4 Updated by Florian Kaiser almost 2 years ago

I agree with David. Please add the --password option again and use the strncpy-trick to hide it from the process list.

#5 Updated by MOZGIII None over 1 year ago

Please don't add it back. This is a serious security issue.
The strncpy trick is useless, and overall it's absolutely not safe.

#6 Updated by David Kačerek over 1 year ago

Please don't add it back. This is a serious security issue.
The strncpy trick is useless, and overall it's absolutely not safe.

Are you forced to use it? No. So don't be so concerned about this and let others decide for themselves.

#7 Updated by Florian Kaiser over 1 year ago

Since I found out that you can simply put your password into a text file and then use the keyfile option I'm satisfied.

#8 Updated by David Kačerek over 1 year ago

Florian Kaiser wrote:

Since I found out that you can simply put your password into a text file and then use the keyfile option I'm satisfied.

Unfortunately that's an even more dangerous option than the -password parameter - what if you lose your usb flash disk with keepass and its keyfile on it? Then he can easily open your database.

#9 Updated by David Kačerek over 1 year ago

Florian Kaiser wrote:

Since I found out that you can simply put your password into a text file and then use the keyfile option I'm satisfied.

Unfortunately that's an even more dangerous option than the -password parameter - what if you lose your usb flash disk with keepass and its keyfile on it and someone finds it? Then he can easily open your database.

#10 Updated by Florian Kaiser over 1 year ago

David Kačerek wrote:

Unfortunately that's an even more dangerous option than the -password parameter - what if you lose your usb flash disk with keepass and its keyfile on it? Then he can easily open your database.

This is not my use case. The GNOME desktop environment (which I use) provides a secure password manager called "GNOME Keyring". Keyring is very integrated into the system so when I enter my disk encryption password and log in to my user account the Keyring opens too.

Now, what have I done? I stored my password inside Keyring. When I log in to my user account a script runs that reads the KeePass password from Keyring, creates a file with a random name inside /tmp and opens KeePass with that file as keyfile parameter. The file is never written to any disk since /tmp is a tmpfs (in memory only file system). After KeePass has read the file, it is deleted from /tmp. Also the file is protected in a way that only allows the KeePass process to access it (SELinux).

#11 Updated by David Kačerek over 1 year ago

Florian Kaiser wrote:

This is not my use case. The GNOME desktop environment (which I use) provides a secure password manager called "GNOME Keyring". Keyring is very integrated into the system so when I enter my disk encryption password and log in to my user account the Keyring opens too.

Now, what have I done? I stored my password inside Keyring. When I log in to my user account a script runs that reads the KeePass password from Keyring, creates a file with a random name inside /tmp and opens KeePass with that file as keyfile parameter. The file is never written to any disk since /tmp is a tmpfs (in memory only file system). After KeePass has read the file, it is deleted from /tmp. Also the file is protected in a way that only allows the KeePass process to access it (SELinux).

That's surely well worked-out but what do you do if you're on some other PC? For example at some friend's or in an internet café? Then you need a portable version of your password manager on your USB flash disk along with the database (and keyfile).

#12 Updated by Florian Kaiser over 1 year ago

David Kačerek wrote:

That's surely well worked-out but what do you do if you're on some other PC? For example at some friend's or in an internet café? Then you need a portable version of your password manager on your USB flash disk along with the database (and keyfile).

I have KeePass portable and a backup of my KeePass database on a USB stick and I can still open my database by entering my password manually (the normal way), what's the problem?

If I'm with my laptop everything works automatically and if I use another's PC I can fall back to the normal way.

#13 Updated by David Kačerek over 1 year ago

Florian Kaiser wrote:

I have KeePass portable and a backup of my KeePass database on a USB stick and I can still open my database by entering my password manually (the normal way), what's the problem?

If I'm with my laptop everything works automatically and if I use another's PC I can fall back to the normal way.

I'm sorry, I probably don't understand your setup correctly. When looking into the KeePass 2 documentation, it states:

KeePass does not support keys being used alternatively, i.e. it's not possible that you can open your database using a password or a key file. Either use a password, a key file, or both at once (both required), but not interchangeably.

I supposed that KeePassX works the same but you say that on your desktop you unlock your db with a keyfile and opening the db from a USB stick you unlock it with a password. Does KeePassX work differently from KeePass 2 in that regard?

#14 Updated by Florian Kaiser over 1 year ago

Your keyfile is just your password written into a file. No magic here.

This works:

$ echo -n 'myPassword' > myKeyFile
$ keepass keepass.kdbx -keyfile:myKeyFile

Understand what I mean?

#15 Updated by David Kačerek over 1 year ago

Florian Kaiser wrote:

Your keyfile is just your password written into a file. No magic here.

This works:

$ echo -n 'myPassword' > myKeyFile
$ keepass keepass.kdbx -keyfile:myKeyFile

Understand what I mean?

Up to that point I think I understand. But what I don't get is how you can open the same db by entering the password manually even though it's locked with a keyfile.

#16 Updated by Florian Kaiser over 1 year ago

I just type myPassword into the password field in KeePass and click "OK".
The database was created with a password, not a keyfile.

#17 Updated by David Kačerek over 1 year ago

Florian Kaiser wrote:

I just type myPassword into the password field in KeePass and click "OK".
The database was created with a password, not a keyfile.

Now I see. I tried to open my db (created with a password) with a keyfile and it works. Well I guess that fixes the issue for me. Thank you for your help.
