HMAC Challenge Response Leads to Unresponsive OnlyKey #98

@schlomie

Description

Per our discussion here, this issue describes the behavior I am seeing on the OnlyKey when using the HMAC Challenge Response to open a kdbx file with KeePassXC.

Firmware: v0.2-beta.8c
App: v5.2.0
KeePassXC: 2.5.3

Per your instructions, I added my 20 byte HMAC secret (generated with the ykper tool) to ECC Slot 30 on the Advance Tab of the app, padding the right with zeros to fully supply the required 32 bytes.

The OnlyKey was disabled (became unresponsive to password touches[1]) in exactly two ways, although I think both are triggered by the same mechanism.

  1. Clicking the Refresh Button for the Hardware Key input in KeePassXC
  2. Pressing any button on the OK when prompted (for the Challenge/Response) by KeePassXC.

Steps to reproduce 1.

  1. Have your YK HMAC Secret Loaded
  2. Insert and Unlock the OnlyKey
  3. In some text editor/entry/whatever test the password type capability by pressing a slot on OK
  4. Without a Yubikey inserted[2], start KeePassXC and open a database.
  5. Click on Refresh next to the Hardware Key entry
  6. Repeat step 3 - The OK no longer types out passwords
  7. If you type in the password for the kdbx and attempt to open the file, KeePassXC attempts the Challenge Response against the OK (the LED flashes RED until pressed) and the kdbx is successfully opened.
  8. Locking the kdbx and repeating step 7 still successfully prompts the OK for HMAC.

Steps to reproduce 2.

  1. After unlocking (step 7 above) re-lock the kdbx file - KeePassXC will be in its waiting state, prompting you to Unlock KeePassXC Database
  2. Note the Hardware Key entry will show OnlyKey[ser#] Challenge Response - Slot 1 - Press
  3. Disconnect, Re-Insert and Re-Unlock the OK
  4. Repeat step 3 above, proving passwords are typed
  5. Type the password in KeePassXC and unlock the file
  6. You are again prompted to press the OK and the LED flashes RED.
  7. Pressing any button on the OK successfully responds to KeePassXC and the file is opened.
  8. Repeat step 3 above - Once again, the OK no longer types out passwords[1]

I will upload some screenshots/video demonstrating this when I have a bit more time.

[1] This HMAC soft lock (as we might call it) only affects using the OnlyKey to type out passwords. onlykey-agent still works after the OK has become unresponsive. Although interestingly, in this state, an extra <Enter> press is necessary with onlykey-agent. Under normal operating conditions, the moment the 3-digit challenge is met (or pressed when the 3-digit challenge is disabled) the secure shell session is opened. After the HMAC soft lock as described above, the moment the 3-digit challenge is met, the terminal will wait until <Enter> is pressed on the keyboard.

[2] I've noticed KeePassXC favors the Yubikey. If the YK is inserted prior to all of this, the OK isn't even considered.

Additionally (and possibly related), this is kind of still an issue (I need to update that issue with new findings post beta8). Any time the OnlyKey is used for any operation outside of typing passwords, the OnlyKey App no longer detects the OK. The OK still functions correctly, types out passwords (sans HMAC soft lock), works with onlykey-cli and onlykey-agent and functions correctly as a U2F token. To get the App to recognize the OK again, it must be disconnected, re-inserted and re-unlocked.
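The report above loads a 20-byte YubiKey-style HMAC secret into a 32-byte slot by padding the right side with zeros. The following added example (not code from the issue author, OnlyKey or KeePassXC) shows why that padding is safe to rely on for verification: HMAC-SHA1 zero-pads any key shorter than the 64-byte SHA-1 block size, so the 20-byte secret and its zero-padded 32-byte form produce the identical response to the same challenge, while padding with anything other than zeros does not. The secret and challenge bytes are constructed here for illustration; the slot length of 32 and the 64-byte challenge size are taken from the report and the YubiKey HMAC-SHA1 challenge-response format respectively.

```python
import hmac
import hashlib

SLOT_LENGTH = 32          # bytes accepted by the key slot described in the report
SECRET_LENGTH = 20        # bytes produced by the YubiKey personalization tool
CHALLENGE_LENGTH = 64     # maximum HMAC-SHA1 challenge length in the YubiKey format


def hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """Compute the 20-byte HMAC-SHA1 response a token would return for a challenge."""
    if len(challenge) > CHALLENGE_LENGTH:
        raise ValueError("challenge exceeds the 64-byte HMAC-SHA1 challenge limit")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def pad_secret_to_slot(secret: bytes, fill: bytes = b"\x00") -> bytes:
    """Extend a short secret to the slot length with the given single fill byte."""
    if len(fill) != 1:
        raise ValueError("fill must be exactly one byte")
    if len(secret) > SLOT_LENGTH:
        raise ValueError("secret does not fit in the slot")
    return secret + fill * (SLOT_LENGTH - len(secret))


def padded_secret_is_equivalent(secret: bytes, challenge: bytes, fill: bytes = b"\x00") -> bool:
    """True when the padded slot contents yield the same response as the raw secret.

    HMAC already right-pads keys shorter than the hash block size with zero bytes,
    so zero padding changes nothing; any other fill byte changes the effective key.
    """
    raw = hmac_sha1_response(secret, challenge)
    padded = hmac_sha1_response(pad_secret_to_slot(secret, fill), challenge)
    return hmac.compare_digest(raw, padded)


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time check of a token's response against the expected value."""
    expected = hmac_sha1_response(secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample values (not real key material): a 20-byte secret and a
# 64-byte challenge of the kind a database manager would send to the token.
SAMPLE_SECRET = bytes(range(1, SECRET_LENGTH + 1))
SAMPLE_CHALLENGE = bytes((i * 7) & 0xFF for i in range(CHALLENGE_LENGTH))


if __name__ == "__main__":
    response = hmac_sha1_response(SAMPLE_SECRET, SAMPLE_CHALLENGE)
    print("response:", response.hex())
    print("zero padding equivalent:", padded_secret_is_equivalent(SAMPLE_SECRET, SAMPLE_CHALLENGE))
    print("0x01 padding equivalent:", padded_secret_is_equivalent(SAMPLE_SECRET, SAMPLE_CHALLENGE, b"\x01"))
```

The practical consequence is that a verifier holding the original 20-byte secret and a token holding the zero-padded 32-byte copy agree on every response, so the soft-lock behaviour in the report is not explained by a key mismatch; a slot padded with any non-zero filler, by contrast, would fail every unlock attempt.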
