macOS 10.15 Catalina: Yubikey slots not populating #3329

Closed
doits opened this issue Jun 27, 2019 · 47 comments

@doits

doits commented Jun 27, 2019

Since upgrading to the 10.15 Catalina beta, I cannot unlock my database, which is secured with YubiKey challenge-response: the YubiKey is not detected.

Expected Behavior

Unlock database with yubikey

Current Behavior

Yubikey is not detected:

[Screenshot: Jun-27-2019 14-14-37]

I tried restarting everything, no change :-(

Otherwise the YubiKey works as expected (e.g. with gpg), so currently only KeePassXC cannot access it.

Debug Info

KeePassXC - Version 2.4.3
Revision: 5d6ef0c

Qt 5.12.3
Debugging mode is disabled.

Operating system: macOS 10.15
CPU architecture: x86_64
Kernel: darwin 19.0.0

Enabled extensions:

  • Auto-Type
  • Browser-Integration
  • SSH-Agent
  • KeeShare (signed and unsigned sharing)
  • YubiKey
  • TouchID

Cryptographic libraries:
libgcrypt 1.8.4

@doits added the bug label Jun 27, 2019
@droidmonkey
Member

Does it work with the Yubikey Personalization tool?

@droidmonkey changed the title from "Catalina / 10.15 beta: Cannot access yubikey challenge response" to "macOS 10.15 beta: Yubikey slots not populating" Jun 27, 2019
@doits
Author

doits commented Jun 27, 2019

good catch, no, it doesn't. It says "unkown error occured" when I attach the yubikey.

[Screenshot 2019-06-27 at 16 42 54]

@droidmonkey
Member

Then this would be an error at the OS level or an incompatibility with yubikey itself. Recommend reporting the bug over on their repository: https://github.com/Yubico/yubikey-personalization-gui

@doits
Author

doits commented Jun 27, 2019

👍 reported at Yubico/yubikey-personalization-gui#87

@doits
Author

doits commented Jun 27, 2019

One more hint though: Using it in browsers for 2fa authentication or as a gpg smartcard for signing/encrypting e-mails still works though, so it is not completely broken. But looks like the functionality used in keepassxc and personalization tool is.

@doits
Author

doits commented Jul 1, 2019

I got it working again by going to System Settings --> Security --> Privacy --> Input Monitoring and manually adding KeePassXC.app there. It looks like this permission should be requested by KeePassXC when launching and/or trying to access YubiKeys.

@droidmonkey
Member

Yes looks like Catalina is introducing new privacy features that require additional approvals. Unfortunately they don't seem to be documented yet or it is non-intuitive when I read the apple developer documentation.

@doits
Author

doits commented Sep 10, 2019

@thobryan using Beta 10.15 (19A546d) and it works like this for me:

[Screenshot 2019-09-10 at 11 13 56]

@droidmonkey
Member

macOS likes to "forget" permissions you gave an app but still show that you gave them. I've run into this with AutoType as well.

For this issue, is there a new entitlement we should be asking for?

@kanutope

kanutope commented Oct 31, 2019

Upgraded from 10.14.6 today to 10.15.1 - had KeePassXC upgraded to 2.5.0 - created manually 'input monitoring' entries for both KeePassXC and YubiKey Personalization Tool - it works smoothly. Thanks @droidmonkey

@droidmonkey
Member

I need to figure out how to trigger the permission request for input monitoring

@499602D2

I'm on a machine stuck on High Sierra and I've had this issue ever since I got my YubiKey, so around version 2.3.4, and I was unable to fix the issue with the privacy settings mentioned above, as High Sierra lacks all of it.

However, I did some Googling around, and it seems that this issue is somehow triggered if "Secure Keyboard Entry" is enabled in Terminal's settings – I disabled it, and my key started to immediately work in KeepassXC, alongside with ykinfo -a producing actual output instead of USB error: kIOReturnSuccess, even when not run as sudo.

This thread is relevant: Yubico/yubikey-personalization#34

@famx-droid
Contributor

I'm on a machine stuck with High Sierra (10.13.6) and have the same problem as well. Disabling the "Secure Keyboard Entry" in the Terminal settings works fine for me (KeePassXC 2.5.1).
Citation from the Apple support page says:

> Before you turn on secure keyboard entry, make sure other apps don’t require keystrokes from Terminal.

Thanks for the hint @499602D2 ! This does not solve the real problem, but for now a good workaround.
[Screenshot: DisableSecureKeyboard]

@onlykey
Contributor

onlykey commented Jan 7, 2020

I can verify that adding to security -> privacy -> input monitoring also works for OnlyKey. Is it possible for future release to automatically request adding KeePassXC to input monitoring? I think it already requests to automatically be added to accessibility.

@droidmonkey
Member

droidmonkey commented Jan 7, 2020

I'll need a link to the documentation to do that. I find Apple's documentation to be the absolute worst.

@onlykey
Contributor

onlykey commented Jan 8, 2020

@droidmonkey Did a little digging into it and I am thinking that Mac released 10.15 without a way yet for apps to request this, or at least it's not documented yet:
https://forums.developer.apple.com/thread/124368
https://developer.apple.com/documentation/bundleresources/information_property_list/protected_resources

EDIT - Did a little more digging, still no luck. Looks like others have this issue too - https://discussions.apple.com/thread/250754222
When you look at the privacy options in Xcode there is no option for input monitoring:
[Screenshot]

@MarSalfer

Workaround Generally: Add ("+" or drag and drop) KeePassXC.app into "System Settings --> Security --> Privacy --> Input Monitoring".

Workaround when the above won't work as no list appears: Populate Input Monitoring with another app first.

  1. Start an app that requests Input Monitoring permissions, e.g. CheatSheet. The Input Monitoring window will be opened and populated with this one app plus a "+" and a drag-drop functionality.
  2. Add or drag-drop KeePassXC into the Input Monitoring list.
  3. (optionally) remove the other app again.

@tswestendorp

I've tried all the possible workarounds to get my OnlyKey working. KeePassXC is added to input monitoring and is version 2.6.1, and I re-added it a couple of times as well, but still slots aren't populated.

Just a minute ago I found some errors caused by KeePassXC in my Console:

error	09:10:05.384303+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5
error	09:10:06.407640+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5
error	09:10:07.318337+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5
error	09:10:07.983491+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5

These errors occur when hitting 'Refresh' next to the slots. Anybody got an idea what might be happening here?

cc @onlykey
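
Decoding the Console lines quoted in the comment above, as an added example that is not part of the thread or of KeePassXC's code: the hex value after the colon is an IOKit `IOReturn`, and `e00002c5` decodes to `kIOReturnExclusiveAccess`, not `kIOReturnNotPermitted` (`e00002e2`) or `kIOReturnNotPrivileged` (`e00002c1`). The function names, the `ExampleApp` process and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Names and descriptions as given in IOKit/IOReturn.h (subset).
IORETURN = {
    0x2BC: ("kIOReturnError", "general error"),
    0x2C0: ("kIOReturnNoDevice", "no such device"),
    0x2C1: ("kIOReturnNotPrivileged", "privilege violation"),
    0x2C5: ("kIOReturnExclusiveAccess", "exclusive access and device already open"),
    0x2CD: ("kIOReturnNotOpen", "device not open"),
    0x2E2: ("kIOReturnNotPermitted", "not permitted"),
}
SYS_IOKIT = 0x38  # Mach error "system" field used by IOKit

# Console export columns: level, time, process, call(selector):hexcode
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<time>\S+)\s+(?P<process>\S+)\s+"
    r"(?P<call>\w+)\((?P<selector>\w+)\):(?P<raw>[0-9a-fA-F]{8})\s*$"
)

def decode_ioreturn(value):
    """Split a 32-bit Mach error into system (6 bits), sub (12), code (14)."""
    system, sub, code = (value >> 26) & 0x3F, (value >> 14) & 0xFFF, value & 0x3FFF
    known = system == SYS_IOKIT and sub == 0 and code in IORETURN
    name, meaning = IORETURN[code] if known else ("unknown", "not in table")
    return {"system": system, "sub": sub, "code": code, "name": name, "meaning": meaning}

def parse_line(line):
    """Return the decoded fields of one Console line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), **decode_ioreturn(int(m.group("raw"), 16))}

def summarize(lines):
    """Count (process, selector, error name) triples across the matching lines."""
    parsed = filter(None, map(parse_line, lines))
    return Counter((p["process"], p["selector"], p["name"]) for p in parsed)

SAMPLE = [  # first two lines are from the comment above; the last two are constructed
    "error\t09:10:05.384303+0200\tKeePassXC\tIOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5",
    "error\t09:10:06.407640+0200\tKeePassXC\tIOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5",
    "error\t09:10:07.000000+0200\tExampleApp\tIOConnectCallMethod(kIOHIDLibUserClientOpen):e00002e2",
    "default\t09:10:08.000000+0200\tExampleApp\tsome unrelated message",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```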

@droidmonkey
Member

@phoerious what version of ykpers are you deploying with the macos build?

@phoerious
Member

Can't check right now, but it should be the latest one from homebrew.

@onlykey
Contributor

onlykey commented Aug 20, 2020

@tswestendorp Mac OS requires restart of app to have the privacy change take effect. I think in some cases it may require a reboot though, any luck after reboot?

@tswestendorp

> @tswestendorp Mac OS requires restart of app to have the privacy change take effect. I think in some cases it may require a reboot though, any luck after reboot?

Unfortunately not 😕

@repetitioestmaterstudiorum

> I'm on a machine stuck with High Sierra (10.13.6) and have the same problem as well. Disabling the "Secure Keyboard Entry" in the Terminal settings works fine for me (KeePassXC 2.5.1).
> Citation from the Apple support page says:
>
> > Before you turn on secure keyboard entry, make sure other apps don’t require keystrokes from Terminal.
>
> Thanks for the hint @499602D2 ! This does not solve the real problem, but for now a good workaround.
> [Screenshot: DisableSecureKeyboard]

This was the solution for me too!

@droidmonkey
Member

I am closing this issue since it's not on us.
