This repository has been archived by the owner on Oct 17, 2020. It is now read-only.

Remote server support #125

Closed
luckyrat opened this issue Jan 13, 2013 · 3 comments

@luckyrat
Member

I have a PC w/ KeePass running and I'd like to share the Firefox passwords between different clients: a laptop, a macbook and possibly Firefox mobile on my phone, without multiple KeePass installations.

KeeFox installs and works flawlessly on OSX just by editing the xpi package (removing the targetPlatform reference in `install.rdf` and changing the server address in `/modules/session.js`), and KeePassRPC needs just a simple network forwarding to expose the local TCP port remotely, but it could be useful to have "real" support for sharing passwords remotely.

Ideally:

  1. Custom setting to change KeePassRPC listen host/port
  2. Custom setting to change KeeFox connect host/port
  3. Add clients authorization on KeePassRPC
  4. Make KeeFox compatible with Firefox Mobile

Sparse thoughts:
1 and 2. Should be trivial to implement (I can try to give a hand, if you want)
3. It is fundamental if the server is not behind a VPN or an ssh tunnel - right now KeePass asks to authorize KeeFox just the first time, if you later configure more instances of Firefox with KeeFox they all work without authentication and this is not really what KeePass users want :)
It could be done asking for authorization once for every new client and saving its credentials in a specific group of the KeePass database, or alternatively adding a KeeFox specific password in the KeePass database, and asking for it in the KeeFox settings when it connects for the first time.
4. Firefox Mobile extension development shouldn't be too much different from its desktop counterpart, with some luck there could be just some patching here and there, but I don't really know XUL deeply enough to speak about it.

@ghost ghost assigned luckyrat Jan 13, 2013
@luckyrat
Member Author

Imported from trac issue 113. Created by psychowood on 2011-11-06T00:27:37, last modified: 2011-11-28T23:56:58

@luckyrat
Member Author

Trac comment by luckyrat on 2011-11-28 23:56:58:

Hi,

It's interesting to hear that you have got KeeFox to work on OSX. So far I have only tried to run it on Linux but without success. Do you mean that you have been able to run KeePassRPC in KeePass running on Mono?

As for enabling remote access to databases, this is not something I'm comfortable with at the moment - one is essentially doubling the surface area for attack (from one machine to two). For many people keeping two machines secure will be more difficult than one. As an advanced option for the future though, I'm certainly open to persuasion.

Are you saying you have already worked around points 1 and 2 with local network port forwarding? If not, what extra feature do you need? Just a configurable host name/IP yes?

For 3, you're right that currently the authentication is based on client name - in all cases this is "KeeFox Firefox add-on". I'm wary of changing this behaviour because I don't want to overcomplicate things for less technical users or put extra barriers in their way. I'm not quite sure how that could be implemented securely (at the moment the authenticity of a client is partially determined by my digital signature using a private key that only I have access to). User-generated signatures may be possible but I'm not sure how one can avoid exposing at least some extra attack vectors.

(See http://keefox.org/2010/keepassrpc-security-and-authentication for some background information on how things currently work)

Can you elaborate on "if you later configure more instances of Firefox with KeeFox they all work without authentication"? KeeFox should always prompt the user to re-authenticate if a request comes from a separate Firefox profile.

I'd love to have a Firefox mobile version but I think it will be a huge amount of work. Even before Mozilla announced their move to a native Android UI, I found it hard to see how I would ever have time to complete a mobile version but now they are pushing the "JavaScript only" approach to add-on design so hard it looks increasingly like an entire add-on rebuild would be required - it's taken years to get it working (just about) on the desktop so I can't see the mobile version happening unless someone else can take on a significant portion of the required work.

Naturally, enabling access to KPRPC running on a remote IP address would at least remove the need to provide a local KeePass database on the mobile phone.

There are some other considerations such as what happens to the UI elements from KeePass when the user is interacting from a remote terminal? E.g. master password prompts and entry "edit" functionality.

Thanks,
Chris
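
A sketch of the per-client authorization proposed in point 3 and discussed in the reply above: each client is enrolled once after a user prompt, receives its own secret, and proves possession of it on every connection, so a shared client name alone is not enough. This is an added example, not KeePassRPC or KeeFox code; `ClientRegistry`, `respond` and the HMAC challenge-response scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class ClientRegistry:
    """Hypothetical server-side store, standing in for a dedicated database group."""

    def __init__(self):
        self._keys = {}        # client_id -> secret key issued at enrolment
        self._challenges = {}  # client_id -> outstanding one-time nonce

    def enroll(self, approved_by_user: bool):
        """Issue a new client identity only after the user approves the prompt."""
        if not approved_by_user:
            return None
        client_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return client_id, key

    def challenge(self, client_id: str) -> bytes:
        """Fresh nonce per connection, so a captured response cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self._challenges[client_id] = nonce
        return nonce

    def verify(self, client_id: str, response: bytes) -> bool:
        nonce = self._challenges.pop(client_id, None)  # each nonce is single use
        key = self._keys.get(client_id)
        if nonce is None or key is None:
            return False  # unknown, revoked, or no challenge outstanding
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def revoke(self, client_id: str) -> None:
        """Drop one client (e.g. a lost laptop) without affecting the others."""
        self._keys.pop(client_id, None)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

This authenticates the client only; traffic that leaves the local machine still needs an encrypted transport such as the VPN or SSH tunnel mentioned in the thread.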

@github-actions

github-actions bot commented Sep 5, 2020

Following the recent announcement of the end of critical security patch support for this old software - https://forum.kee.pm/t/keefox-critical-security-support-ends-30th-september-2020-kee-is-unaffected/3219 - this issue has been automatically marked as stale. We will soon close this issue and then archive this repository in early October 2020.

If you think that the issue contents may still be relevant to the actively maintained Kee project, the successor of KeeFox, please search the community forum for help and post a new topic if appropriate: https://forum.kee.pm

Please do not reply to this comment / notification - it won't be seen.
