Using Secret Service on Windows #11210
Replies: 3 comments 5 replies
-
|
I am going to go with "no". Secret service operates on dbus and that isn't exposed in any way to the windows host. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, I'm not talking about using dbus from windows, but rather some proxy that would act as the provider. I don't know much about the protocol, but assuming for simplicity that's it's some kind of a simple stdin/out thing, I could implement that as a shell script that actually uses the KeePassXC Windows cli to actually grab the passwords. (But yes, I know that this is a big oversimplification.) |
Beta Was this translation helpful? Give feedback.
-
|
You're welcome to build such a proxy but that isn't anything we would go about doing. It would be far easier to just install keepassxc on your WSL instance and open your database file from the c-drive mount. |
Beta Was this translation helpful? Give feedback.
-
|
That's where I started all of this. It really bugs me that I need to run two copies to get that done. Including unlocking the same DB on both sides. Including the WSL-side hassle of getting the service to persist. |
Beta Was this translation helpful? Give feedback.
-
|
Welcome to Windows. In this wonderful world, everything comes at least in doubles, from Terminals and Git installations to system settings. |
Beta Was this translation helpful? Give feedback.
-
|
@phoerious Actually, I manage pretty well to NOT do almost all of that -- including git + ssh (nothing on windows), editors (vscode on windows, emacs on wsl), etc. But more seriously, a password manager happens to be more obnoxious when duplicated because of
I will say though that the auto-merge of db changes makes it possible to run two copies in the first place, otherwise syncs would be a big additional item in this list. [*] I did consider using it only on the wsl side too. It seems that making it work will be more difficult since I'll need to make the windows browser work with the wsl keepassxc, and I lose the extra security of tying it to the windows login. |
Beta Was this translation helpful? Give feedback.
-
|
Just to follow up here, in case anyone runs into a similar need: I ended up using a python library that I found ( The only issue left is that it cannot pull out information from the secret service group... But I'll make a new post about that. |
Beta Was this translation helpful? Give feedback.
-
|
I eventually hacked it by
It's a hack but it allows me to get the entries and find the right one... The code is below if anyone's interested. It implements just #!/usr/bin/env python.exe
# -*- python -*-
import sys, base64, win32cred, pywintypes
sys.stdout.reconfigure(newline="\n")
def die(msg):
print("error: " + msg, file=sys.stderr)
exit(1)
args = sys.argv[1:]
if len(args) == 0:
die("missing arguments")
verb = args.pop(0)
if verb not in ["lookup", "search"]:
die("don't know how to " + verb)
try:
import keepassxc_proxy_client
import keepassxc_proxy_client.protocol
except:
die("missing library: keepassxc_proxy_client")
credName, credType = "My-KeePassXC-Proxy", win32cred.CRED_TYPE_GENERIC
def storeNameKey(name, key):
win32cred.CredWrite({
"TargetName": credName,
"CredentialBlob": base64.b64encode(key).decode("ascii"),
"Persist": win32cred.CRED_PERSIST_ENTERPRISE,
"Type": credType,
"Attributes": [{"Keyword": "name", "Flags": 0, "Value": name}],
})
def getNameKey():
try:
cred = win32cred.CredRead(credName, credType)
except pywintypes.error as e:
if e.funcname == "CredRead" and "Element not found" in e.strerror:
return None, None
else:
raise e
key = base64.b64decode(cred["CredentialBlob"].decode("utf-16"))
name = cred["Attributes"][0]["Value"].decode("utf-16")
return name, key
connection = keepassxc_proxy_client.protocol.Connection()
connection.connect()
name, pubkey = getNameKey()
if name == None:
connection.associate() # opens a keepassxc dialogue
name, pubkey = connection.dump_associate()
storeNameKey(name, pubkey)
else:
connection.load_associate(name, pubkey)
if not connection.test_associate():
die("association failed", file=sys.stderr)
search = [("group", "SecretService")]
findAll = False
while len(args) > 0:
attr = args.pop(0)
if attr == "--all" and verb == "search":
findAll = True
continue
if attr.startswith("-"):
die("unknown flag, " + attr)
if len(args) == 0:
die("missing value for attribute " + attr)
search.append(("name" if attr == "Title" else "KPH: " + attr, args.pop(0)))
def isOK(x):
for attr, val in search:
if (({ attr: val } not in x["stringFields"])
if attr.startswith("KPH: ")
else x.get(attr, None) != val):
return False
return True
results = connection.get_logins("https://SecretService.invalid/")
results = list(filter(isOK, results))
if len(results) == 0:
exit()
if len(results) > 1 and not findAll:
die("multiple entries found")
import os
os.linesep = "\n"
if verb == "lookup":
print(results[0]["password"])
else:
for x in results:
print("[/{}]".format(x["uuid"]))
print("label = {}".format(x["name"]))
print("secret = {}".format(x["password"]))
print("attribute.Title = {}".format(x["name"]))
print("attribute.UserName = {}".format(x["login"]))
print("attribute.Path = /{}".format(x["name"]))
for f in x["stringFields"]:
attr, val = list(f.items())[0]
if attr.startswith("KPH: "):
print("attribute.{} = {}".format(attr[5:], val)) |
Beta Was this translation helpful? Give feedback.
-
Good morning,
I work in Windows using WSL, so I generally prefer to have KeePassXC installed on Windows. The thing is that I also want to have the secret service on the linux side, and currently I have a half-baked script that just starts another KeePassXC in linux.
Is there any way to have some kind of a secret service proxy provider on linux that talks to the Windows instance instead of running two of them?
Beta Was this translation helpful? Give feedback.
All reactions