A Weird Imagination

Troubleshooting KeePassXC browser extension


The problem

I use KeePassXC as my password manager in Firefox and while sometimes the connection between Firefox and KeePassXC drops and I have to explicitly click reconnect, it recently stopped working entirely.

The solution

Install the keepassxc-full package instead of the keepassxc package. If you get the browser extension via the webext-keepassxc-browser package, then your package manager will automatically get the right one.

(This only applies to Debian Sid and Trixie or newer.)

The details

Finding the problem

I looked at the KeePassXC settings for "Browser Integration" and didn't see anything obviously wrong. I tried toggling it off and on to no effect. Then I looked at the "Advanced" tab and noticed one of the settings was "Use a custom browser configuration location:" which defaulted to ~/.config/mozilla/native-messaging-hosts/. I have an old Firefox install, so I found it at ~/.mozilla/native-messaging-hosts/ where there was a single file org.keepassxc.keepassxc_browser.json:

    {
        "allowed_extensions": [
            "keepassxc-browser@keepassxc.org"
        ],
        "description": "KeePassXC integration with native messaging support",
        "name": "org.keepassxc.keepassxc_browser",
        "path": "/usr/bin/keepassxc-proxy",
        "type": "stdio"
    }

I looked for /usr/bin/keepassxc-proxy and saw that it didn't exist.
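The same check (does each manifest's "path" point at a real, runnable binary?) can be automated across every native messaging manifest in a directory. This is an added example, not code from the original post or from KeePassXC; the function names are made up for illustration, it assumes Firefox-style manifests, and the group/world-writable test is an extra check beyond what the post describes.

```python
import json
import os
from pathlib import Path

# Per-user manifest directories named in the post. Other browsers and
# system-wide installs use other locations; pass those to scan().
DEFAULT_DIRS = [
    Path.home() / ".mozilla" / "native-messaging-hosts",
    Path.home() / ".config" / "mozilla" / "native-messaging-hosts",
]

def check_manifest(manifest_path):
    """Return a list of problems found in one Firefox-style manifest."""
    try:
        manifest = json.loads(Path(manifest_path).read_text())
    except (OSError, ValueError) as exc:
        return [f"unreadable manifest: {exc}"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    problems = []
    host = manifest.get("path")
    if not isinstance(host, str) or not host:
        problems.append('no "path" entry')
    elif not os.path.isabs(host):  # Linux manifests need an absolute path
        problems.append(f"host path is not absolute: {host}")
    elif not os.path.isfile(host):  # the failure described in the post
        problems.append(f"host binary missing: {host}")
    elif not os.access(host, os.X_OK):
        problems.append(f"host binary not executable: {host}")
    elif os.stat(host).st_mode & 0o022:  # extra hardening check (added)
        problems.append(f"host binary is group/world-writable: {host}")
    if manifest.get("type") != "stdio":
        problems.append(f'unexpected "type": {manifest.get("type")!r}')
    if not manifest.get("allowed_extensions"):
        problems.append('empty "allowed_extensions"')
    return problems

def scan(dirs=DEFAULT_DIRS):
    """Map each *.json manifest under dirs to its list of problems."""
    report = {}
    for d in map(Path, dirs):
        if d.is_dir():  # skip locations that do not exist on this system
            for f in sorted(d.glob("*.json")):
                report[str(f)] = check_manifest(f)
    return report

if __name__ == "__main__":
    for path, problems in scan().items():
        print(path, "; ".join(problems) or "OK")
```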

Fixing the problem

I used the wajig command wajig whichpkg to determine what package would include that file:

    $ wajig whichpkg /usr/bin/keepassxc-proxy
    keepassxc-full: /usr/bin/keepassxc-proxy

and wajig list keepassxc showed that I had keepassxc, not keepassxc-full. Furthermore, the package description of keepassxc includes

This package includes only the bare minimal functionality, and no security complications like networking, SSH agent, browser plugin, fdo secret storage. See keepassxc-full if you absolutely need those.

explaining that installing keepassxc-full is the intended fix if I want the browser extension to work.

Why did it change?

Looking at the Debian changelog for KeePassXC and for the browser extension package pointed me to bug #953529, where a user had requested that Debian ship the locked-down version of KeePassXC by default and require users to opt into the version that supports external connections, as that complexity necessarily increases the attack surface.

Seeing this, I could have taken the other approach of deciding to use the more locked-down version of KeePassXC, but that would both be less convenient and would give up the phishing protection inherent in a password manager in-browser.

Other discussion on the change

After I wrote this, I ran across discussions on multiple platforms where people were unhappy and arguing about the change. The main discussion was in a GitHub issue of the upstream KeePassXC project. I found other comments about that discussion in a Debian bug and the news aggregators SoylentNews and Hacker News.

