Cannot create new password generator profile in non-enforced configuration

Help
2023-11-29
2024-05-15
  • Ulrich Windl

    Ulrich Windl - 2023-11-29

    After googling, asking the net and doing a ProcessMonitor trace, I ended up here:
    I'm using a "normal" installation of KeePass on a Windows server via RDP.
    Everything seems to work normally, except the password generator:
    When trying to save a user-defined profile, the OK button has the additional "shield icon", and when I try to save, I'm asked for the administrator password (which I don't have for the server).
    I tend to believe it's a bug in KeePass, because when I tried the same on another machine (Windows 10 Pro, local login), it worked. Trying it, I see that a temporary file is created in %APPDATA%\Local\Temp and then renamed to %APPDATA%\Roaming\KeePass.config.xml

    On the server with the problem %APPDATA%\Roaming\KeePass.config.xml can be modified, so I don't understand the issue.
    The version is KeePass 2.54.

    Last edit: Ulrich Windl 2023-11-29
  • wellread1

    wellread1 - 2023-11-29

    Password Profiles are stored in the enforced configuration file beginning with KeePass 2.54. See the Important section of the KeePass 2.54 release notes. If writing to the KeePass program directory requires administrative privileges, they are also required to save password profiles. An administrator can create a few well designed general use password profiles and save them to the enforced configuration file.

     

    Last edit: wellread1 2023-11-29
    • Ulrich Windl

      Ulrich Windl - 2023-11-30

      So if an enforced profile does not exist, and the password generator profiles are stored in the user's profile, any new password generator profiles would be stored in a newly-created enforced profile, while a user could still define new password generator profiles by simply editing the user's profile?
      If that's true, that's at least a very bad design, but I think that's simply a bug (feature not completely implemented).

      Despite that, I think the text in the release notes is quite confusing:

      If you want to continue using your profiles, open the 'Password Generator' dialog (via the main menu item 'Tools' → 'Generate Password'), click the shield button (top right) and check all profiles (with regard to security, privacy, functionality, compatibility, etc.).

      The "you" that might want to use his/her profiles may not be the "you" who installed the software (and thus has admin rights), meaning: the "shield icon" is only available for administrators, right?

      I think the release notes should point out clearly what the administrator should do to allow users to create or continue using their password generator profiles.

       

      Last edit: Ulrich Windl 2023-11-30
  • Paul

    Paul - 2023-11-30

    You can save profiles in the database (sort of) as an alternative to the config file.
    https://sourceforge.net/p/keepass/discussion/329220/thread/41d6d34b9d/

    cheers, Paul

     
  • Paul

    Paul - 2023-11-30

    Profiles are moved to the enforced config file. You can no longer use / store them in the user config file.

    cheers, Paul

     
  • wellread1

    wellread1 - 2023-11-30

    So if an enforced profile does not exist, and the password generator profiles are stored in the user’s profile, any new password generator profiles would be stored in a newly-created enforced profile, while a user could still define new password generator profiles by simply editing the user’s profile?

    The assumptions in the statement above are incorrect. If the enforced profile (enforced configuration file) does not exist, KeePass ignores and discards password generator profiles added to the user config file. The new design improves security. It prevents a malicious actor with user level access to a computer from surreptitiously adding or modifying password generator profiles.

    I think the release notes should point out clearly what the administrator should do to allow users to create or continue using their password generator profiles.

    There are a few options:

    • The administrator can install, or allow users to install, a personal copy of KeePass into a user writable directory.

    • The administrator can add a few custom password profiles that together satisfy 99% of the password composition requirements imposed by sites. A few convenient password generation profiles that are organizationally approved, widely compatible, and generate strong passwords will increase the organization’s security and relieve the burden on users, whose lives probably don’t revolve around creating strong passwords. This task should fall well within the abilities of an administrator that has experience creating passwords.

    • The administrator can edit the enforced configuration file and add MergeContentMode="Merge" to the /Configuration/PasswordGenerator/UserProfiles element.
      See the Content Modes – Attribute 'MergeContentMode' (2.x) section, and the warning therein, of the KeePass Enforced Configuration documentation. The user will then be able to add as many custom password generator profiles as they wish by editing their local copy of the KeePass.config.xml.

     

    Last edit: wellread1 2023-11-30
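    As an added example, not from this thread and not KeePass project code: a Python script that performs the edit wellread1 describes, adding MergeContentMode="Merge" to the /Configuration/PasswordGenerator/UserProfiles element of the enforced configuration file (KeePass.config.enforced.xml in the application directory), creating a minimal file if none exists. It probes first whether the directory is writable at all, because that is exactly the privilege the shield button asks for. Function and constant names are mine and the sample file content is constructed. Keep the warning wellread1 points to in mind: once Merge is in effect, anyone who can write the user's own KeePass.config.xml can again add or change profiles, which is the thing the 2.54 change was meant to prevent, so this is a deliberate trade-off rather than a fix.

    ```python
    """Enable per-user password generator profiles in a KeePass enforced config.

    Added example (not KeePass project code). It edits KeePass.config.enforced.xml
    in the application directory, adding MergeContentMode="Merge" to
    /Configuration/PasswordGenerator/UserProfiles as described in the thread.
    """
    import os
    import tempfile
    import xml.etree.ElementTree as ET
    from typing import Optional

    ENFORCED_NAME = "KeePass.config.enforced.xml"

    # Constructed sample of an enforced file an administrator might already ship.
    # The xsi/xsd namespace declarations KeePass itself writes are left out here.
    SAMPLE_ENFORCED = """<?xml version="1.0" encoding="utf-8"?>
    <Configuration>
    \t<PasswordGenerator>
    \t\t<UserProfiles>
    \t\t</UserProfiles>
    \t</PasswordGenerator>
    </Configuration>
    """


    def dir_is_writable(directory: str) -> bool:
        """Probe by actually creating a file: os.access() is unreliable with
        Windows ACLs, and a failed create is precisely the 'needs admin' case."""
        try:
            fd, probe = tempfile.mkstemp(prefix=".kp-probe-", dir=directory)
        except OSError:
            return False
        os.close(fd)
        os.remove(probe)
        return True


    def merge_mode(app_dir: str) -> Optional[str]:
        """Return the MergeContentMode attribute of UserProfiles, or None when
        the enforced file or the element does not exist."""
        path = os.path.join(app_dir, ENFORCED_NAME)
        if not os.path.isfile(path):
            return None
        node = ET.parse(path).getroot().find("PasswordGenerator/UserProfiles")
        return None if node is None else node.get("MergeContentMode")


    def ensure_merge_mode(app_dir: str) -> bool:
        """Set MergeContentMode="Merge" on UserProfiles, creating the enforced
        file and the intermediate elements if needed. Returns True when the
        file was modified, False when the attribute was already in place.
        Raises PermissionError when the directory is not writable."""
        if not dir_is_writable(app_dir):
            raise PermissionError(f"{app_dir} is not writable; run as an administrator")
        path = os.path.join(app_dir, ENFORCED_NAME)
        if os.path.isfile(path):
            tree = ET.parse(path)
            root = tree.getroot()
            if root.tag != "Configuration":
                raise ValueError(f"{path}: root is <{root.tag}>, expected <Configuration>")
        else:
            root = ET.Element("Configuration")
            tree = ET.ElementTree(root)
        generator = root.find("PasswordGenerator")
        if generator is None:
            generator = ET.SubElement(root, "PasswordGenerator")
        profiles = generator.find("UserProfiles")
        if profiles is None:
            profiles = ET.SubElement(generator, "UserProfiles")
        if profiles.get("MergeContentMode") == "Merge":
            return False
        profiles.set("MergeContentMode", "Merge")
        ET.indent(tree, space="\t")
        tree.write(path, encoding="utf-8", xml_declaration=True)
        return True


    if __name__ == "__main__":
        # Demo against a throwaway directory rather than a real KeePass install.
        demo_dir = tempfile.mkdtemp()
        with open(os.path.join(demo_dir, ENFORCED_NAME), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ENFORCED)
        print("before:", merge_mode(demo_dir))
        print("changed:", ensure_merge_mode(demo_dir))
        print("after:", merge_mode(demo_dir))
        print("second run changed:", ensure_merge_mode(demo_dir))
    ```

    Run it with the real application directory (for example C:\Program Files\KeePass Password Safe 2) from an elevated prompt; the PermissionError from an unelevated one is the same condition that makes KeePass show the shield icon. The script is idempotent, so re-running it after a KeePass upgrade is harmless.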
  • Dom

    Dom - 2023-12-24

    It seems to me that this change has had a negative impact on regular users (non-corporate and home users) and I am trying to understand why this has been inflicted on us. So far all I can find is vague references to "security concerns"; what are these concerns and where is the discussion of them? Can anyone explain the rationale behind this change?

    • Paul

      Paul - 2023-12-25
       
      • Dom

        Dom - 2023-12-25

        Hi Paul,

        Thanks for the quick reply.
        Not wanting to drag up an old (and messy) issue, but...
        If I read that correctly there was a theoretical issue with triggers and exporting databases without prompting the user, which, if KeePass was configured via enforced config to require a password for export, was a non-issue. Kind of like being on the other side of an airtight hatch, as Raymond Chen would say.

        And now, due to that discussion, there are no more per-user triggers or password generator profiles, and there are no configuration options to have these per user?

        Cheers,
        Dom

         
  • Paul

    Paul - 2023-12-26

    Theoretical, yes.

    Triggers/password profiles are still available.
    Either store them in the enforced config (requires admin access), or use KeePass portable.

    cheers, Paul

     
  • Dom

    Dom - 2023-12-26

    Either store them in the enforced config (requires admin access), or use KeePass portable.

    The enforced config file is shared so that is not per user.

    As far as I can tell, Portable would require a separate copy per user, so no ability for any central admin.

    For my use case we have shared computers with one Admin user and multiple regular users; I can't have proper per-user triggers without giving up all enforced config. These are family computers, and previous to this change I was able to set per-user triggers to open the correct database for my kids when they logged on without them having to have the master password. From a security point of view this is acceptable, as it would require the system to already be compromised, or admin rights, for another user to change these.

    This seems like a worst-of-both-worlds style compromise. Are there any plans to review this design decision?

  • Paul

    Paul - 2023-12-26

    Are there any plans to review this design decision?

    And replace it with?
    All suggestions welcome. :)

    cheers, Paul

     
  • Dom

    Dom - 2023-12-26

    Hi Paul,

    Perhaps an option in the enforced config file that allows per user triggers.
    There is/was one "MergeContentMode" which seemed like it would do exactly this with a value of 'merge' but in my testing does not.
    Either make MergeContentMode="Merge"/"Replace" implicitly enable per-user triggers, or add a new config parameter that explicitly enables them, something like <PerUserTriggersEnabled>true</PerUserTriggersEnabled> under Application >> TriggerSystem.

    The second approach is probably better; then no one can complain, like in the thread you referenced, that it is a security issue, as it is explicit control of a 'new' feature and can't be done without write permissions to the app directory. That way those of us who want this and can take responsibility for our own security can enable it.

    Perhaps for the Password generator profiles a parameter <peruserprofilesenabled>true</peruserprofilesenabled> alongside the existing <profilesenabled>true</profilesenabled>. In case of conflicts with names then the Enforced config profile wins.

    Given a choice between these two I would vote for the per user triggers to be available over the per user password profiles.

    Thanks,
    Dom

     

    Last edit: Dom 2023-12-26
  • Paul

    Paul - 2023-12-26

    At present the triggers in the user config are disabled, so the "merge" function no longer works. We would probably need a new mechanism to contain / control per-user triggers.
    Triggers in the database have been suggested, but that wouldn't work in your scenario; password profiles in the database would.

    cheers, Paul

     

    Last edit: Paul 2023-12-27
    • Dom

      Dom - 2023-12-26

      At present the triggers in the user config are disabled so the "merge" function no longer works. We would probably need a new mechanism to contain / control per user triggers.

      How about the idea of a 'PerUserTriggersEnabled' config parameter in the Triggers config section of the enforced config file ?

       
  • Dominik Reichl

    Dominik Reichl - 2023-12-26

    Already possible, there's just no UI. See https://sourceforge.net/p/keepass/discussion/329220/thread/f3a64df33e/?limit=250#ed64/7fe7.

    Best regards,
    Dominik

     
    • Dom

      Dom - 2023-12-26

      Hi Dominik,

      Thanks for the input and can I say I really appreciate the work you do to make this excellent software.

      I have followed that again and I have it working again with Triggers and Password Generator profiles in my KeePass.config.xml under \AppData\Roaming\KeePass.
      If I edit the triggers in the GUI they all get copied to the enforced config file. I am pretty sure that is where I got lost in this came here looking for answers.

      I assume that they will then run for all users and we will see permission errors as we try to read from other users directories ?

      Regards,
      Dom

       
  • Dominik Reichl

    Dominik Reichl - 2023-12-26

    I'm glad that you like KeePass :-)

    You can create user-specific triggers as described on this page:
    https://keepass.info/help/v2/triggers.html
    (section 'User-Specific Triggers').

    Best regards,
    Dominik

     
    • Dom

      Dom - 2023-12-26

      Hi Dominik,

      Ok. Then I am best not to even try per-user triggers, just have them all in the enforced config file predefined by an admin user and then use the environment variable feature to make them only run when specific users are logged on, so as to only open the correct user's database?

      Surely I can't be the only one who thinks this is a lot of hoops to jump through to get back functionality that was in KeePass up until a couple of versions ago. Doubly so as these changes stem from a claimed security issue that seems more based on a misunderstanding of the Windows security model by one user than on an actual issue.

      I really do hope you see clear to review this and make its configuration and operation less like a test of endurance, although I can understand if you are past it and want to move on with other features.

      Regards,
      Dom

       
    • Dom

      Dom - 2023-12-27

      Actually, now I have given this a little more thought, I think this feature is working backwards. The way it works right now, non-enterprise users have to jump through hoops to get the software to behave as one would reasonably expect.
      If corporate/enterprise admins want enforced config it should be on them to opt in by creating and deploying the enforced config file.
      In the absence of an enforced config file KeePass should store the settings per user in the user's profile.

       
  • Mathias Hjärtström

    I'm very frustrated with this new "feature", as it only seems to make life much more difficult.

    Using KeePass in portable mode, I cannot seem to edit either the regular or enforced configuration so that the settings in PasswordGenerator UserProfiles are handled in even a remotely understandable way. I've tried MergeContentMode in Merge/Replace, setting values in either the user or enforced configurations, or both, removing the setting from either of them, or whatever...

    I just want to have a reliable configuration file that actually does what it claims to do. If I make a change, it should apply next time I open the program and if I copy the configuration files the same settings should apply the same way each and every time!

    Have you even tried running the program in portable mode...?

     
  • Paul

    Paul - 2024-05-15

    Working fine for me using V2.56 portable.

    How have you installed KeePass?
    Is the folder containing KeePass.exe writable?
    Do you have this in KeePass.config.xml?

        <Meta>
            <PreferUserConfiguration>false</PreferUserConfiguration>
        </Meta>
    

    cheers, Paul

     
  • Mathias Hjärtström

    I've simply unpacked the compressed file into a directory, where the config files are stored alongside the KeePass executable. It is writable and the mentioned setting is present in the file, yes.

     
  • Ahmad MughaL

    Ahmad MughaL - 2024-05-15

    Very Helpful content

     
  • Paul

    Paul - 2024-05-15

    If you already had KeePass installed the portable version would pick up those settings and attempt to save the profiles in the installation directory.

    To fix this, make a new KeePass.config.xml in the portable directory. See this post.

    cheers, Paul
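    As an added example (my code, not KeePass's, and not part of the thread), here is the check behind Paul's three questions above and his last reply, written as a Python script that works out which KeePass.config.xml a given copy of KeePass will actually use. As I understand the KeePass configuration documentation, the rule is: the global KeePass.config.xml next to KeePass.exe is used when that directory is writable and its Meta/PreferUserConfiguration is not true; otherwise KeePass falls back to the per-user file at %APPDATA%\KeePass\KeePass.config.xml. The installer sets PreferUserConfiguration to true and the portable ZIP ships it as false, which is why an unpacked copy that ends up with the wrong value, or sitting in a read-only folder, silently behaves like an installed copy. Function names are mine, the two sample config files are constructed, and the writability probe deliberately creates a file rather than trusting os.access().

    ```python
    """Which KeePass.config.xml will this copy of KeePass actually use?

    Added example (not KeePass project code). Implements the resolution rule from
    the KeePass configuration documentation: the global file next to KeePass.exe
    is used if the directory is writable and Meta/PreferUserConfiguration is not
    true, otherwise the per-user file under %APPDATA%\\KeePass.
    """
    import os
    import tempfile
    import xml.etree.ElementTree as ET

    GLOBAL_NAME = "KeePass.config.xml"

    # Constructed samples: what the portable ZIP ships vs. what the installer writes.
    PORTABLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
    <Configuration>
    \t<Meta>
    \t\t<PreferUserConfiguration>false</PreferUserConfiguration>
    \t</Meta>
    </Configuration>
    """
    INSTALLED_CONFIG = PORTABLE_CONFIG.replace(">false<", ">true<")


    def dir_is_writable(directory: str) -> bool:
        """Probe by creating a file; os.access() does not reflect Windows ACLs."""
        try:
            fd, probe = tempfile.mkstemp(prefix=".kp-probe-", dir=directory)
        except OSError:
            return False
        os.close(fd)
        os.remove(probe)
        return True


    def prefer_user_configuration(app_dir: str) -> bool:
        """True only if KeePass.config.xml next to the exe says so; a missing
        file or element counts as false (the default)."""
        path = os.path.join(app_dir, GLOBAL_NAME)
        if not os.path.isfile(path):
            return False
        node = ET.parse(path).getroot().find("Meta/PreferUserConfiguration")
        return node is not None and (node.text or "").strip().lower() == "true"


    def resolve_config_path(app_dir: str, appdata_dir: str) -> str:
        """Path of the configuration file KeePass will read and write."""
        if dir_is_writable(app_dir) and not prefer_user_configuration(app_dir):
            return os.path.join(app_dir, GLOBAL_NAME)
        return os.path.join(appdata_dir, "KeePass", GLOBAL_NAME)


    def diagnose(app_dir: str, appdata_dir: str) -> dict:
        """Answers to 'is the folder writable?', 'is PreferUserConfiguration
        set?' and 'is this copy really running portable?' in one place."""
        in_use = resolve_config_path(app_dir, appdata_dir)
        return {
            "app_dir_writable": dir_is_writable(app_dir),
            "prefer_user_configuration": prefer_user_configuration(app_dir),
            "config_in_use": in_use,
            "portable": os.path.dirname(in_use) == os.path.normpath(app_dir),
        }


    if __name__ == "__main__":
        # Demo with throwaway directories standing in for the app folder; on a
        # real machine pass the folder containing KeePass.exe and %APPDATA%.
        appdata = os.environ.get("APPDATA", tempfile.mkdtemp())
        for label, content in (("portable ZIP", PORTABLE_CONFIG),
                               ("installer", INSTALLED_CONFIG)):
            app = tempfile.mkdtemp()
            with open(os.path.join(app, GLOBAL_NAME), "w", encoding="utf-8") as fh:
                fh.write(content)
            print(label, diagnose(app, appdata))
    ```

    If `portable` comes back False for a copy you unpacked yourself, the two things to fix are exactly the ones Paul lists: make the folder writable and put a fresh KeePass.config.xml with PreferUserConfiguration set to false beside KeePass.exe, so that the leftover settings under %APPDATA%\KeePass from an earlier installed copy stop being picked up.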

     
