I’m using Nitrokey Pro on Linux (openSUSE, Manjaro and Mint). My question are related to the use og the password manager, and may extend to OTP. When selecting a password it is copied to the clipboard where it can be found in clear text. And it will stay there until it is manually deleted, over-written or you log out. The clipboard is known to be a security risk as any application can read its content. And anyone gaining physical access to your logged in computer can quickly read it. I am also using Keepass as a password manager, and it will clear what you have copied to the clipboard after a predetermined time. Is it possible to have such a timeout in the Nitrokey App?
Knut H.
Hello!
Nitrokey App clears the clipboard from copied secret after 60 or 120 seconds depending on which one is copied (AFAIR 60 for passwords / OTP, 120 for OTP base64 secrets). Would you like to change the time periods to shorter ones or have such possibility in configuration?
Edit: I have checked - on v1.1 clipboard is always cleared after 60 seconds.
On my openSuse Leap 42.2, the password is still available on the clipboard after 5 10 minutes. And yes, I would like to be able to configure a short time out period.
Knut H.
What Application version do you use?
I use 0.6.3 from the openSUSE repositories. I see on the Nitrokey site that 1.1 is the latest. Is an upgrade an openSUSE issue, or are the latest version not pushed to the repository? Will I get the 1.1 if I install from source?
Knut H.
Indeed, it looks like package has not been rebuilt for latest version link.
Yes, installation from source should be straightforward. It needs Qt5.5 (0.6.3 worked on Qt4).
Quick compilation guide below, (details are in readme).
git clone https://github.com/Nitrokey/nitrokey-app.git --recursive
cd nitrokey-app
mkdir build
cd build
cmake ..
make -j2
#install is optional - needed only for udev rules to be copied, could be done manually too
make install
Edit: just checked and the issue is not occurring on v1.1, Ubuntu 16.10, Storage v0.45 - clipboard was correctly cleared.
Edit: without udev rules (allowing to use USB devices by user) it might not be possible to use the Application without root privileges
I get an error at command “make -j2”:
knu104@ws-ism-knuth:~/Nedlastinger/Nitrokey/git/nitrokey-app/build> make -j2
Scanning dependencies of target nitrokey-app.debug_automoc
Scanning dependencies of target nitrokey-static-log
[ 1%] Automatic moc, uic and rcc for target nitrokey-app.debug
[ 2%] Building CXX object libnitrokey/CMakeFiles/nitrokey-static-log.dir/command_id.cc.o
Generating ui_aboutdialog.h
Generating ui_licensedialog.h
Generating ui_mainwindow.h
Generating ui_pindialog.h
Generating ui_stick20changepassworddialog.h
Generating ui_stick20debugdialog.h
Generating ui_stick20hiddenvolumedialog.h
Generating ui_stick20lockfirmwaredialog.h
Generating ui_stick20responsedialog.h
Generating ui_stick20updatedialog.h
[ 3%] Building CXX object libnitrokey/CMakeFiles/nitrokey-static-log.dir/device.cc.o
Generating moc_Authentication.cpp
Generating moc_Clipboard.cpp
Generating moc_StorageActions.cpp
Generating moc_Tray.cpp
Generating moc_ThreadWorker.cpp
Generating moc_libada.cpp
Generating moc_aboutdialog.cpp
Generating moc_licensedialog.cpp
Generating moc_mainwindow.cpp
In file included from /home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:7:0:
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/include/device.h:14:26: error: ‘chrono_literals’ is not a namespace-name
using namespace std::chrono_literals;
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/include/device.h:14:41: error: expected namespace-name before ‘;’ token
using namespace std::chrono_literals;
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc: In constructor ‘nitrokey::device::Stick10::Stick10()’:
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:196:44: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4108, DeviceModel::PRO, 100ms, 5, 100ms)
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:196:54: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4108, DeviceModel::PRO, 100ms, 5, 100ms)
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc: In constructor ‘nitrokey::device::Stick20::Stick20()’:
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:203:48: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4109, DeviceModel::STORAGE, 20ms, 20, 20ms)
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:203:58: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4109, DeviceModel::STORAGE, 20ms, 20, 20ms)
^
libnitrokey/CMakeFiles/nitrokey-static-log.dir/build.make:86: recipe for target ‘libnitrokey/CMakeFiles/nitrokey-static-log.dir/device.cc.o’ failed
make[2]: *** [libnitrokey/CMakeFiles/nitrokey-static-log.dir/device.cc.o] Error 1
CMakeFiles/Makefile2:227: recipe for target ‘libnitrokey/CMakeFiles/nitrokey-static-log.dir/all’ failed
make[1]: *** [libnitrokey/CMakeFiles/nitrokey-static-log.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs…
Generating moc_pindialog.cpp
Generating moc_stick20changepassworddialog.cpp
Generating moc_stick20debugdialog.cpp
Generating moc_stick20hiddenvolumedialog.cpp
Generating moc_stick20lockfirmwaredialog.cpp
Generating moc_stick20responsedialog.cpp
Generating moc_stick20updatedialog.cpp
[ 3%] Built target nitrokey-app.debug_automoc
Makefile:149: recipe for target ‘all’ failed
make: *** [all] Error 2
knu104@ws-ism-knuth:~/Nedlastinger/Nitrokey/git/nitrokey-app/build> sudo make -j2
[ 1%] Automatic moc, uic and rcc for target nitrokey-app.debug
[ 2%] Building CXX object libnitrokey/CMakeFiles/nitrokey-static-log.dir/device.cc.o
[ 2%] Built target nitrokey-app.debug_automoc
Scanning dependencies of target nitrokey-app_automoc
[ 3%] Automatic moc, uic and rcc for target nitrokey-app
Generating ui_aboutdialog.h
Generating ui_licensedialog.h
Generating ui_mainwindow.h
Generating ui_pindialog.h
Generating ui_stick20changepassworddialog.h
Generating ui_stick20debugdialog.h
Generating ui_stick20hiddenvolumedialog.h
Generating ui_stick20lockfirmwaredialog.h
Generating ui_stick20responsedialog.h
Generating ui_stick20updatedialog.h
Generating moc_Authentication.cpp
Generating moc_Clipboard.cpp
Generating moc_StorageActions.cpp
In file included from /home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:7:0:
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/include/device.h:14:26: error: ‘chrono_literals’ is not a namespace-name
using namespace std::chrono_literals;
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/include/device.h:14:41: error: expected namespace-name before ‘;’ token
using namespace std::chrono_literals;
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc: In constructor ‘nitrokey::device::Stick10::Stick10()’:
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:196:44: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4108, DeviceModel::PRO, 100ms, 5, 100ms)
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:196:54: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4108, DeviceModel::PRO, 100ms, 5, 100ms)
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc: In constructor ‘nitrokey::device::Stick20::Stick20()’:
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:203:48: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4109, DeviceModel::STORAGE, 20ms, 20, 20ms)
^
/home/knu104/Nedlastinger/Nitrokey/git/nitrokey-app/libnitrokey/device.cc:203:58: error: unable to find numeric literal operator ‘operator"" ms’
Device(0x20a0, 0x4109, DeviceModel::STORAGE, 20ms, 20, 20ms)
^
libnitrokey/CMakeFiles/nitrokey-static-log.dir/build.make:86: recipe for target ‘libnitrokey/CMakeFiles/nitrokey-static-log.dir/device.cc.o’ failed
make[2]: *** [libnitrokey/CMakeFiles/nitrokey-static-log.dir/device.cc.o] Error 1
CMakeFiles/Makefile2:227: recipe for target ‘libnitrokey/CMakeFiles/nitrokey-static-log.dir/all’ failed
make[1]: *** [libnitrokey/CMakeFiles/nitrokey-static-log.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs…
Generating moc_Tray.cpp
Generating moc_ThreadWorker.cpp
Generating moc_libada.cpp
Generating moc_aboutdialog.cpp
Generating moc_licensedialog.cpp
Generating moc_mainwindow.cpp
Generating moc_pindialog.cpp
Generating moc_stick20changepassworddialog.cpp
Generating moc_stick20debugdialog.cpp
Generating moc_stick20hiddenvolumedialog.cpp
Generating moc_stick20lockfirmwaredialog.cpp
Generating moc_stick20responsedialog.cpp
Generating moc_stick20updatedialog.cpp
[ 3%] Built target nitrokey-app_automoc
Makefile:149: recipe for target ‘all’ failed
make: *** [all] Error 2
Knut H.
It looks like you have a C++ compiler not supporting C++14 standard. Is it possible to install GCC 5.0 or Clang 3.4 (possibly 3.3?) on your workstation and use it for compilation?
I have had no luck compiling the source from git, even if I use the gcc v5 compiler. However I found an rpm with nitrokey-app v. 1.1 at https://github.com/Nitrokey/nitrokey-app/releases and installed that successfully.
So, reverting to my original question about clearing the clipboard, I find that the copied password is still available on the clipboard after more than 15 minutes. And yes, I am sure I’m using version 1.1.
Knut H.
Glad it worked for you with the package.
Could you share are you using unicode characters in the password? I might have tested ASCII back then.
I have registered an issue from your description here: #263. Could you write please a reproduction route for it? Just to be sure the issue is fixed or not.
Also added mentioned enhancement as #262
You have wrote before that you are using other OSes too. Is it occurring on Mint?
Yes, I am using unicode. I have also tried to add a test password with only ASCII-characters, and it remains on the clipboard still after 30 minutes.
I don’t have any PC with Mint anymore. I have, however, downloaded the source from git onto my Manjaro laptop. It compiled without problems. But nitrokey-app shows the same behavior. The password remains on the clipboard.
Knut H.
I see. I will let you know once this is solved. Thank you for testing!
Hey,
I tested today on OpenSuse 42.3 and could not reproduce the behavior. The Clipboard got deleted after two minutes.
I tried
- @30lW’A@m+JDb%+4q<Zj
- áśdḱĺfj
Both worked fine. So I guess it is something else. Can you still try these two passwords to make sure it has nothing to do with the exact passwords you are use?
Kind regards
Alex
Hi @knuth !
Please post exact reproduction path on which the issue occurs on your side. Please also post environment details for formality: OS version, App version, device model and version (you can follow issue template if you would like to). Do I understand correctly this issue is occurring for you on both v1.1 and v0.6.3?
Hi!
I’m very sorry to respond so late. As I can see there is a difference between v1.1 and v0.6.3. In v.1.1 an entry of blanks are added to the clipboard, which means that you cannot directly paste the password to anywhere else. This does not happen in v0.6.3. However, in v1.1, the password remains in the clipboard (klipper) history in clear text, and it can be easily retrieved. It is possible to get around this behaviour by configurating klipper to only hold one entry. But that would cripple klippers functionality severely. I can delete individual entries in the klipper history, and that is what I would prefer the Nitrokey app to do as well.
Knut
Hi,
ah… so you are using Klipper? Well Klipper is meant to cache the clipboard, isn’t it? I don’t see how we can circumvent this. Maybe there is a cli which let us deleting the last entry. As the Nitrokey App is done to work on many different systems and setups I am not sure whether this would be a good idea though 
Can you have a look, if everything works as intended when Klipper is turned off?
And you are saying, that the password is not copyied in Klipper when using 0.6.3 but it is when using 1.1?
Kind regards
Alex
Klipper is the default clipboard manager in openSuse. I assume that most (all?) Linux distributions are using some clipboard manager. And I would guess that keeping several entries are part of the basic functionality of that. If there are other managers (for KDE) that is easier for the Nitrokey app to interface against, I’ll be happy to try one out.
The difference between v0.6.3 an 1.1 is that the password remains on top of the clipboard stack in v0.6.3, ie. it can be pasted in to any application for ever as long as you don’t copy some other item into the clipboard, in which case it get pushed back in the history stack. But remains available and readable. In v1.1 of the Nitrokey app it seems as a dummy entry of several blanks are copied to the clipboard so that it will not longer be possible to immediately use ctrl-v to paste the top entry somewhere else. But the original password is still in the clipboard stack and can be selected. I assume that some malicious program could read the clipboard history and thereby access password information.
Knut
1 Like
Hi @knuth!
Now it is clear where the issue came from. Actually I believe no clipboards managers are delivered (=shipped by default) in Gnome and Unity (perhaps KDE only?) and this is why we have not realized what is this issue about at the beginning.
This is actually quite fine observation. The workaround for it would be copying 20 (or more if the manager has higher entries count limit) random strings to the clipboard to overwrite its history. Actual interfacing with the clipboard manager to remove the specific entry (and save the rest of the memorized copied chunks) will be rather troublesome. I hope this solution will satisfy you.
Issue created: #293