Account recovery fails - "This key doesn't match any account"

I’ve attempted to exercise the account recovery methods outlined at: https://help.passbolt.com/faq/security/change-passphrase

I go to mypassbolturi/app/settings/keys

Then I press the download private key button. I save this file.

Taking that key to mypassbolturi/recovery and importing it in the 2nd step results in an error saying: “This key doesn’t match any account.”

I get this error regardless of whether or not I’ve changed the GPG key’s password.

Does the passbolt app export keys from the profile page in a format that is consistent with the recovery mechanism’s import feature?

Hi @jtillman, if it isn’t consistent, I can’t see how anyone has been able to recover keys?

My question would be, after you change the password on the key from your own keyring, what is happening to the file before you import it to passbolt? Or, what kind of file format are you saving it to when downloading? Maybe the file is getting characters added or is formatted badly.

It looks like a standard gpg private key to me. Like the following, where ‘stuff’ is the content of my key.

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.5.5
Comment: https://openpgpjs.org

stuff

-----END PGP PRIVATE KEY BLOCK-----

I’m just exporting the file from the user profile page then importing it in the recovery page. This is without using gpg to change the key’s password, so I’m kind of surprised it didn’t (apparently) work.

Does the account recovery utility work with the file you get from using the private key exporter from your user profile page? Or is it expecting a different file/key?

Have you used the account recovery utility before? Have you tried using it on the private key you can export from your profile page? I’m just trying to understand whether what I’m seeing is an application bug or if I’m using the app incorrectly.

@jtillman

Yes, I would be too.

Yes.

Yes, many times. Each time was either after an extension reinstall or installation on new browser.

  • You are not getting warnings of any kind at all? Any logs?
  • Are you uninstalling the extension and then reinstalling?
  • Is it possible you are using another extension that is affecting the Passbolt extension?

Thanks for confirming that the feature does in fact work. Was able to verify functionality - was dealing with a combination of not using the -a flag when exporting my key as well as long delays on the passbolt recovery email due to our environment’s filtering.

Was able to in the end verify the feature’s functionality - thanks again.

edit: Actually - the issue seems to be that you cannot change your password while still logged into the app. Not sure if this is documented somewhere and I missed it, but I’m consistently getting the ‘key doesn’t match any users’ error message if I’m authenticated to passbolt (in one of my 10,000 browser tabs) while attempting the my-passbolt-uri/recovery workflow. Logging out beforehand allows the recovery process to complete successfully.

Thanks again for verifying that the process worked.

This error message/failure path is insufficient. There should be reasonable messaging to say you need to be logged out of the app to do the password reset process. Even just changing the wording to ‘This key doesn’t match any account, log out of passbolt and try again’ would have covered my issue.
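A small pre-flight check for the workaround described in this thread, added here as an example (not from the thread and not Passbolt’s own tooling): it verifies that an exported key file is an ASCII-armored private key block before it goes into /recovery (the missing -a flag case), and wraps the gpg round-trip for changing the passphrase in a throwaway keyring. File paths are placeholders; gpg must be on PATH for the second function.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Passbolt.

# Return 0 if FILE is an ASCII-armored OpenPGP *private* key block, which is
# the shape of the file the Passbolt profile page exports; otherwise print
# the reason and return 1.
check_armored_private_key() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file"; return 1; }
  first=$(head -n 1 "$file" | tr -d '\r')
  case "$first" in
    "-----BEGIN PGP PRIVATE KEY BLOCK-----") ;;
    "-----BEGIN PGP PUBLIC KEY BLOCK-----")
      echo "public key block, not the private key"; return 1 ;;
    *)
      # A key exported from gpg without -a/--armor is binary: the first line
      # is not an armor header at all.
      echo "not ASCII-armored (re-export with gpg --armor)"; return 1 ;;
  esac
  grep -q -- '-----END PGP PRIVATE KEY BLOCK-----' "$file" \
    || { echo "missing END line, file is truncated"; return 1; }
  return 0
}

# Change the passphrase of a key exported from Passbolt and write a fresh
# armored export to OUTFILE. An isolated temporary GNUPGHOME keeps the
# user's own keyring untouched. gpg prompts for the old and new passphrase.
change_passphrase_and_export() {
  keyfile="$1"; outfile="$2"
  tmpdir=$(mktemp -d); chmod 700 "$tmpdir"
  gpg --homedir "$tmpdir" --batch --import "$keyfile"
  # Fingerprint of the imported secret key (field 10 of the "fpr" record).
  fpr=$(gpg --homedir "$tmpdir" --list-secret-keys --with-colons \
        | awk -F: '$1=="fpr"{print $10; exit}')
  gpg --homedir "$tmpdir" --passwd "$fpr"
  # --armor is the long form of -a; without it the export is binary and
  # the recovery importer does not recognise the file.
  gpg --homedir "$tmpdir" --armor --export-secret-keys "$fpr" > "$outfile"
  rm -rf "$tmpdir"
  check_armored_private_key "$outfile"
}
```

The check only covers the file format; as the thread notes, you still need to log out of passbolt before opening /recovery.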

@jtillman It seems like you are making the assumption that someone who is logged in would be trying to restore their key.

The more reasonable assumption is that a user who is using the account recovery process is doing so because they cannot access their account without going through those steps.

To tell that user to log out would seem very odd, wouldn’t it?

No, the workflow here is a user has their key but wants to (or is required to by policy) change the passphrase. They then export their key, change the key passphrase, and import the key (with new passphrase) back into their account.

I know this probably isn’t the ‘intended, expected’ use of the /recovery workflow, but I’m unaware of any other way to change an account’s passphrase. It’s also seemingly what passbolt suggests via passbolt-dot-com/faq/security/change-passphrase

Even just updating the change-passphrase documentation to include a ‘you must be logged out to complete the account recovery process’ would be sufficient. As-is, users get a weird error message (I just exported this key from my passbolt profile, but the recovery workflow says it doesn’t acknowledge this key as being associated with any accounts).

@jtillman You are right but using this method is currently a workaround to an as of yet unavailable feature.

See: https://github.com/passbolt/passbolt_api/issues/112

Admittedly, a not very friendly workaround, but a workaround.
