[zypp-devel] CredentialManager to get data for authentication
Hi,

I just committed an initial version of the zypp::media::CredentialManager (CM) class (http://lists.opensuse.org/zypp-commit/2008-09/msg00057.html), which serves for manipulation of the global and the user's credential files. These are by default /etc/zypp/credentials (world readable, or group readable?) and ~/.zypp/credentials.

CM is used by the media backend (currently only MediaCurl) to retrieve the username/password in case it needs to authenticate to the target URL. If CM fails to find the credentials, MediaCurl will ask the user via a callback to provide them. It will also ask the user whether and where (global/user's) to save them and will use CM to save them after successful authentication.

The current solution uses simple text files containing one URL per line, _containing_ also 'username:password@'. These URLs are then fed to the zypp::Url constructor, which parses them into an object from which you can get the username and password, as well as compare with other URLs using different zypp::url::ViewOption, etc. This solution satisfies our current needs, but it could be extended in the future if needed. zypp::media::CredentialFileReader takes care of returning one AuthData_Ptr per valid line of the input file, so if you don't like the 'URL' solution, we just need to change the reader/writer.

Three things to do yet (in order of importance):
- for services, propagate the credentials down to their repos when refreshing the service, or use the service's credentials when refreshing the repos. I don't know how to do this yet.
- write CredentialFileWriter to be used by the CredentialManager::save*() methods, plus a callback asking the user to decide whether they want to save the credentials in the global file or the user's own.
- need a way to pass CredManagerOptions into MediaCurl (where the CredentialManager is currently used). Currently I'm just able to prefix Target::root() to the default credential file paths.
Later we can add an interface to zypper to manage this data: list, remove, add records, etc.

Comments/suggestions are welcome.

cheers,
jano

--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
For additional commands, e-mail: zypp-devel+help@opensuse.org
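As an added example that is not part of the original post and not libzypp code, here is a small Python reader for the one-URL-per-line catalog format described above, followed by a lookup that compares a target URL with each entry after stripping the userinfo (the kind of comparison the post attributes to zypp::url::ViewOption). The catalog contents are constructed for the example; the longest-path-prefix matching rule and all function names are my assumptions, not libzypp's behaviour.

```python
"""Added example, not libzypp code: read a one-URL-per-line credential catalog
and look up credentials for a target URL.  Sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import SplitResult, unquote, urlsplit


@dataclass(frozen=True)
class AuthData:
    """One catalog entry: the URL it applies to (userinfo removed) plus the pair."""
    url: str
    username: str
    password: str


def _strip_userinfo(parts: SplitResult) -> str:
    """Rebuild scheme://host[:port]/path?query without user:password@, so that
    a catalog entry and a target URL can be compared on everything else.
    (.hostname lowercases the host; IPv6 literals are not handled here.)"""
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return SplitResult(parts.scheme.lower(), netloc, parts.path or "/",
                       parts.query, "").geturl()


def parse_credential_line(line: str) -> Optional[AuthData]:
    """Return an AuthData for a valid catalog line, None for blank, comment or
    invalid lines (the reader described in the post skips invalid lines).
    Username and password are percent-decoded, so '@' or ':' inside a
    password must be stored encoded (%40, %3A) to survive URL parsing."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = urlsplit(line)
    if not parts.scheme or not parts.hostname or not parts.username:
        return None
    return AuthData(_strip_userinfo(parts),
                    unquote(parts.username),
                    unquote(parts.password or ""))


def read_catalog(text: str) -> List[AuthData]:
    entries = (parse_credential_line(l) for l in text.splitlines())
    return [e for e in entries if e is not None]


def find_credentials(catalog: List[AuthData], target_url: str) -> Optional[AuthData]:
    """Assumed matching rule: same scheme and host[:port], and the entry's path
    is a directory prefix of the target path; the longest such prefix wins."""
    target = urlsplit(_strip_userinfo(urlsplit(target_url)))
    tpath = target.path.rstrip("/") + "/"
    best: Optional[AuthData] = None
    best_len = -1
    for entry in catalog:
        e = urlsplit(entry.url)
        if e.scheme != target.scheme or e.netloc != target.netloc:
            continue
        epath = e.path.rstrip("/") + "/"
        if tpath.startswith(epath) and len(epath) > best_len:
            best, best_len = entry, len(epath)
    return best


# Constructed sample catalog (not a real /etc/zypp/credentials file).
SAMPLE_CATALOG = """\
# one URL per line, credentials embedded as username:password@
https://alice:s3cr%40t@updates.example.org/repo/main
http://bob:pw@mirror.example.org:8080/
# the next two lines are invalid and must be skipped: no userinfo / not a URL
https://updates.example.org/nouser
not a url at all
"""

if __name__ == "__main__":
    cat = read_catalog(SAMPLE_CATALOG)
    hit = find_credentials(cat, "https://updates.example.org/repo/main/repodata/repomd.xml")
    print(hit)  # AuthData(url='https://updates.example.org/repo/main', username='alice', password='s3cr@t')
    print(find_credentials(cat, "https://updates.example.org/other"))  # None
```

Because the catalog line is itself a URL, a password containing '@' or ':' must be percent-encoded on disk, otherwise the parser splits the line in the wrong place; that is the practical cost of the "one URL per line" format that the thread later weighs against a username=/password= file.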
Hi,

On Monday, 8 September 2008, Jan Kupec wrote:
Hi,
Current solution uses simple text files containing one URL per line, _containing_ also 'username:password@'. These URLs are then fed to the zypp::Url constructor which parses them into an object from which you can get the username and password, as well as compare with other URLs using different zypp::url::ViewOption, etc...
I would like to see an enhancement to this. It should be possible to write a pointer to a file into the URL. With this we have the possibility to use the same credentials for more than one repo/service.

Proposal:

https://hostname.domain.top/path/?credentials=/etc/credentials.d/mycredentia...

The credential file has the format:

username=...
password=...

(or something similar, if curl supports credentials from a file)

The current implementation can stay. So http://username:password@hostname.domain.to/path is an alternative.

--
Regards
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0 F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Michael Calmer wrote:
Hi,
On Monday, 8 September 2008, Jan Kupec wrote:
Hi,
Current solution uses simple text files containing one URL per line, _containing_ also 'username:password@'. These URLs are then fed to the zypp::Url constructor which parses them into an object from which you can get the username and password, as well as compare with other URLs using different zypp::url::ViewOption, etc...
I would like to see an enhancement to this. It should be possible to write a pointer to a file into the URL. With this we have the possibility to use the same credentials for more than one repo/service.
Proposal:
https://hostname.domain.top/path/?credentials=/etc/credentials.d/mycredentia...
OK, I like this as a third way to store/get credentials. So to sum it up, the media backend would look at:

1) global, world readable:
/etc/zypp/credentials.d/* files (in case of INI format) OR /etc/zypp/credentials file (in case of one URL/line format)
(which one do you like more? Note that the files in the credentials.d dir would have to have random names in case the name is not supplied in ?credentials=filename (without path))

2) user readable
~/.zypp/credentials.d/* or ~/.zypp/credentials

3) user specified file (world/user readable?)
look at the file provided as ?credentials=/absolute/path/credfile
- the URL has to be saved with this parameter
- Q: isn't revealing the location of the credentials file a security issue?
The credential file has the format:
username=... password=...
(or something similar, if curl supports credentials from a file)
plus a URL, in case the location is not part of the URL as the 'credentials' parameter. The URL could be the INI section name: [URL]. As suggested above, this would require saving each credential in a separate file. Or we could still put all the credentials in one file (except for those user-specified) and separate them by the [URL] sections.
The current implementation can stay. So http://username:password@hostname.domain.to/path is an alternative.
I guess one format should be enough :O) So I'll wait a bit for some votes choosing one of them.

--
cheers,
jano
On Tue, Sep 16, Jan Kupec wrote:
look at the file provided as ?credentials=/absolute/path/credfile
- the URL has to be saved with this parameter - Q: isn't revealing of the location of the credentials file a security issue?
I don't think so. Everybody knows that passwords are stored in /etc/passwd. This does not make it less secure.
The credential file has the format:
username=... password=...
(or something similar, if curl supports credentials from a file)
plus a URL, in case the location is not part of the URL as the 'credentials' parameter. The URL could be the INI section name: [URL].
This kind of credential file was meant to be independent from the URL, i.e. even usable with multiple URLs. Not a catalog of credentials. Such a file should contain _one_ username/password pair. Nothing else.

--
cu,
Michael Andres
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
YaST Development, ma@novell.com
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 740 53-0
Michael Andres wrote:
On Tue, Sep 16, Jan Kupec wrote:
look at the file provided as ?credentials=/absolute/path/credfile
- the URL has to be saved with this parameter - Q: isn't revealing of the location of the credentials file a security issue?
I don't think so. Everybody knows that passwords are stored in /etc/passwd. This does not make it less secure.
true
The credential file has the format:
username=... password=...
(or something similar, if curl supports credentials from a file)
plus a URL, in case the location is not part of the URL as the 'credentials' parameter. The URL could be the INI section name: [URL].
This kind of credential file was meant to be independent from the URL, i.e even usable with multiple URLs. Not a catalog of credentials.
Such a file should contain _one_ username/password pair. Nothing else.
I agree, I wrote "in case the location is not part of the URL as the 'credentials' parameter". I just say we need to put the URL there as long as the location of the cred. file is not supplied by the user. Or?

--
cheers,
jano
On Tue, Sep 16, Jan Kupec wrote:
I agree, i wrote "in case the location is not part of the URL as the 'credentials' parameter". I just say we need to put the URL there as long as the location of the cred. file is not supplied by the user. Or?
I mistook this. Yes, credential catalogs with URL, and individual files without.

--
cu,
Michael Andres
Hi,

On Tuesday, 16 September 2008, Jan Kupec wrote:
Michael Calmer wrote:
Hi,
On Monday, 8 September 2008, Jan Kupec wrote:
Hi,
Current solution uses simple text files containing one URL per line, _containing_ also 'username:password@'. These URLs are then fed to the zypp::Url constructor which parses them into an object from which you can get the username and password, as well as compare with other URLs using different zypp::url::ViewOption, etc...
I would like to see an enhancement to this. It should be possible to write a pointer to a file into the URL. With this we have the possibility to use the same credentials for more than one repo/service.
Proposal:
https://hostname.domain.top/path/?credentials=/etc/credentials.d/mycredential
OK, i like this as a third way to store/get credentials. So to sum it up, the media backend would look at:
1) global, world readable:
Having credentials world readable is bad. I would suggest having them 600 root root in etc/[zypp]/credentials.d/. A normal user cannot use them. A normal user should use 2).
/etc/zypp/credentials.d/* files (in case of INI format) OR /etc/zypp/credentials file (in case of one URL/line format)
(which one do you like more? Note that the files in the credentials.d dir would have to have random names in case the name is not supplied in ?credentials=filename (without path))
I would suggest that "?credentials=filename" in the service or repo file means:
If the user is "root": look into /etc/zypp/credentials.d/<filename>.
If the user is not root: look into ~/.zypp/credentials.d/<filename>.
2) user readable
~/.zypp/credentials.d/* or ~/.zypp/credentials
3) user specified file (world/user readable?)
look at the file provided as ?credentials=/absolute/path/credfile
- the URL has to be saved with this parameter - Q: isn't revealing of the location of the credentials file a security issue?
The credential file has the format:
username=... password=...
(or something similar, if curl supports credentials from a file)
plus a URL, in case the location is not part of the URL as the 'credentials' parameter. The URL could be the INI section name: [URL].
No. The URL in a service or repo defines which credential file to use. Not the other way round. This is the only way to use one credential file for more than one service or repo.
As suggested above, this would require to save each credentials in a separate file. Or we still could put all the credentials in one file (except for those user-specified) and separate them by the [URL] sections.
I do not like the idea of INI. One file per credential is easy. In case somebody has to replace a credential, it is much easier to remove the file and create a new one with the new credentials under the same name.
The current implementation can stay. So http://username:password@hostname.domain.to/path is an alternative.
I guess one format should be enough :O) So I'll wait a bit for some votes choosing one of them.
--
Regards
Michael Calmer
So, after some discussions, the current implementation looks like this:

credential file locations:
- global credential file: /etc/zypp/credentials.cat, 640(?)
- user credential file: ~/.zypp/credentials.cat, 600
- custom credential file dir: /etc/zypp/credentials.d; the files will have 640 permissions(?)

when adding repos, credentials can be specified in the URL:
- as username:password (http://username:password@foo.org); this will be saved in the global file (or should we ask the user?)
- as the ?credentials=credfile parameter (http://foo.org?credentials=credfile)
  filepath:
  - /absolute/path/credfile: this particular file will be read
  - credfile: $ZYPP_CRED_DIR/credfile will be read
  - path/credfile: $ZYPP_CRED_DIR/credfile will be read (the leading path will be ignored)
  where ZYPP_CRED_DIR=/etc/zypp/credentials.d by default

TODOs (next week probably)
- make the file locations configurable via zypp.conf
- add UI callbacks and implement methods for getting the credentials using these callbacks to ask the user to provide the creds and where to save them
- if the ?credentials file does not exist, call back to the user to provide them and save them in the file
- more comments in CredentialManager.h

--
cheers,
jano
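The three filepath rules in this final summary, together with the permission discussion earlier in the thread (world-readable credential files are bad; 600 for the user's file, 640 for files in the credentials dir), as an added Python example. This is not libzypp code and not Jan's implementation: ZYPP_CRED_DIR, the file-name rules and the username=/password= format come from the thread, while the function names, the exact permission policy (reject any mode bit outside the allowed maximum) and the demo files are my assumptions.

```python
"""Added example, not libzypp code: resolve the ?credentials= parameter of a
repo URL to a file as summarised in the thread, enforce a maximum file mode,
and read the single username=/password= pair.  The demo scenario is constructed."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Default location of custom credential files, ZYPP_CRED_DIR in the thread.
DEFAULT_CRED_DIR = Path("/etc/zypp/credentials.d")


def resolve_credential_file(repo_url: str,
                            cred_dir: Path = DEFAULT_CRED_DIR) -> Optional[Path]:
    """Apply the three filepath rules for ?credentials=:
      /absolute/path/credfile -> that file
      credfile                -> $ZYPP_CRED_DIR/credfile
      path/credfile           -> $ZYPP_CRED_DIR/credfile (leading path ignored)
    Returns None when the URL carries no credentials parameter."""
    values = parse_qs(urlsplit(repo_url).query).get("credentials")
    if not values:
        return None
    name = values[0]
    if name.startswith("/"):
        return Path(name)
    # Dropping the leading path also means '../x' cannot escape cred_dir.
    base = os.path.basename(name.rstrip("/"))
    if base in ("", ".", ".."):
        raise ValueError(f"unusable credentials file name: {name!r}")
    return cred_dir / base


def read_credential_file(path: Path, max_mode: int = 0o640) -> Tuple[str, str]:
    """Refuse files whose mode has any bit outside max_mode (0o640 for files in
    the credentials dir, 0o600 for ~/.zypp), then parse exactly one
    username= and one password= line; anything else is an error, matching
    the "one pair, nothing else" rule from the thread."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & ~max_mode:
        raise PermissionError(f"{path}: mode {mode:04o} wider than {max_mode:04o}")
    found: Dict[str, str] = {}
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # password may itself contain '='
        key = key.strip().lower()
        if not sep or key not in ("username", "password") or key in found:
            raise ValueError(f"{path}: unexpected or duplicate line {raw!r}")
        found[key] = value.strip()
    if set(found) != {"username", "password"}:
        raise ValueError(f"{path}: must contain one username= and one password= line")
    return found["username"], found["password"]


def demo() -> dict:
    """Constructed scenario in a temporary ZYPP_CRED_DIR: one file with mode
    0640 and one world-readable file, exercised through the three URL forms."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_dir = Path(tmp)
        good = cred_dir / "mycredential"
        good.write_text("username=alice\npassword=s3cr@t\n")
        good.chmod(0o640)
        leaky = cred_dir / "leaky"
        leaky.write_text("username=bob\npassword=pw\n")
        leaky.chmod(0o644)

        out = {
            "bare": resolve_credential_file("http://foo.org?credentials=mycredential", cred_dir),
            "with_path": resolve_credential_file("http://foo.org?credentials=../etc/mycredential", cred_dir),
            "absolute": resolve_credential_file(f"http://foo.org?credentials={good}", cred_dir),
            "none": resolve_credential_file("http://foo.org/repo", cred_dir),
        }
        out["creds"] = read_credential_file(out["bare"])
        try:
            read_credential_file(leaky)
            out["leaky_rejected"] = False
        except PermissionError:
            out["leaky_rejected"] = True
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth checking against the design: the absolute-path form reads whatever file the repo URL names, so the mode check is the only thing standing between a loosely protected file and the media backend; and because the bare-name and path/name forms both collapse to $ZYPP_CRED_DIR/<basename>, a relative name can never point outside the credentials directory.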
participants (3): Jan Kupec, Michael Andres, Michael Calmer