[opensuse-buildservice] Using keyring for storing passwords

Hi all

as I really don't like idea of storing clear text passwords, I hacked support for GNOME Keyring in osc (see attached patch). If keyring is available, login credentials are stored and read from keyring and it stores them in a secure way. Is there a chance to get such change merged?

--
Michal Čihař | http://cihar.com | http://blog.cihar.com

Hi,

On 2008-12-04 10:56:51 +0100, Michal Čihař wrote:
> Hi all
>
> as I really don't like idea of storing clear text passwords, I hacked support for GNOME Keyring in osc (see attached patch). If keyring is available, login credentials are stored and read from keyring and it stores them in a secure way. Is there a chance to get such change merged?

First thanks for your patch but I'm a bit hesitant to add a gnome dependency to osc (although it's optional). What about if we simply store the password base64 encoded in the ~/.oscrc file? Wouldn't this be sufficient?

Marcus
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

On 12/4/2008 at 12:54 PM, Marcus Hüwe <suse-tux@gmx.de> wrote:
> First thanks for your patch but I'm a bit hesitant to add a gnome dependency to osc (although it's optional). What about if we simply store the password base64 encoded in the ~/.oscrc file? Wouldn't this be sufficient?

BASE64 is as good as no encryption at all. Trying to obfuscate has nothing to do with securing anything.

The patch looks like it takes quite nicely care of skipping in case it's not available... maybe it can be extended with a configure parameter, if it should try to be used at all: use-gkm: 1 in ~/.oscrc

Dominique

Hi

On Thu, 4 Dec 2008 12:54:03 +0100 Marcus Hüwe <suse-tux@gmx.de> wrote:
> First thanks for your patch but I'm a bit hesitant to add a gnome dependency to osc (although it's optional). What about if we simply store the password base64 encoded in the ~/.oscrc file? Wouldn't this be sufficient?

Do you seriously mean base64 as improvement to security?

What is wrong on optional dependency? If python-gnomekeyring is not found or is not working, osc still behaves same as without patch. Maybe there could be also configuration option to disable usage of keyring...

--
Michal Čihař | http://cihar.com | http://blog.cihar.com

On 2008-12-04 12:56:44 +0100, Dominique Leuenberger wrote:
> On 12/4/2008 at 12:54 PM, Marcus Hüwe <suse-tux@gmx.de> wrote:
>> First thanks for your patch but I'm a bit hesitant to add a gnome dependency to osc (although it's optional). What about if we simply store the password base64 encoded in the ~/.oscrc file? Wouldn't this be sufficient?
>
> BASE64 is as good as no encryption at all. Trying to obfuscate has nothing to do with securing anything.

Of course it has nothing to do with security but it prevents others from "stealing" one's password by just "looking over the shoulder". I thought this was his main concern.

> The patch looks like it takes quite nicely care of skipping in case it's not available... maybe it can be extended with a configure parameter, if it should try to be used at all: use-gkm: 1 in ~/.oscrc

Yes you're right the patch itself looks good.

Marcus

On Thursday 04 December 2008 13:15:54, Michal Čihař wrote:
> Hi
>
> What is wrong on optional dependency? If python-gnomekeyring is not found or is not working, osc still behaves same as without patch. Maybe there could be also configuration option to disable usage of keyring...

Add a config-option to disable it if needed. Then it's imho ready for inclusion.

Next steps would be:
a) what about kwalletmanager ?
b) what about password-encryption for osc itself ?

best regards,
Jan-Simon

On 12/4/2008 at 1:16 PM, Marcus Hüwe <suse-tux@gmx.de> wrote:
> On 2008-12-04 12:56:44 +0100, Dominique Leuenberger wrote:
>> On 12/4/2008 at 12:54 PM, Marcus Hüwe <suse-tux@gmx.de> wrote:
>>> First thanks for your patch but I'm a bit hesitant to add a gnome dependency to osc (although it's optional). What about if we simply store the password base64 encoded in the ~/.oscrc file? Wouldn't this be sufficient?
>>
>> BASE64 is as good as no encryption at all. Trying to obfuscate has nothing to do with securing anything.
>
> Of course it has nothing to do with security but it prevents others from "stealing" one's password by just "looking over the shoulder". I thought this was his main concern.

Pretty doubtful, as probably he's not editing the .oscrc that often ;) so just by looking over the shoulder, hardly any damage can be done. But maybe I interpreted more than there is... could be.

Dominique

Hi

On Thu, 4 Dec 2008 13:39:32 +0100 "Jan-Simon Möller" <dl9pf@gmx.de> wrote:
> On Thursday 04 December 2008 13:15:54, Michal Čihař wrote:
>> Hi
>>
>> What is wrong on optional dependency? If python-gnomekeyring is not found or is not working, osc still behaves same as without patch. Maybe there could be also configuration option to disable usage of keyring...
>
> Add a config-option to disable it if needed. Then it's imho ready for inclusion.

Okay, added config option and command line switch to disable it.

> Next steps would be:
> a) what about kwalletmanager ?

I have no idea how to use it, but in case it has also Python API, it can be integrated also quite easily.

> b) what about password-encryption for osc itself ?

That would ask you for password on every operation, what is not really comfortable.

--
Michal Čihař | http://cihar.com | http://blog.cihar.com
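
The trade-off debated in this thread, as an added example that is not part of the attached patch or of osc: a base64 value in an oscrc-style file is recovered with no key at all, while an optional keyring is preferred when present and skipped cleanly when it is missing or disabled. The option names `pass`, `passb64` and `use_keyring`, the `FakeKeyring` stand-in and the sample file are assumptions made for illustration.

```python
import base64
import configparser

SECTION = "https://api.example.org"   # constructed API URL
# Constructed oscrc-style sample; "passb64" and "use_keyring" are assumed names.
SAMPLE_OSCRC = "[%s]\nuser = alice\npassb64 = aHVudGVyMg==\n" % SECTION

def parse(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def recover_base64_password(text, section=SECTION):
    """Reading the file is enough: base64 decoding involves no key."""
    return base64.b64decode(parse(text)[section]["passb64"]).decode()

class FakeKeyring:
    """In-memory stand-in for a desktop keyring binding (hypothetical)."""
    def __init__(self):
        self._items = {}
    def set_password(self, service, user, password):
        self._items[(service, user)] = password
    def get_password(self, service, user):
        return self._items.get((service, user))

def _keyring_enabled(cfg, section, keyring):
    # Skip cleanly when the binding is missing or the user switched it off.
    return keyring is not None and cfg.getboolean(section, "use_keyring", fallback=True)

def store_password(cfg, section, password, keyring=None):
    if _keyring_enabled(cfg, section, keyring):
        keyring.set_password(section, cfg[section]["user"], password)
        for key in ("pass", "passb64"):      # leave no copy in the file
            cfg.remove_option(section, key)
        return "keyring"
    cfg[section]["pass"] = password          # same behaviour as without a keyring
    return "config-file"

def load_password(cfg, section, keyring=None):
    if _keyring_enabled(cfg, section, keyring):
        found = keyring.get_password(section, cfg[section]["user"])
        if found is not None:
            return found
    return cfg.get(section, "pass", fallback=None)

if __name__ == "__main__":
    print(recover_base64_password(SAMPLE_OSCRC))      # decoded with no secret
    print(store_password(parse(SAMPLE_OSCRC), SECTION, "hunter2", FakeKeyring()))
    print(store_password(parse(SAMPLE_OSCRC), SECTION, "hunter2"))
```
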
participants (4)
- Dominique Leuenberger
- Jan-Simon Möller
- Marcus Hüwe
- Michal Čihař