KDE Utils/kwallet/FeaturePlan42: Difference between revisions

From KDE Community Wiki
(New page: == General ideas == === Single signon === The user shouldn't have to enter his password twice (once for logging in, once for opening the default wallet). The main problem is that the wal...)
 
m (11 revisions imported: imported from techbase)
 
(10 intermediate revisions by 5 users not shown)
Line 1: Line 1:
== General ideas ==
== General ideas ==


Line 6: Line 8:


Gnome keyring provide a [http://live.gnome.org/GnomeKeyring/Pam hack] (is it?) for this:
Gnome keyring provide a [http://live.gnome.org/GnomeKeyring/Pam hack] (is it?) for this:
{{Box|How it works|
{{Info|2=How it works|
Upon authenticating the user, or logging into the session, the PAM module checks for the GNOME_KEYRING_SOCKET environment variable. If not present it assumes that gnome-keyring-daemon is not running for that session.
Upon authenticating the user, or logging into the session, the PAM module checks for the GNOME_KEYRING_SOCKET environment variable. If not present it assumes that gnome-keyring-daemon is not running for that session.
*If the auto_start argument is present in in the PAM config, it then starts it as a daemon.
*If the auto_start argument is present in in the PAM config, it then starts it as a daemon.
Line 32: Line 34:
=== Make sure passwords are saved ===
=== Make sure passwords are saved ===


This relates to Bug {{Bug|105752}}. We should come up with a way to store passwords before a session crashes. Of course shouldn't disturb the user (which is why I ([[User:Lemma|Lemma]]) don't like the timed solution proposed by a comment in this report). Complete rewrites of the kwl file should happen at points in time when the user is used to waiting (ie. opening the wallet after a crash, saving the session).
<s>This relates to Bug {{Bug|105752}}. We should come up with a way to store passwords before a session crashes. Of course shouldn't disturb the user (which is why I ([[User:Lemma|Lemma]]) don't like the timed solution proposed by a comment in this report). Complete rewrites of the kwl file should happen at points in time when the user is used to waiting (ie. opening the wallet after a crash, saving the session).


General idea: On adding new passwords, append the encrypted password entries to the kwl file without rewriting it completely. If the session crashes the passwords are still here. The kwl file could be cleaned up upon reopening the wallet. As far as I know this might work. We'll see.
General idea: On adding new passwords, append the encrypted password entries to the kwl file without rewriting it completely. If the session crashes the passwords are still here. The kwl file could be cleaned up upon reopening the wallet. As far as I know this might work. We'll see.</s>


This is already fixed and will be in 4.1. Benchmarking showed that syncing the wallet on every change (with a very small timer) is feasible.
=== Use QCA ===
Currently kwallet uses its own implementations of MD5, SHA-1 and Blowfish to encrypt the wallet. While SHA-1 is probably still safe enough it might not be in the future. Therefore switching to an external library to handle encryption will not only simplify the code but also provide more choices for hashing/encryption algorithms.
=== Save more information ===
This hasn't been talked about yet, but I'd like to additionally store the date of creation and the date of modification for a wallet entry. No API changes are needed for that as all the work could be done by the backend transparently. One thing that would require an API change is commenting on the entries. This could be used to make obscure entries (like the ones by kmail) more transparent to the user.


=== Overhaul the interface ===
=== Overhaul the interface ===
Line 45: Line 56:
* Using model/view classes
* Using model/view classes
* Improving usability (have a look at various bugreports concerning that)
* Improving usability (have a look at various bugreports concerning that)
* The current gui only provides basic undo support (you can only undo changes to a password/map that hasn't been saved yet). I think we could improve on that - it has to be "secure enough" though as I don't like the idea of having passwords stick around everywhere in memory.
* Maybe choose a one-window solution instead of the current two-window solution
* Maybe choose a one-window solution instead of the current two-window solution
* No need to reinvent the wheel, learn from what others have done, eg:
* No need to reinvent the wheel, learn from what others have done, eg:
** [http://en.wikipedia.org/wiki/Image:Keychainaccess.png]
** [http://en.wikipedia.org/wiki/Image:Keychainaccess.png Apple Keychain]
 
 
=== Access Granularity Management ===
KWallet provides all or nothing access to the password store. This is a security problem, because it enables application A in principle to access keys of application b.
 
Possible solutions:
* Ownership model (application can only read values it has created). Here the problem of how to identify applications arises.
* If application wants to access data it has not created, the user is presented with the precise keys the application wants to read and can make an informed decision.
* Possibly rights management for keys is required. (For example, to allow the user to configure that subversion and subclipse both can read/write the SVN password).

Latest revision as of 10:27, 15 April 2016


General ideas

Single signon

The user shouldn't have to enter his password twice (once for logging in, once for opening the default wallet). The main problem is that the wallet will still have to be password protected, so we need a way to transmit the password to the daemon.

Gnome keyring provide a hack (is it?) for this:

500px

Upon authenticating the user, or logging into the session, the PAM module checks for the GNOME_KEYRING_SOCKET environment variable. If not present it assumes that gnome-keyring-daemon is not running for that session.
  • If the auto_start argument is present in in the PAM config, it then starts it as a daemon.
  • The gnome-session process does the same checks, which prevents it from starting twice.

Upon authenticating the user, the PAM module tries to unlock the 'login' keyring with the password entered by the user.

  • If the 'login' keyring does not exist it is created with the user's password.
  • If the 'login' is the first and only keyring it will become the default keyring.


We could basically do something quite similar to this for kwallet:

  • Extract the kwalletd to run standalone.
  • Adapt/rewrite the gnome mini-pam module to start kwalletd and pipe the password to it using some sort of socket.
  • This would probably have to be optional (default policy might be to NOT enable it and let the user choose the level of security he wants).
  • It's important to consider security implications.

Sascha Peilicke will look into this matters and come up with a plan. This is a core issue so we'll have to discuss it on kcd.


Inter-desktop integration

Sascha proposed making kwallet/keyring cross-desktop so the user would need only a single authentication backend running. For this to work we'd either need a single API and multiple implementations or a common backend implementation - probably something for freedesktop.org. Coordinating that would take a hell lot of time so this is more or less a long-term goal. In the process we have to consider binary API compatibility.

It would also be nice to have software not tied to a desktop use this (ie. Firefox).


Make sure passwords are saved

This relates to Bug Bug #105752. We should come up with a way to store passwords before a session crashes. Of course shouldn't disturb the user (which is why I (Lemma) don't like the timed solution proposed by a comment in this report). Complete rewrites of the kwl file should happen at points in time when the user is used to waiting (ie. opening the wallet after a crash, saving the session).

General idea: On adding new passwords, append the encrypted password entries to the kwl file without rewriting it completely. If the session crashes the passwords are still here. The kwl file could be cleaned up upon reopening the wallet. As far as I know this might work. We'll see.

This is already fixed and will be in 4.1. Benchmarking showed that syncing the wallet on every change (with a very small timer) is feasible.

Use QCA

Currently kwallet uses its own implementations of MD5, SHA-1 and Blowfish to encrypt the wallet. While SHA-1 is probably still safe enough it might not be in the future. Therefore switching to an external library to handle encryption will not only simplify the code but also provide more choices for hashing/encryption algorithms.

Save more information

This hasn't been talked about yet, but I'd like to additionally store the date of creation and the date of modification for a wallet entry. No API changes are needed for that as all the work could be done by the backend transparently. One thing that would require an API change is commenting on the entries. This could be used to make obscure entries (like the ones by kmail) more transparent to the user.

Overhaul the interface

The interface will have to be reworked. We were talking about:

  • Overall goal:
    • Make the manager a little shinier and a breeze to use
    • Make it a program that eases managing personal account data rather than an editor for account data stored by various programs (yes, I know it already is, but the emphasis is on EASES :-)).
  • Using model/view classes
  • Improving usability (have a look at various bugreports concerning that)
  • The current gui only provides basic undo support (you can only undo changes to a password/map that hasn't been saved yet). I think we could improve on that - it has to be "secure enough" though as I don't like the idea of having passwords stick around everywhere in memory.
  • Maybe choose a one-window solution instead of the current two-window solution
  • No need to reinvent the wheel, learn from what others have done, eg:


Access Granularity Management

KWallet provides all or nothing access to the password store. This is a security problem, because it enables application A in principle to access keys of application b.

Possible solutions:

  • Ownership model (application can only read values it has created). Here the problem of how to identify applications arises.
  • If application wants to access data it has not created, the user is presented with the precise keys the application wants to read and can make an informed decision.
  • Possibly rights management for keys is required. (For example, to allow the user to configure that subversion and subclipse both can read/write the SVN password).