Re: Request for comments: GNOME Keychain



Hi,

We are in particular looking at the HTTP proxy password storing
mechanism in GNOME. This is configurable via the network preferences capplet
and is stored in GConf.

This is later extracted by gnome-vfs for applications (nautilus,
gweather and stockticker) to connect to the server.

We need to do two things: save the password in a secure way on disk and
provide an option for prompting for the password once per session.

The password saving can be done using the GNOME keychain
framework.

- Remove the password from GConf at the network capplet end. Use the new
keychain APIs to store it in the keychain. Decide on an unlocking mechanism (e.g.
use the easiest: login-unlock).

- At the gnome-vfs http-method end, extract it from the keychain and use
it. There will be an API for extraction.

I guess the Gnome Keychain framework can also be used for the prompting
option. That would require handling a service specific session-only
keychain.

Regards,
Hema. 

Mikael Hallendal wrote:
> 
> Hi!
> 
> A while back I started looking at implementing something similar to the
> Keychain Manager used in Mac OS X. Documentation at:
> http://developer.apple.com/techpubs/macosx/Carbon/securityservices/keychainmanager/keychainmanager.html
> 
> Today Hema Seetharamaiah from Wipro asked me for progress, mentioning
> that they were going to start working on something similar. So I wanted
> to post a mail about what I was planning and ask for feedback (and
> possibly others that might be interested in helping out).
> 
> I was planning to write it with an architecture similar to GConf: a
> daemon managing the keychains and a client C API which would be used by
> the applications to retrieve the key items.
> 
> The daemon will be started when first needed (we might want to have the
> default keychain unlocked at login time and the daemon would then start
> running at login) until session ends.
> 
> What will happen when an application needs access to a certain keychain
> item? Say Nautilus needs access to http://my.site.com/webdav so that it
> can put a file there:
> 
> 1) Nautilus notices that http://my.site.com/webdav needs a
>    username/password for write access.
> 
> 2) It asks the GNOME keychain daemon (through the client API) for the
>    keychain item for write access to http://my.site.com/webdav.
> 
> 3) The keychain daemon looks in its unlocked keychains (if we have
>    support for multiple keychains).
> 
> 4a) If the item is found it checks if Nautilus has access to get it.
> 
>  4a.1) If Nautilus has access it returns the keychain item to Nautilus
>        where it can be used. The user wouldn't know that Nautilus
>        retrieved the information from the keychain daemon.
> 
>  4a.2) If Nautilus doesn't have access a dialog is shown to the user
>        asking the user if Nautilus is allowed access. With the text
>        similar to "Nautilus asks for access to your key MyWebdav in
>        keychain Default, should it be granted Yes/No". The user can also
>        make sure that Nautilus is always allowed access to this key.
> 
> 4b) If the key is not found in any of the unlocked keychains, the
>     keychain daemon looks in the locked keychains.
> 
>  4b.1) If found, the user is presented with a dialog asking the user to
>        unlock the keychain. Something like: "Nautilus needs access to
>        key MyWebdav which is stored in locked keychain MySecureChain. If
>        you want to grant access to Nautilus you need to unlock the
>        keychain by giving your password." The item is then given to
>        Nautilus.
> 
>  4b.2) If not found, the item is not stored in any keychain. The user is
>        shown a dialog where he can enter the needed information. He can
>        then choose to store it in his default keychain or just store it
>        in a session-only keychain (in which case it will never be
>        written to disk).
> 
> A tool for managing the keychains, like remove keychain items, move an
> item from one keychain to another, ..., needs to be written too.
> 
> These are just initial thoughts, what do you think?
> 
> Regards,
>   Mikael Hallendal
> 
> --
> Mikael Hallendal                micke codefactory se
> CodeFactory AB                  http://www.codefactory.se/
> Office: +46 (0)8 587 583 05     Cell: +46 (0)709 718 918
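The lookup flow in steps 1 to 4b.2 of Mikael's mail, modelled as an added example; this is not code from the thread or from GNOME. Keychain, item and application names are constructed, and the per-application access check is simplified to an "always allow" set on each item.

```python
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    GRANTED = "granted"        # 4a.1: item handed out, no dialog shown
    ASK_ACCESS = "ask_access"  # 4a.2: ask the user whether this app may read the item
    ASK_UNLOCK = "ask_unlock"  # 4b.1: ask the user to unlock the keychain first
    NOT_FOUND = "not_found"    # 4b.2: ask the user for the data and where to store it

@dataclass
class Item:
    secret: str
    allowed_apps: set = field(default_factory=set)  # apps the user marked "always allow"

@dataclass
class Keychain:
    name: str
    locked: bool = False
    session_only: bool = False                 # never written to disk (4b.2)
    items: dict = field(default_factory=dict)  # (url, access) -> Item

class KeychainDaemon:
    def __init__(self, keychains):
        self.keychains = keychains

    def lookup(self, app, url, access):
        """Return (outcome, secret or None, keychain name or None) for one request."""
        key = (url, access)
        for kc in self.keychains:                   # step 3: unlocked keychains first
            if not kc.locked and key in kc.items:
                item = kc.items[key]
                if app in item.allowed_apps:        # 4a.1: silently return the item
                    return Outcome.GRANTED, item.secret, kc.name
                return Outcome.ASK_ACCESS, None, kc.name  # 4a.2: secret stays in the daemon
        for kc in self.keychains:                   # 4b: fall back to locked keychains
            if kc.locked and key in kc.items:
                return Outcome.ASK_UNLOCK, None, kc.name  # 4b.1: needs the user's password
        return Outcome.NOT_FOUND, None, None        # 4b.2: nothing stored anywhere

    def persist(self):
        """Keychains that would be flushed to disk; session-only ones are skipped."""
        return [kc.name for kc in self.keychains if not kc.session_only]

# Constructed sample state: Default unlocked, MySecureChain locked, Session in memory only.
daemon = KeychainDaemon([
    Keychain("Default", items={("http://my.site.com/webdav", "write"): Item("s3cret", {"nautilus"})}),
    Keychain("MySecureChain", locked=True, items={("http://proxy.example.invalid:8080", "proxy"): Item("pr0xy")}),
    Keychain("Session", session_only=True),
])
```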
