Re: gnome-keyring Passwords freely available after login



I would like feedback from the list on the following plan. It's rather simplistic, but after all we are buying a small amount of security at the price of a small usability degradation.

- Enable this feature with a command-line flag, default On.
- Ask for the password exactly once per Seahorse session, the first time the user requests to show a password. In other words, if you had opened Seahorse and started viewing passwords, and you keep the app open and *then* leave the machine unlocked, tough.
- Use a normal GTK dialog (instead of something more interesting like Policy Kit).
- Ask for the login password, and use PAM to validate it.
- Only support simple passwords (rather than generic PAM interaction), meaning only one computer-to-user message and one user-to-computer response. If you have something more fancy, you can disable this feature.
- If authentication fails, the application continues as usual but passwords are not shown.

Thanks,
    Yaron

On 12/13/2010 07:16 PM, Stef Walter wrote:
On 12/13/2010 09:59 AM, Yaron Sheffer wrote:

Seahorse is available on many machines, and any snoop can come by and
view the passwords. What Karl is suggesting (I believe) is that the
Seahorse *application* should require the login (or keyring?) password
to be entered, even though as an application, it already has access to
the passwords.

I guess we could try that. The behavior wouldn't represent the security
of the system completely. But I guess we should find the right balance
between usability and security.

Do you have an implementation in mind? Would you be interested in
working on this idea? Implementing this isn't as trivial as it seems. In
any case, your work on this would be greatly appreciated by lots and
lots of people. Here is a relevant bug:

https://bugzilla.gnome.org/show_bug.cgi?id=627117

I agree with Karl that this would provide real security benefit, even
though a smarter attacker, or one who has more time, can install another
application and access the same secrets.

Yes, and we have to remember that we'll keep getting people coming in
here irritated about the fact that "it's trivial to use this or that
command" to see their passwords.

Cheers,

Stef
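
The "simple passwords only" PAM check from the plan at the top of this message, as an added example that is not part of the thread and is not Seahorse code. It uses Python ctypes against Linux-PAM; the `login` service name and the function names are assumptions, and the conversation answers exactly one hidden-input prompt and fails anything else.

```python
# Added example: single-prompt PAM password check via ctypes (Linux-PAM constants).
import ctypes
import ctypes.util
from ctypes import CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int, c_void_p

PAM_SUCCESS, PAM_PROMPT_ECHO_OFF, PAM_CONV_ERR = 0, 1, 19

class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]

CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]

libc = ctypes.CDLL(None)  # PAM frees the reply itself, so it must come from malloc
libc.calloc.restype, libc.calloc.argtypes = c_void_p, [ctypes.c_size_t] * 2
libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]

def make_simple_conv(password: bytes):
    """Conversation that answers exactly one hidden-input prompt, nothing else."""
    def conv(num_msg, msg, resp, _appdata):
        if num_msg != 1 or msg[0].contents.msg_style != PAM_PROMPT_ECHO_OFF:
            return PAM_CONV_ERR  # multi-step or non-password stacks are unsupported
        reply = ctypes.cast(libc.calloc(1, ctypes.sizeof(PamResponse)),
                            POINTER(PamResponse))
        reply[0].resp = libc.strdup(password)
        resp[0] = reply
        return PAM_SUCCESS
    return CONV_FUNC(conv)

def check_login_password(user: bytes, password: bytes, service: bytes = b"login") -> bool:
    """True only if PAM accepts the password; any failure means 'do not show'."""
    path = ctypes.util.find_library("pam")
    if path is None:
        return False
    pam = ctypes.CDLL(path)
    pam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    pam.pam_authenticate.argtypes = [c_void_p, c_int]
    pam.pam_end.argtypes = [c_void_p, c_int]
    conv, handle = PamConv(make_simple_conv(password), None), c_void_p()
    if pam.pam_start(service, user, byref(conv), byref(handle)) != PAM_SUCCESS:
        return False
    rc = pam.pam_authenticate(handle, 0)
    pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS
```

A PAM stack that sends an informational message or a second prompt makes the conversation return `PAM_CONV_ERR`, so authentication fails and passwords stay hidden, which matches the last item of the plan.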

