Re: no password gnome-keyring tip (OT)
No offense, but this is the worst, most insecure solution I have ever
had to respond to.  To save yourself some time... you just want to have
people put their password in a shell script in clear text.

I am sorry that the "cutting edge" Ubuntu desktop is still relying on a
two-year-old PAM implementation.  I used the newest pam libraries
because it provided me with functions and functionality that I needed to
guarantee that pam_keyring was as secure as possible.

Please don't post public work-arounds that implement saving clear text
passwords in scripts. We are really trying our best to keep Linux secure
and convenient.  Some people might implement this without the knowledge
to know how insecure this practice is.

To address your problem here are my suggestions.

1)  unencrypt drive, obviously this has to be done at the bios or
bootloader level, can't help you there.
2)  gdm, this is the session login
3)  ssh-add, this can be accomplished by using pam_ssh to use your pam
password to unencrypt your private key and add it to your ssh-agent
4)  pam-keyring, given the limitations above, if you meet the
requirements it can also unlock a single gnome password keyring at login
using your pam supplied password
5)  firefox passwords I have no solution for yet.  I have been thinking
about writing a patch so all mozilla based code can use gnome-keyring to
store their authentication data.
6)  For your samba mounts you can use gnome-vfs which can be unlocked at
login with pam_keyring, or you can use pam_mount from
http://pam-mount.sourceforge.net/ .  I don't know too much about it, but
it was originally written by Mike Petullo, who also started pam_keyring
so I assume it works well.

That gets you down to 3 passwords to get you working and all are secure
without anything hanging out in the cleartext.  I am sorry Ubuntu is
lagging behind in their PAM implementation, however I feel that is
something their distro needs to step up and do, not something that the
open source community needs to cater to.

Jon


On Fri, 2006-04-14 at 22:52 -0500, Eli Criffield wrote:
> Sorry for the slightly off topic post, but there is no gnome-keyring
> mailing list right?
> 
> I'm trying to pare down the number of passwords it takes to get my
> laptop into a fully functional state. I currently have to enter 6
> password prompts before I'm ready to start working.
> 1. password for disk encryption
> 2. gdm login/password
> 3. ssh-add
> 4. gnome-keyring for wpa
> 5. firefox keymanager
> 6. samba mounts
> 
> Well I figured out how to get gnome-keyring to unlock automatically on
> login without having to upgrade pam.
> Get pam_keyring-0.0.7.tar.gz, 
> http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.7.tar.gz
> install the rpm or compile it. Really you only need pam-keyring-tool,
> the rest didn't compile for me because Ubuntu Dapper has pam .7
> 
> tar zxvf pam_keyring-0.0.7.tar.gz
> cd pam_keyring-0.0.7
> make pam-keyring-tool
> cp pam-keyring-tool ~/bin/
> 
> then make a script like this
> #!/bin/bash
> PATH=$PATH:$HOME/bin
> echo mypassword | pam-keyring-tool -u -s
> 
> put that in your "sessions"
> System->Preferences->Sessions
> Startup Programs tab
> Add
> enter the script you just made
> 
> Logout, log back in, one less password prompt.
> 
> I don't store anything but my wpa key in my gnome-keyring and I don't
> use the password for gnome-keychain anywhere else so I'm not worried
> about having the password for the keyring on disk.
> 
> Eli Criffield
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list