Re: no password gnome-keyring tip (OT)

From: "Eli Criffield" <elicriffield gmail com>
To: "Jon Nettleton" <jon nettleton gmail com>
Cc: networkmanager-list gnome org
Subject: Re: no password gnome-keyring tip (OT)
Date: Sat, 15 Apr 2006 22:32:40 -0500
I wasn't going to reply but i think you missed an important point in my email.

The _only_ password in my gnome-keyring is my wpa network password.
Most people don't even have an encrypted wlan, and every other OS
doesn't store the wpa password encrypted.

Actually Linux doesn't either _unless_ you are using NetworkManager.

In my case, and many others, having a script unlock gnome-keychain is
the same as having the wpa password in plain text somewhere on the
disk (encrypted disk when the laptop is off and in transport), Just
like every other OS, just like every other implantation of wpa for
Linux. And why not, unless you are within 100 feet of my house Its not
all that useful, and even then feel free to barrow my bandwidth and
sniff my irc chats if its worth that much effort.

Eli

On 4/15/06, Jon Nettleton <jon nettleton gmail com> wrote:
> No offense, but this is the worst, most insecure solution I have ever
> had to respond to.  To save yourself some time... you just want to have
> people put their password in a shell script in clear text.
>
> I am sorry that the "cutting edge" Ubuntu desktop is still relying on a
> two year old PAM implementation.  I used the newest pam libraries
> because it provided me with functions and functionality that I needed to
> guarantee that pam_keyring was as secure as possible.
>
> Please don't post public work-arounds that implement saving clear text
> passwords in scripts. We are really trying our best to keep linux secure
> and convenient.  Some people might implement this without the knowledge
> to know how insecure this practice is.
>
> To address your problem here are my suggestions.
>
> 1)  unencrypt drive, obviously this has to be done at the bios or
> bootloader level, can't help you there.
> 2)  gdm, this is the session login
> 3)  ssh-add, this can be accomplished by using pam_ssh to use your pam
> password to unencrypt your private key and add it to your ssh-agent
> 4)  pam-keyring, given the limitations above, if you meet the
> requirements it can also unlock a single gnome password keying at login
> using your pam supplied password
> 5)  firefox passwords I have no solution for yet.  I have been thinking
> about writing a patch so all mozilla based code can use gnome-keyring to
> store their authentication data.
> 6)  For your samba mounts you can use gnome-vfs which can be unlocked at
> login with pam_keying, or you can use pam_mount from
> http://pam-mount.sourceforge.net/ .  I don't know too much about it, but
> it was originally written by Mike Petullo, who also started pam_keyring
> so I assume it works well.
>
> That gets you down to 3 passwords to get you working and all are secure
> without anything hanging out in the cleartext.  I am sorry Ubuntu is
> lagging behind in their PAM implementation, however I feel that is
> something their distro needs to step up and do, not something that the
> opensource community needs to cater to.
>
> Jon
>
>
> On Fri, 2006-04-14 at 22:52 -0500, Eli Criffield wrote:
> > Sorry for the slightly off topic post, but there is no gnome-keyring
> > mailing list right?
> >
> > I'm trying to pare down the number of passwords it takes to get my
> > laptop into a fully functional state. I currently have to enter 6
> > password prompts before I'm ready to start working.
> > 1. password for disk encryption
> > 2. gdm login/password
> > 3. ssh-add
> > 4. gnome-keyring for wpa
> > 5. firefox keymanager
> > 6. samba mounts
> >
> > Well i figured out how to get gnome-keyring to unlock automaticly on
> > login without having to upgrade pam.
> > Get pam_keyring-0.0.7.tar.gz,
> > http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.7.tar.gz
> > install the rpm or compile it. Really you only need pam-keyring-tool,
> > the rest didn't compile for me because ubuntu dapper has pam .7
> >
> > tar zxvf pam_keyring-0.0.7.tar.gz
> > cd pam_keyring-0.0.7
> > make pam-keyring-tool
> > cp pam-keyring-tool ~/bin/
> >
> > then make a script like this
> > #!/bin/bash
> > PATH=$PATH:$HOME/bin
> > echo mypassword | pam-keyring-tool -u -s
> >
> > put that in your "sessions"
> > System->Preferences->Sessions
> > Startup Programs tab
> > Add
> > enter the script you just made
> >
> > Logout, log back in, one less password prompt.
> >
> > I don't store anything but my wpa key in my gnome-keyring and i don't
> > use the password for gnome-keychain anywhere else so i'm not worried
> > about having the password for the keyring on disk.
> >
> > Eli Criffield
> > _______________________________________________
> > NetworkManager-list mailing list
> > NetworkManager-list gnome org
> > http://mail.gnome.org/mailman/listinfo/networkmanager-list
>
>
References:
- no password gnome-keyring tip (OT)
  - From: Eli Criffield
- Re: no password gnome-keyring tip (OT)
  - From: Jon Nettleton
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]