Re: [PATCH] Saving only the group password in keyring



On Tue, 2008-10-21 at 23:53 -0400, Mathieu Trudel-Lapierre wrote:
> Dan,
> 
> I finally got something together, following some of the ideas you
> pointed out. I've also done a slight change to the auth dialog to not
> show the passwords that are already known in the keyring, unless it's
> in a "reprompt" situation (although I haven't been able to test it
> without manually calling nm-vpnc-auth-dialog...), and to always prompt
> for a password that is marked as "otp" although it may already be
> saved in the keyring.
> 
> It's a pretty crude patch, I realize it will need some rework, but if
> someone could test it out and let me know what parts to look at.. :)
> 
> Right now, I really don't think the "unused" cases work properly, but
> I'm still looking into it -- I just don't have an easy way to test
> that case.

Fixed up and committed, thanks!

Dan

> Patch is attached, one gzipped file and one .patch:
> 
> 01-password-types.patch.gz
> 01-vpnc-auth-password-types.patch
> 
> / Matt
> 
> On Sun, Oct 12, 2008 at 10:04 PM, Dan Williams <dcbw redhat com> wrote:
> > On Sat, 2008-10-11 at 11:22 -0400, Mathieu Trudel-Lapierre wrote:
> >> Dan,
> >>
> >> Actually one other little question. How much use do you think there is
> >> for this kind of feature? Do you regularly hear about this, or is it
> >> more a user here and there?
> >
> > There are open bug reports for both of these and I've heard about
> > interactive auth mode and hybrid auth support from a number of people.
> > It was certainly on my list to do when I had the time.  But hey, if
> > patches show up first... :)
> >
> > Dan
> >
> >> / Matt
> >>
> >> On Thu, Oct 9, 2008 at 12:05 PM, Dan Williams <dcbw redhat com> wrote:
> >> > On Thu, 2008-10-09 at 09:15 -0400, Mathieu Trudel-Lapierre wrote:
> >> >> Hi,
> >> >>
> >> >> First, my apologies for pushing for this, since I believe the
> >> >> interested parties are probably already notified through bugzilla on
> >> >> this...
> >> >
> >> > So the reason this didn't get merged in the first place is that when
> >> > this is used, the auth dialog looks like ass.  Having _3_ buttons there
> >> > has confused every user I've ever seen, and makes me read things a few
> >> > times whenever I get the dialog.  It's just bad UI.  Plus, it's not
> >> > something you can change in the connection editor out-of-band from
> >> > authentication.  That's not to say it doesn't fill a need and fix the
> >> > bug, but the solution is not one I'd like to have upstream.
> >> >
> >> > Instead, we need a better solution.  We have two passwords, the user
> >> > password and the group password.  Each password has 3 different types:
> >> >
> >> >                   u s e r
> >> >           |  static  |  unused  | OTP
> >> >   --------|----------|----------|------
> >> > g  static |     Y    |    Y     |  Y
> >> > r --------|----------|----------|------
> >> > o  unused |     Y    |    X     |  ?
> >> > u --------|----------|----------|------
> >> > p  OTP    |     Y    |    Y     |  ?
> >> >   --------|----------|----------|------
> >> >
> >> >    Legend:
> >> >      Y = I've heard of it being used
> >> >      X = Pointless
> >> >      ? = I don't know if this is used by anyone
> >> >
> >> > The cases where you don't want to save passwords in the keyring are the
> >> > OTP/RSA and the "unused" cases.
> >> >
> >> > Here's my solution: for each of the group and user password entries,
> >> > have a small popup menu behind each one in the main config dialog like
> >> > so:
> >> >
> >> >                  .------------------------.  .------------.
> >> >   User Password: | i4mvrl1337&^%          |  | Default  |V|
> >> >                  `------------------------'  `------------'
> >> >                  .------------------------.  .------------.
> >> >  Group Password: | my-GrOuP-PassWORD      |  | Default  |V|
> >> >                  `------------------------'  `------------'
> >> >
> >> > Where the combo box has the following items:
> >> >
> >> >   Default     (ie, static password that rarely changes)
> >> >   Interactive (ie, RSA dongles)
> >> >   Unused      (ie, no password required and nothing saved to keyring)
> >> >
> >> > It always defaults to "Default" (ie, static) so most people's configs
> >> > will work, but you have the option to change it for your config.
> >> >
> >> > Note that Interactive authentication can't be used yet anyway because we
> >> > don't support challenge-based authentication that it requires, which
> >> > will come after 0.7 when I can rework the VPN cleanup patch I've talked
> >> > about before, and will require
> >> >
> >> > If somebody came up with the UI patch to do this, that would be awesome
> >> > and I'd commit it.  It would additionally mean adding two keys to the
> >> > vpnc plugin's GConf data (user-password-type and group-password-type)
> >> > which would then have to be added to the nm-vpnc-service's validation
> >> > code and used internally if required, but that's pretty easy.  These
> >> > keys would store the password type (as a string) so that the auth dialog
> >> > would know when to save which passwords and which password entry widgets
> >> > to disable/desensitize when the user had selected "unused".
> >> >
> >> > Thoughts?
> >> >
> >> > Next, we get to add authentication types to the client to support Hybrid
> >> > Auth mode.  Not sure if you can use all the normal Xauth stuff (like
> >> > interactive) with the hybrid auth mode as well, but I have to assume you
> >> > can.
> >> >
> >> > Dan
> >> >
> >> >
> >>
> >>
> >>
> >
> >
> 
> 
> 
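The keyring policy discussed in this thread (save static passwords, always prompt for OTP, touch nothing for "unused"), sketched as an added example that is not part of the original messages or the committed patch. The stored type strings ("default", "interactive", "unused") and all type and function names are assumptions; only the key names user-password-type and group-password-type come from the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { PW_DEFAULT, PW_INTERACTIVE, PW_UNUSED, PW_INVALID } PwType;

typedef struct {
    bool prompt;       /* show a sensitive entry and ask the user now */
    bool use_keyring;  /* reuse the saved secret without showing it */
    bool save;         /* allowed to write the secret to the keyring */
} PwPolicy;

/* Parse a user-password-type / group-password-type value (strings assumed).
 * A missing key means Default; unknown strings are invalid, not static. */
PwType pw_type_parse(const char *s)
{
    if (s == NULL || strcmp(s, "default") == 0) return PW_DEFAULT;
    if (strcmp(s, "interactive") == 0) return PW_INTERACTIVE;
    if (strcmp(s, "unused") == 0) return PW_UNUSED;
    return PW_INVALID;
}

/* Decide what the auth dialog does for one password entry. */
PwPolicy pw_policy(PwType type, bool in_keyring, bool reprompt)
{
    PwPolicy p = { false, false, false };
    switch (type) {
    case PW_DEFAULT:      /* static: save it, ask only if missing or rejected */
        p.save = true;
        p.prompt = reprompt || !in_keyring;
        p.use_keyring = !p.prompt;
        break;
    case PW_INTERACTIVE:  /* OTP: always ask, never read or write the keyring */
        p.prompt = true;
        break;
    case PW_UNUSED:       /* entry desensitized, nothing saved */
    case PW_INVALID:      /* caller should reject the connection */
        break;
    }
    return p;
}

int main(void)
{
    PwPolicy u = pw_policy(pw_type_parse("interactive"), true, false);
    PwPolicy g = pw_policy(pw_type_parse(NULL), true, false);
    printf("user prompt=%d save=%d, group prompt=%d save=%d\n", u.prompt, u.save, g.prompt, g.save);
    return 0;
}
```

The `main` covers the case in the subject line: an OTP user password that is always prompted for and never saved, next to a static group password that is read from the keyring.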


