[PATCH] Make pinentry-qt read and store passphrases in KDE 3.2's wallet

Martijn Klingens klingens at kde.org
Wed Dec 3 22:56:47 CET 2003


On Wednesday 03 December 2003 21:49, Werner Koch wrote:
> What's wrong with plain ssh-agent - I use this for years even on the
> local network and it is definitely more convenient than Kerberos
> (ktelnet has quite some practical disadvantages)

Nothing, except that it asks for a password once per server per X session. 
It's exactly what I want at work btw (or like I'm doing now, neither the 
agent, nor the wallet), but at home I find this needlessly cumbersome. 
Especially since my box at home is off during the night, so I have an X 
session per day.

(Ideally I'd even distinguish between the SSH pass of my own server and those 
at work, storing only my own server's pass in the wallet.)

> > Actually, there's a difference between 'ssh -i /path/to/my.key me at server'
> > with a passwordless key and having an actual password in a wallet. The
> > latter is safe as long as the wallet is closed, the former is not.
>
> Please remember that the keys for ssh are managed by ssh-agent and
> usually there is not much point in using the -i option

You suggested a passwordless key. Which means that another user who has root 
(or access to your home) can use 'ssh -i ...' to do some club-hopping to 
other servers.

A pass inside the wallet however is still encrypted to even root. It doesn't 
help against root installing keyboard sniffers, but certainly makes it more 
difficult.

> > Well, is the only of the mentioned components that allows passing on
> > passwords securely without user intervention after the initial logon.
>
> So, for what do you need these passwords?  Are they really that
> valuable that you have to secure them the same way as a private key?

The valuable passes I have at home:
- My user pass
- My root pass
- My server's user pass
- My server's root pass
- My GPG pass
- My KWallet pass

I also have some work-related passes, notably the SSH key's pass, but I 
ideally want those grouped in a second wallet. My patch doesn't address this, 
nor do I think the rest of such a framework is there, but hey, I have to 
start somewhere :)

> Say, you have 3 admins with access to that routers.  All of them are
> using KWallet.  Within each wallet there are 20 different passwords,
> ranging from the router access one over the porn site one to the
> slashdot account.  They are all equally valuable?  And all of the
> admin will take the same precautions accessing slashdot as they would
> do with the router?  That is not a security policy I'd use.

You assume that the contents of the wallet are accessible to the outside 
world, which is not true. Or rather, they are not more accessible that what's 
stored in gpg-agent's memory or ssh-agent. Or kdesu's cached root passwords 
for that matter.

Still it would make sense to have two wallets, one for casual web sites and 
e.g. Kopete's instant messaging passes, and one for SSH, GPG and root passes. 
Or like I said, to use gpg-agent for storage and use KWallet only as frontend 
for the KDE apps.

Either way, the passes are stored *somewhere* and the aim is to minimize the 
amounts of passes that has to be _typed_ without necessarily removing or 
unifying the passes themselves, and with no security loss over 
gpg-agent/ssh-agent.

> With locking the X-session to prevent password sniffing while
> accessing the Heise forum?

Well, sure, when locking X the wallet should be closed again in an untrusted 
environment.

> > moot whatever way you put it. Likewise, KMail stores the passphrase in
> > memory, KIO:Fish has the SSH password, etc.
>
> I might have missed something, but what is the importance of the SSH
> password - you enter it when you login in the morning and that's it
> for most folks.

Once per server/key (depending on whether you have password or key based auth, 
most home systems I have access to use password, my work uses key). All in 
all that's a fair amount of passes. Now I don't use most of them a lot and I 
am more than willing to live with the current situation, but other people 
using KDE might not. I'm also trying to make it more convenient and user 
friendly for _others_, and as long as security is not given up that should be 
fair enough.

So the discussion basically boils down to the amount of security you give up 
by using the wallet and the amount of security you are WILLING to give up. 
Ideally you don't give up security, though I'm pretty sure the memory storage 
leaves traces behind for people not using encrypted swap. Therefore I was 
thinking of using gpg-agent as the central storage location instead.

> The agent's have another purpose: Thet encapsulate the secret key
> operation into one module and thus making the entire system more
> secure.  Sometines it is better to put all your eggs in one basket and
> watch that basket very carefully.  You may want to s/eggs/secret keys/
> s/watch/audit/.

Actually that means that on a KDE 3.2 system there are FOUR baskets: 
ssh-agent, gpg-agent, kdesud and kwallet. Each of them stores different 
passes, but ideally those should be only one app.

I agree that my approach only duplicates data in KWallet, the solution would 
be to make those four REALLY one app, but I have no idea where to start 
that :)

-- 
Martijn



More information about the Gpa-dev mailing list