Bug 478728 - Teach krb5-auth-dialog to use gnome-keyring
Teach krb5-auth-dialog to use gnome-keyring
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: krb5-auth-dialog (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Itamar Reis Peixoto
Fedora Extras Quality Assurance
: Patch
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-04 04:30 EST by Bojan Smojver
Modified: 2009-04-27 21:26 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-27 21:26:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch, briefly tested (4.41 KB, patch)
2009-01-04 04:30 EST, Bojan Smojver
no flags Details | Diff
A slightly cleaner patch (passing keyring items using available mechanism) (4.65 KB, patch)
2009-01-04 17:15 EST, Bojan Smojver
no flags Details | Diff
Avoid a segfault (4.69 KB, patch)
2009-01-04 18:21 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source (5.61 KB, patch)
2009-01-13 19:33 EST, Bojan Smojver
no flags Details | Diff
Corrected patch against 0.8 source (5.74 KB, patch)
2009-01-13 22:46 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source with better memory management (5.96 KB, patch)
2009-01-14 00:44 EST, Bojan Smojver
no flags Details | Diff
Better patch against 0.8: attempt gnome keyring authentication once (6.49 KB, patch)
2009-01-14 02:01 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: split keyring functionality into separate files (4.83 KB, patch)
2009-01-15 20:13 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: split keyring functionality into separate files (9.69 KB, patch)
2009-01-15 20:42 EST, Bojan Smojver
no flags Details | Diff
Enforce keyring password strength in gnome-keyring (3.60 KB, patch)
2009-01-18 06:40 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: make keyring use optional (7.01 KB, patch)
2009-01-19 18:10 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: make keyring use optional (12.61 KB, patch)
2009-01-19 18:18 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: make keyring use optional (12.65 KB, patch)
2009-01-19 20:43 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: delete passwords if krb5_get_init_creds_opt_set_pkinit returns error (13.06 KB, patch)
2009-01-25 01:05 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: never use keyring when pkinit is used (12.74 KB, patch)
2009-01-25 01:54 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: never use keyring when pkinit is used - take 2 (12.76 KB, patch)
2009-01-25 02:49 EST, Bojan Smojver
no flags Details | Diff
Patch against 0.8 source: avoid bogus debug info by checking use_keyring variable (12.86 KB, patch)
2009-01-30 23:46 EST, Bojan Smojver
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 567701 None None None Never
GNOME Desktop 568218 None None None Never

  None (edit)
Description Bojan Smojver 2009-01-04 04:30:48 EST
Created attachment 328127 [details]
Patch, briefly tested

Description of problem:
This program keeps asking for password, although we have a perfectly good keyring manager available.

Version-Release number of selected component (if applicable):
0.7-7.fc9

How reproducible:
Always.

Steps to Reproduce:
1. Kerberos ticket expires, krb5-auth-dialog pops up to ask for password.

Additional info:
Patch attached. I'm neither a Gnome nor Kerberos programmer, so go easy. Maybe as a skeleton?
Comment 1 Bojan Smojver 2009-01-04 17:15:36 EST
Created attachment 328156 [details]
A slightly cleaner patch (passing keyring items using available mechanism)

Also briefly tested. Appears to work.
Comment 2 Bojan Smojver 2009-01-04 18:21:24 EST
Created attachment 328161 [details]
Avoid a segfault

That goto store may cause deallocation of items that have not been allocated. Fixed here.
Comment 3 Bojan Smojver 2009-01-13 19:33:50 EST
Created attachment 328935 [details]
Patch against 0.8 source
Comment 4 Bojan Smojver 2009-01-13 19:45:15 EST
Comment on attachment 328935 [details]
Patch against 0.8 source

This patch has been compiled and linked, but not tested.
Comment 5 Bojan Smojver 2009-01-13 20:42:30 EST
I've been running the patch against 0.7 on my F-10 systems for many days now without any problems.
Comment 6 Bojan Smojver 2009-01-13 22:46:50 EST
Created attachment 328942 [details]
Corrected patch against 0.8 source

This patch has been tested against 0.8 on F-10.
Comment 7 Bojan Smojver 2009-01-14 00:44:28 EST
Created attachment 328951 [details]
Patch against 0.8 source with better memory management

Tested on F-10.
Comment 8 Bojan Smojver 2009-01-14 02:01:12 EST
Created attachment 328956 [details]
Better patch against 0.8: attempt gnome keyring authentication once

Tested on F-10.

Instead of telling the user that the credentials have expired using the tray, we can try with gnome keyring stored password, which is also non-interactive. If that doesn't work (bad or no password in gnome keyring), just display they icon on the tray and wait for user to click it in order to provide password.
Comment 9 Bojan Smojver 2009-01-15 20:13:29 EST
Created attachment 329153 [details]
Patch against 0.8 source: split keyring functionality into separate files

Tested on F-10.
Comment 10 Bojan Smojver 2009-01-15 20:42:20 EST
Created attachment 329154 [details]
Patch against 0.8 source: split keyring functionality into separate files

OOPS! Git is different to svn. Take that into account when creating the patch.
Comment 11 Matěj Cepl 2009-01-17 16:44:59 EST
I am afraid, that this is whole bug is pretty bad idea -- the point of Kerberos is that it should be ultra-secure -- circumvention of the Kerberos process by using passwords which cannot be controlled by administrators (and thus are presumably weaker) seems to me like totally bad idea.

I would vote for WONTFIX.
Comment 12 Bojan Smojver 2009-01-17 17:19:57 EST
Well, that's already been circumvented if you're using Evolution and Exchange. Essentially, your Kerberos (AD) password will be stored in the keyring by Evolution.

What's the point of having a keyring if it cannot be trusted and you cannot store passwords in it?
Comment 13 Bojan Smojver 2009-01-17 18:36:01 EST
One more observation here: AFAIK, if network authentication is used, default keyring (which is used for this) will have network password.
Comment 14 Bojan Smojver 2009-01-17 20:42:20 EST
Had a look through gnome-keyring source and there is already a calculation of password strength there. Maybe the real solution is to use that calculation to enable system admins to enforce password strength on keyrings?

I think I should be able to whip up a patch along those lines...
Comment 15 Bojan Smojver 2009-01-18 06:40:27 EST
Created attachment 329298 [details]
Enforce keyring password strength in gnome-keyring

Something like this. I didn't even compile this, let alone test it. But, you get the idea.
Comment 16 Bojan Smojver 2009-01-19 18:10:12 EST
Created attachment 329408 [details]
Patch against 0.8 source: make keyring use optional

Given the objection that some system admins may not like this behaviour, here is a patch that makes the whole thing optional.
Comment 17 Bojan Smojver 2009-01-19 18:18:02 EST
Created attachment 329409 [details]
Patch against 0.8 source: make keyring use optional

For real this time.
Comment 18 Bojan Smojver 2009-01-19 19:20:29 EST
OK, I think I addressed the circumvention concern with two different improvements:

- enforcement of strong keyring passwords (for admins that choose to use keyring)
- keyring off by default (this can be enforced by mandatory profiles)

Matej,

Could you please comment on the above and if it passes the sanity test. If it doesn't, I'll close as WONTFIX.
Comment 19 Bojan Smojver 2009-01-19 20:43:33 EST
Created attachment 329417 [details]
Patch against 0.8 source: make keyring use optional

Stay away from deleting passwords if keyring items were not allocated.
Comment 21 Matěj Cepl 2009-01-20 09:45:56 EST
Would it be possible to add to this program something like applet functionality. I would love to have a green light in my taskbar turning red when ticket expires (is to expire?), and clicking on this equivalent of kinit would run. What do you think?
Comment 23 Tomas Mraz 2009-01-20 15:27:29 EST
Except when there is no UI to enable the keyring use nobody will really use this feature.
Comment 24 Christopher Aillon 2009-01-20 15:33:08 EST
I'm not really working on this anymore -- Colin, you've been somewhat active here, can you have a look, please?
Comment 25 Bojan Smojver 2009-01-20 16:22:22 EST
Regarding comment #21 - that's how 0.8 and above works already. There is an applet and the icon changes and you get notified that your ticket expired. When you click the icon, you get your credentials renewed. You can turn this on or off using gconf.

With the use of keyring, your credentials get refreshed automatically and you get notified that it happened. If the password in the keyring is bad and the authentication fails (after being tried only once), it is removed from the keyring and you get the "ticket expired" icon again. You then need to click the icon to get the dialog again and this then stores the good password into the keyring.

Of course, use of keyring is optional and can be prohibited by admins by using mandatory profiles.
Comment 26 Bojan Smojver 2009-01-25 01:05:30 EST
Created attachment 329924 [details]
Patch against 0.8 source: delete passwords if krb5_get_init_creds_opt_set_pkinit returns error

It seems to me that we should do this as well, so that we don't keep stale passwords in the keyring, which can cause authentication attempts with incorrect passwords. I have no way to test this - my system doesn't have krb5_get_init_creds_opt_set_pkinit() function.
Comment 27 Bojan Smojver 2009-01-25 01:54:50 EST
Created attachment 329925 [details]
Patch against 0.8 source: never use keyring when pkinit is used

This is probably the safest bet, so that we don't accidentally lock the smartcard.
Comment 28 Bojan Smojver 2009-01-25 02:49:21 EST
Created attachment 329931 [details]
Patch against 0.8 source: never use keyring when pkinit is used - take 2

pk_userid can also be blank (default), in which case we should not use keyring as well.
Comment 29 Bojan Smojver 2009-01-30 23:46:14 EST
Created attachment 330517 [details]
Patch against 0.8 source: avoid bogus debug info by checking use_keyring variable

See:

http://bugzilla.gnome.org/show_bug.cgi?id=567701#c17
Comment 30 Fedora Admin XMLRPC Client 2009-02-09 13:45:08 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 31 Bojan Smojver 2009-04-27 21:26:46 EDT
Looks like no interest upstream. Closing as WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.