In the last few days I was working on Tiamat and faced the need to store SSH and Telnet passwords. I didn't even hesitate; one name came to my mind: Gnome Keyring. It's easy, it's secure and it has Python bindings, so what was missing? Knowing how to use it. Before we start bending, I'd like to discuss a little how some applications store your passwords.
It's common to find applications that store passwords "incorrectly" and "insecurely". It's easy to find IM (Instant Messaging), e-mail and other clients that store the user's password in a hidden config file in the user's home directory. It isn't hard to find out that the passwords are in plain text. Sometimes this password config file receives a "little protection": a password is applied to the password. This means that the password is obfuscated with a reversible algorithm keyed by a "master password". This isn't correct! It gives us a feeling of false security: the passwords seem to be encrypted, but they aren't! With a little brute force it is possible to unveil the user's passwords.
A perfect example is Pidgin. The famous IM client stores your password at /home/<username>/.purple/accounts.xml. Don't believe me?! Look here. Still don't believe it? The Pidgin development team spoke about it here. Let me quote the first paragraph:
Purple does not now and is not likely to encrypt the passwords in the accounts.xml file, nor is it likely to be encrypted in a future release. This is somewhat controversial in Windows, especially Windows 98 due to its weak file protections, but that’s the way things are.
So, because of a fault in Windows, all other users are affected. From my point of view, solving this problem is very simple: protect the users when possible; if Windows doesn't provide any means, keep it insecure there. But the Pidgin Development Team made four suggestions:
- Store passwords behind a password;
- Obscure a password;
- Store the password in plain text and control access to the file;
- Lastly, you can not store passwords at all.
I won't make any observation about the four suggestions; I'm fed up with this. This is one of the reasons why I'm moving to Empathy. I hope someone from the Pidgin Development Team reads this.
Let’s start bending…
What is Gnome Keyring?
Gnome Keyring is a daemon that holds the user's credentials. The sensitive data is encrypted and stored in a keyring file in the user's home folder. Applications store passwords in, and request them from, the Gnome Keyring daemon through the libgnome-keyring library. The Gnome Keyring Python bindings are provided by the python-gnomekeyring package. You can browse the data stored in Gnome Keyring using Seahorse.
Gnome Keyring is very complex and well structured; there is plenty of documentation about it here. Let's focus on our objective:
Create a module that securely stores the user's authentication information, such as username, password, protocol and others.
Let's start from the beginning and try to understand how Gnome Keyring works. Be warned: the Python bindings for Gnome Keyring lack documentation, so we will use the C documentation available here. Last but not least, the Python bindings for Gnome Keyring are still incomplete and some functions aren't available.
Using Gnome Keyring Through Seahorse
Gnome Keyring manages and stores the user's authentication information in one or more encrypted databases. These databases are called keyrings. Let's see how to create a keyring (here named MyKeyring) and how it works.
First open Seahorse. Then click File->New. Choose "Password Keyring" and press Continue. Enter a name and a password for the keyring:
The keyring password you've defined is used to encrypt and decrypt its items. In Gnome Keyring terms, with this password you can lock (encrypt) and unlock (decrypt) the keyring's items. These items store whatever sensitive information you want. In this example, let's store the username Magnun and its SSH password for the server Neptune.
Click File->New. Choose "Stored Password" and click Continue. Fill in the "Add Password" dialog like the following:
Done, now my SSH username and password for the Neptune server are stored securely. We can check it here:
But it is still useless: I won't open Seahorse every time I need to remember this password. We need some integration, and we will do that in the next post.
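The same two Seahorse steps (create the keyring, store a network password for it) done from Python with the python-gnomekeyring bindings the post names, as an added example that is not the post's own code. It assumes a running gnome-keyring-daemon; MyKeyring, Magnun, Neptune and the function names are constructed.

```python
"""Store and fetch a login in Gnome Keyring through python-gnomekeyring.
Added example; needs a running gnome-keyring-daemon; MyKeyring, Magnun,
Neptune and the function names are constructed."""


def network_attributes(user, server, protocol):
    # Searchable metadata, stored unencrypted: never put the secret here.
    return {"user": user, "server": server, "protocol": protocol}


def display_name(user, server, protocol):
    # Label shown by Seahorse, e.g. ssh://Magnun@Neptune
    return "%s://%s@%s" % (protocol, user, server)


def _backend():
    # Imported lazily so this module loads on machines without the bindings.
    import gnomekeyring
    if not gnomekeyring.is_available():
        raise RuntimeError("gnome-keyring-daemon is not running")
    return gnomekeyring


def ensure_keyring(name, keyring_password):
    # Same as Seahorse's File->New, "Password Keyring".
    gk = _backend()
    if name not in gk.list_keyring_names_sync():
        gk.create_sync(name, keyring_password)
    return name


def store_password(keyring, user, server, protocol, password):
    # The secret is encrypted with the keyring password; the attributes are
    # what find_items_sync matches on. update_if_exists=True avoids duplicates.
    gk = _backend()
    return gk.item_create_sync(keyring, gk.ITEM_NETWORK_PASSWORD,
                               display_name(user, server, protocol),
                               network_attributes(user, server, protocol),
                               password, True)


def lookup_password(user, server, protocol):
    # Only unlocked keyrings are searched; the daemon prompts to unlock.
    gk = _backend()
    try:
        found = gk.find_items_sync(gk.ITEM_NETWORK_PASSWORD,
                                   network_attributes(user, server, protocol))
    except gk.NoMatchError:
        return None
    return found[0].secret
```

From Tiamat you would call ensure_keyring("MyKeyring", keyring_password) once, then store_password("MyKeyring", "Magnun", "Neptune", "ssh", secret) and lookup_password("Magnun", "Neptune", "ssh"); passing None as the keyring uses the default one.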