
Secure Password Storage Example #67

Merged 2 commits, Apr 1, 2014

Conversation

@martin-css (Contributor)

As per issue 66.

Below is a working example of the changes I made to implement secure password storage. The changes have been tidied up to not be such a nasty hack.

The keyring_available flag is set if the keyring module is available for import on the user's system AND a suitable default implementation for secure storage of credentials exists.

The main load & save server config sections have been modified to use the keyring module for secure password storage if available (ensuring an empty string is written to the config file for the password). If the module is not available then the current obfuscation implementation will be used. If the user does not enable the save password option then nothing will be stored using either method.

Note the `or ""` on line 326 is necessary for Nagstamon to handle the case where the keyring should be used but no password has yet been saved to the user's credential store. As a matter of personal preference I've disabled storage of empty password values to the keyring.

… storage if the module and a suitable implementation is available when Nagstamon is run.
…ers.

Changed naming convention to match other python apps (like Mercurial).
HenriWahl pushed a commit that referenced this pull request Apr 1, 2014
Secure Password Storage Example
HenriWahl merged commit fea3642 into HenriWahl:master on Apr 1, 2014

@HenriWahl (Owner)

Using your changes in a GNOME3 environment from command line I get a command line prompt to create a new keyring password. Do you know more about how to use existing keyring technologies?

@HenriWahl (Owner)

Following the python-keyring web pages, I try:

```shell
python -c "import keyring.util.platform_; print(keyring.util.platform_.config_root())"
```

And get:

```
/home/user/.local/share/python_keyring
```

This doesn't look like a GNOME keyring. How does your environment behave?

@martin-css (Contributor, Author)

I'm using Ubuntu 13.10 Desktop (x86_64). I had installed the Python keyring service using the python-keyring system package. This was all that was required to get this configured and working with the native Gnome keyring manager (Seahorse in Ubuntu 13.10).

The basic premise of the system keyring is that credentials are securely stored in encrypted form with the key being derived from a password entered by the user. This is most useful when your login password is automatically used as the password which is what many Linux distros (& Windows) offer.

We don't want to get into the realms of keyring config as the software should simply use what the OS offers. However, it may be necessary to tweak the keyring detection if it is not picking up that a system keyring service is not available.

Would you be able to test in a virtual machine? A fresh install of Ubuntu 13.10 would mirror my set-up and all you should need to do is install the keyring package mentioned above.

@HenriWahl (Owner)

Yes, it should stay as simple as possible. I also did not check all options of python-keyring. Their website looks pretty promising.

@HenriWahl (Owner)

I tried on a fresh Ubuntu 13.10 and get this:

```
henri@ubuntu1310:~/Schreibtisch/Nagstamon-master/Nagstamon$ ./nagstamon.py
ERROR:dbus.proxies:Introspect error on :1.18:/org/freedesktop/secrets/aliases/default: dbus.exceptions.DBusException: org.freedesktop.Secret.Error.NoSuchObject: The '/org/freedesktop/secrets/aliases/default' object does not exist
Traceback (most recent call last):
  File "./nagstamon.py", line 45, in <module>
    from Nagstamon.Config import Config
  File "/home/henri/Schreibtisch/Nagstamon-master/Nagstamon/Nagstamon/Config.py", line 30, in <module>
    import keyring
  File "/usr/lib/python2.7/dist-packages/keyring/__init__.py", line 9, in <module>
    from core import (set_keyring, get_keyring, set_password, get_password,
  File "/usr/lib/python2.7/dist-packages/keyring/core.py", line 166, in <module>
    init_backend()
  File "/usr/lib/python2.7/dist-packages/keyring/core.py", line 65, in init_backend
    keyrings.sort(key = lambda x: -x.supported())
  File "/usr/lib/python2.7/dist-packages/keyring/core.py", line 65, in <lambda>
    keyrings.sort(key = lambda x: -x.supported())
  File "/usr/lib/python2.7/dist-packages/keyring/backends/SecretService.py", line 23, in supported
    secretstorage.Collection(bus)
  File "/usr/lib/python2.7/dist-packages/secretstorage/collection.py", line 43, in __init__
    self.collection_props_iface.Get(COLLECTION_IFACE, 'Label')
  File "/usr/lib/python2.7/dist-packages/secretstorage/util.py", line 27, in function_out
    raise ItemNotFoundException(e.get_dbus_message())
secretstorage.exceptions.ItemNotFoundException: The '/org/freedesktop/secrets/aliases/default' object does not exist
```

I am investigating, but anyway - do you have any idea what this means or what other preconditions have to be met?

@martin-css (Contributor, Author)

It was working pretty much OOB for me. Default install of Ubuntu 13.10. Make sure the user account has a password. Login to your X11 desktop. Check seahorse is present as application and loads OK.

Installed the keyring package with `sudo apt-get install -y python-keyring`.

That was pretty much all I needed to run Nagstamon. If you still have issues I could see about setting up a Vagrantfile to provision a test environment if you have Vagrant available?

@HenriWahl (Owner)

python-keyring was already installed. Googling the error message I found https://bugs.launchpad.net/backintime/+bug/1241979 - seems to be a bug in python-secretstorage. Do you have python-secretstorage installed? Uninstalling it is the workaround suggested there.

@HenriWahl (Owner)

Removing python-secretstorage I am at least able to start nagstamon.py. Now it crashes due to some GUI stuff... looks like some other problem, not keyring-related.

@martin-css (Contributor, Author)

Good that it's working for you now. I do have version 1.0.0-1 of python-secretstorage installed on my system and have no issues.

@HenriWahl (Owner)

Now it kind of runs... it raised some GUI bug, but this is another issue. I get this line again on the command line:

```
Please set a password for your new keyring:
```

Maybe this would look different if run only GUI-wise. How should it behave? Or, how do you run it? From the command line?

@HenriWahl (Owner)

Running the 0install unstable without command line also does not show up any keyring dialog. :-(

@HenriWahl (Owner)

Just one idea... what other somehow keyring-related packages do you have installed?

@martin-css (Contributor, Author)

I've uploaded a VM image (OVA format) with a working system keyring. This is an install of Ubuntu 13.10 (64 bit) with default options. The description field contains details of the steps I took to get it set up (only about 5). You can download from:

http://www.campbellsoftware.co.uk/downloads/NagstamonTest.ova

Please give this a try.

@HenriWahl (Owner)

OK, I ran it. The steps you did were the same as I did. Only the python-keyring package was already installed. I note the following differences:

  • I have autologin enabled - maybe this prevents creating the needed secret storage?
  • my secret storage in seahorse is COMPLETELY empty. No entry at all.

After I reinstalled python-secretstorage (which I removed yesterday because WITH it nagstamon.py did not start at all), disabled autologin and rebooted with a password-based login, the nagstamon entry magically appeared in seahorse when being set in the nagstamon settings.
So the conclusion is:

  • python-keyring in nagstamon works if no autologin is set. At least in Ubuntu.
  • In my default non-autologin Fedora I have to install python-SecretStorage and finally it works there too!

Under the assumption that no admin will use an autologin desktop, the keyring might be used. I will test with Windows and MacOSX. Anyway, a capability detection should be included to decide if there are any usable backends and if not, fall back to the legacy obfuscation.

@HenriWahl (Owner)

I tested with MacOS X and Windows. After manually installing Python keyring it works on both platforms. So only some more finish is needed:

  • migrate from old to new storage smoothly without presenting an empty password field
  • check on Linux if all prerequisites are available
  • offer option to use old storage
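The storage scheme from the PR body (use the keyring only when the module imports and a usable backend exists, otherwise the legacy obfuscation; always write an empty string to the config file; `or ""` when no password has been saved yet) together with the three finishing points listed above, as an added example. It is not Nagstamon's code and not part of this PR. Assumptions: the service name `"Nagstamon"`, the `username@server` account naming, a base64 stand-in for the legacy obfuscation (Nagstamon's real scheme is not shown here), and the probe via `keyring.get_keyring()` / `keyring.backends.fail.Keyring`, which matches current python-keyring rather than the 2014 version in this thread; `MemoryKeyring` is a constructed stand-in so the block runs without a desktop keyring.

```python
"""Keyring-backed credential storage with a legacy-obfuscation fallback.

Added example modelled on the approach described in this pull request; it is
not Nagstamon's own code. The keyring probe targets the current keyring API
(keyring.get_keyring(), keyring.backends.fail.Keyring), an assumption about
the installed version; the obfuscation is a stand-in, not Nagstamon's.
"""
import base64

SERVICE = "Nagstamon"  # assumed service name used as the keyring namespace


def obfuscate(password):
    """Stand-in for the legacy obfuscation: reversible encoding, NOT encryption.
    Anyone who can read the config file can recover the password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def deobfuscate(value):
    """Inverse of obfuscate(); an empty config value yields an empty password."""
    if not value:
        return ""
    return base64.b64decode(value.encode("ascii")).decode("utf-8")


def detect_keyring():
    """Return the keyring module only if it imports cleanly AND a real backend
    is configured; otherwise None, so the caller falls back to obfuscation.

    Catches Exception rather than just ImportError: as the traceback in this
    thread shows, 'import keyring' itself can raise a secretstorage error when
    the Secret Service has no default collection."""
    try:
        import keyring
        from keyring.backends.fail import Keyring as FailKeyring
        backend = keyring.get_keyring()
    except Exception:
        return None
    if isinstance(backend, FailKeyring):  # module present, no usable backend
        return None
    return keyring


class MemoryKeyring:
    """Constructed in-memory stand-in exposing the keyring set/get_password
    interface, so the example runs without a desktop keyring."""

    def __init__(self):
        self._store = {}

    def set_password(self, service, account, password):
        self._store[(service, account)] = password

    def get_password(self, service, account):
        return self._store.get((service, account))


class CredentialStore:
    """backend=None means 'use the legacy obfuscated config file' (the option
    to keep the old storage); CredentialStore.autodetect() probes the system."""

    def __init__(self, backend=None):
        self.backend = backend

    @classmethod
    def autodetect(cls):
        return cls(backend=detect_keyring())

    @property
    def keyring_available(self):
        return self.backend is not None

    @staticmethod
    def _account(server, username):
        # One keyring entry per monitored server (assumed naming scheme).
        return "%s@%s" % (username, server)

    def save(self, config, server, username, password, save_password):
        """Update the config mapping that will be written to disk and return it."""
        if not save_password:
            config["password"] = ""  # nothing is persisted by either method
        elif self.keyring_available:
            if password:  # do not store empty passwords in the keyring
                self.backend.set_password(SERVICE, self._account(server, username), password)
            config["password"] = ""  # the config file never carries the secret
        else:
            config["password"] = obfuscate(password)
        return config

    def load(self, config, server, username):
        """Return the password; an obfuscated value left in the config by the
        old scheme is migrated into the keyring and blanked out of the file."""
        legacy = deobfuscate(config.get("password", ""))
        if not self.keyring_available:
            return legacy
        account = self._account(server, username)
        stored = self.backend.get_password(SERVICE, account) or ""  # None -> ""
        if not stored and legacy:
            self.backend.set_password(SERVICE, account, legacy)
            config["password"] = ""
            return legacy
        return stored
```

`CredentialStore.autodetect()` is what the application would call at startup; the tests below inject `MemoryKeyring` or `None` so both code paths and the migration step run deterministically.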

@martin-css (Contributor, Author)

The auto-login would prevent the secret storage from providing the automatic Login keyring. This is unlocked automatically by the system using your login password which obviously isn't entered if the auto-login is enabled. Hence it would need a manually set up keyring which is why you were getting the prompt to create a new keyring.

Glad it's working though. I've removed the VM image since it's no longer required. I agree some more work to tidy this up is required, this was mainly a proof of concept to show it working but also fall-back to the current obfuscation method if a keyring was not available. I'd also recommend you consider whether anything else should be securely stored (e.g. the proxy password).

For Linux it might be worth adding python-keyring as a dependency to the DEB package. The python-keyring package depends on python-secretstorage, so if python-keyring is installed then this should be too.

@HenriWahl (Owner)

I was able to remove python-secretstorage without interfering with python-keyring on ubuntu and Fedora, so a dependency would be necessary. I will check with Debian too but think their latest incarnation with GNOME3 should have the secretstorage.

@HenriWahl (Owner)

Finally I think I have fine-tuned your feature enough. Commit 8cbaf8e brings the seamless migration from the old storage to the new one. Windows and OSX get the keyring module integrated within Nagstamon; Linux should have it by distribution and if not, the keyring won't be used. If you can, try it on other systems to see if it works reliably.
