Feature Request - Secure Password Storage #66

Closed
martin-css opened this issue Mar 24, 2014 · 3 comments
Comments

@martin-css
Contributor

I had a look at how Nagstamon was storing the password if the save password option is enabled. I noted that the password is stored in an obfuscated form in the config file which is better than plain-text. However, anyone with a moderate understanding of programming would be able to retrieve the password from a config file given that the software is open source.

I modified the source code of my locally installed copy to use the Python keyring module. This was a very quick nasty hack (~4 lines of code) but has the password being stored securely in my system keyring implementation, which stores the password in encrypted form on the disk using the login password as the key.

It would be useful if this could be properly integrated into the main code base. Keyring implementations exist for Windows, Linux and MacOS. This would obviously need to manage the Python dependency and probably fall back to obfuscated storage if a system keyring implementation is not available. If a keyring implementation is not available then it would probably be beneficial to warn the user so they can choose whether to proceed or not.

@HenriWahl
Owner

Hi,
this sounds absolutely great. The key store has been just as is because it worked, but you are totally right. Can you provide the changes you did for a first start? It might need to be enhanced regarding the GUI, but it seems not to be a huge task.
Thanks + regards

@martin-css
Contributor Author

Please see above referenced pull request.

Further changes I would recommend considering:

  1. Saving proxy server password (as "proxy_username@proxyserver") in secure fashion
  2. Consider if autologin_key should be saved securely (wasn't sure what this was)
  3. Modify GUI to warn user if keyring module is not available and save password option ticked

Not related to the secure password storage, but I would also recommend removing the obfuscation of the username (normal & proxy) options. This is not really sensitive like the passwords, and if you use a configuration management tool like Chef, Puppet, etc., then this is a real pain in the neck when generating configuration file templates.

If you'd like any further assistance with any of the above please let me know.
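
The storage pattern discussed in this thread (system keyring first, obfuscated config entry as a fallback, with a warning the GUI can surface), sketched as an added example that is not Nagstamon's code or the referenced pull request. The service name, the `password`/`use_keyring` config keys and the base64 stand-in for the obfuscation are assumptions made for illustration.

```python
import base64
import logging

try:
    import keyring
    from keyring.errors import KeyringError
except ImportError:              # keyring package not installed
    keyring = None
    KeyringError = Exception

log = logging.getLogger("password_store")
SERVICE = "nagstamon-example"    # hypothetical keyring service name


def obfuscate(password):
    """Reversible encoding, NOT encryption (assumed stand-in for the config obfuscation)."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def deobfuscate(blob):
    """Anyone who can read the config file can do this, which is the issue's point."""
    return base64.b64decode(blob).decode("utf-8")


def save_password(config, account, password, backend=keyring):
    """Store in the system keyring; fall back to obfuscation with a warning.

    Returns "keyring" or "obfuscated" so the caller (e.g. a GUI) can warn the user.
    """
    if backend is not None:
        try:
            backend.set_password(SERVICE, account, password)
            config.pop("password", None)   # leave no copy of the secret in the file
            config["use_keyring"] = True
            return "keyring"
        except KeyringError as exc:        # locked or missing backend
            log.warning("keyring backend failed (%s)", exc)
    log.warning("no system keyring: password for %s is only obfuscated", account)
    config["password"] = obfuscate(password)
    config["use_keyring"] = False
    return "obfuscated"


def load_password(config, account, backend=keyring):
    """Read from the keyring when the config says so, else decode the fallback entry."""
    if config.get("use_keyring") and backend is not None:
        return backend.get_password(SERVICE, account)
    blob = config.get("password")
    return deobfuscate(blob) if blob else None
```

The same two functions cover the proxy credential by passing an account string in the `proxy_username@proxyserver` form suggested above.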

@HenriWahl
Owner

Considered stable with latest commit 595d414.
