New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Keyring-rs to store secrets #2
Comments
Why couldn't it be an optional dependency configured at build-time with a feature flag? |
I've already though about this possibility, but I've decided not to opt for it. How many of them will enable the keyring feature in the build? Considering that not all the linux distros support the service used by the d-bus, it's really not worth it to implement the keyring for linux. |
This is a bit unfair. All of the major distributions (Debian, Ubuntu, Fedora, CentOS, RHEL, Arch, etc) use systemd, and systemd has a hard dependency on dbus. Gentoo users are used to compiling things themselves, so adding/removing compile-time flags is no big deal there. That's the majority of users covered, and I know for Arch at least, maintainers absolutely would enable the keyring feature at build-time. Dismissing the addition of an optional feature because there exists at least one distribution that wouldn't use that feature is a disappointing attitude. |
The problem is not with D-Bus, but is that a service which provides I will repeat myself: this feature is completely useless afterall. It doesn't add anything to the user experience, it's just an additional security layer, I've implemented it on MacOs and Windows because it was "free".
I just have my point of view, and before defining someone's attitude as |
For what it's worth, KeepassXC also provides https://archlinux.org/todo/gnome-keyring-dependency-replacement-with-orgfreedesktopsecrets/ |
I'll make some tests with it when I have some spare time using keyring-rs to see if it works fine. Once I'll be come back with a definitive analysis in implementing keyring storage for linux I will eventually re-open this issue to link a PR for termscp 0.6.0 (I guess, there's still a lot to do for 0.5.0). Thanks |
# This is the 1st commit message: Use containers to test file transfers # This is the commit message #2: Container setup # This is the commit message #3: Container setup # This is the commit message #4: tests with docker-compose # This is the commit message #5: these tests won't work with containers # This is the commit message #6: ftp tests with containers; removed crap servers; tests only lib # This is the commit message #7: hostname for github # This is the commit message #8: booooooh # This is the commit message #9: fixed recursive remove FTP
Issue closed, for updates and linux implementation, please refer to issue #48 |
Premise
TermSCP uses an AES 256 byte key to encrypt secrets/passwords in bookmarks.
At the moment the AES key is stored in one of the following paths, based on the user's operating system:
/home/alice/.config/termscp/.ssh/
/Users/Alice/Library/Application Support/termscp/.ssh/
C:\Users\Alice\AppData\Roaming\termscp\.ssh\
This method is quite safe, since anyway, keys are located in a path which is accessible only by the current user.
The Keyring solution
The optimal solution to store the secret would probably be to use keyring-rs which allows the user to store the termscp secret in the operating system vault.
The solution is actually quite simple, since just in a few lines of code, this crates provides a way to do so:
Unfortunately, if on one side this makes safer to handle secrets, at the same time adds a lot of issues.
The BSD compatibility break
Keyring-rs just doesn't support BSD, which would break the compatibility with it. So it must be a feature for BSD
The D-BUS dilemma
On Linux keyring-rs uses D-BUS and requires a service which provides
org.freedesktop.secrets
. And there are three issues with that.org.freedesktop.secrets
service. As a Manjaro/KDE user, I wasn't able to find any service running which provides it, making me unable to use it. I haven't checked how many DE actually supports it, GNOME supports it for sure.rust-keyring
. I'm not 100% sure this means the only service you can use is actuallyrust-keyring
, but if it so, for me it's totally a big no no.Implementation
After the analysis of the issues introduced by the crate, I haven't given up in implementing this feature, indeed I've actually decided I will implement it in 0.3.1/0.3.2.
The implementation consists in adding a new trait
Keystorage
which provides these methods:and I will implement two providers:
KeyringStorage
which useskeyring-rs
andFileStorage
which uses the current implementation.The keyring-rs crate will be available on Windows and MacOS only, while on Linux, at least until libdbus will be required, I won't be supported. I know it's a pity, considering that probably a big slice of the audience of termscp are Linux/WSL users, but this would introduce many compatibility issues and would remove the coverage for many users (wsl users in particular).
The text was updated successfully, but these errors were encountered: