librelist archives

integration with gnome-keyring

From: Anando Gopal Chatterjee
Date: 2013-03-20 @ 15:29

Hi,

Is it possible to take login username and password directly from a keyring
such as 'seahorse'?
It is very insecure to keep username and password in a text-file (the
configuration file of redsocks) on a public computer.
But if kept in a keyring then all can use it securely.

Thank you,
Anando Gopal Chatterjee


Re: [redsocks] integration with gnome-keyring

From: Leonid Evdokimov
Date: 2013-03-25 @ 08:03

On Wed, Mar 20, 2013 at 7:29 PM, Anando Gopal Chatterjee
<anandogc@iitk.ac.in> wrote:
> Is it possible to take login username and password directly from a
> keyring such as 'seahorse'?
> It is very insecure to keep username and password in a text-file (the
> configuration file of redsocks) on a public computer.
> But if kept in a keyring then all can use it securely.

Why is it more secure? What attack does it prevent and is this attack
really relevant to your case? Keyring is not magic powder making
things secure.

For socks4, socks5 and http-basic authorization you have to know
plain-text of the password, so it...
1) has to be stored somehow in plain-text (probably, encrypted)
2) has to be processed in plain-text for every new connection (so, it
has to be stored in plain-text at least in RAM)
3) is passed through network in plain-text for socks5, and http with
basic authorization scheme

Also, you often need root access to run redsocks, so it's not an ordinary
"public computer", it's a public computer with root access for everyone.
It usually means that you can't trust it, doesn't it? :)

--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222

Re: [redsocks] integration with gnome-keyring

From: Anando Gopal Chatterjee
Date: 2013-03-27 @ 03:58

> On Wed, Mar 20, 2013 at 7:29 PM, Anando Gopal Chatterjee
> <anandogc@iitk.ac.in> wrote:
>> Is it possible to take login username and password directly from a
>> keyring such as 'seahorse'?
>> It is very insecure to keep username and password in a text-file (the
>> configuration file of redsocks) on a public computer.
>> But if kept in a keyring then all can use it securely.
>
> Why is it more secure? What attack does it prevent and is this attack
> really relevant to your case? Keyring is not magic powder making
> things secure.
>
> For socks4, socks5 and http-basic authorization you have to know
> plain-text of the password, so it...
> 1) has to be stored somehow in plain-text (probably, encrypted)
> 2) has to be processed in plain-text for every new connection (so, it
> has to be stored in plain-text at least in RAM)
> 3) is passed through network in plain-text for socks5, and http with
> basic authorization scheme
>
> Also, you often need root access to run redsocks, so it's not an ordinary
> "public computer", it's a public computer with root access for everyone.
> It usually means that you can't trust it, doesn't it? :)
>
> --
> WBRBW, Leonid Evdokimov
> xmpp:leon@darkk.net.ru && http://darkk.net.ru
> tel:+79816800702 && tel:+79050965222
>

If the password is stored in some configuration file like
'/etc/redsocks.conf' then everybody will be able to see the password very
easily. Then maybe this can be done:

1) we store an encrypted password.
2) whenever we run redsocks the password will be unencrypted and the
configuration file will be made.
3) run redsocks
4) delete the configuration file.

Then it will be a bit difficult to see the password.

regards,
-- 
Anando Gopal Chatterjee
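
An added example, not part of the thread and not redsocks code: one way to carry out steps 2 to 4 of the proposal above so that the generated file is never readable by other local users, together with a check that flags a config whose password is readable by group or others. The function names, the `run` callable and the sample config values are assumptions made for illustration; as the earlier reply points out, the password is still plain text on disk and in RAM while it is in use.

```python
import os
import re
import stat
import tempfile

# Matches an active (not //-commented) password setting in a redsocks-style config.
PASSWORD_RE = re.compile(r'^[ \t]*password[ \t]*=', re.MULTILINE)


def password_exposed(path):
    """Return True if the file holds a password and group/others can read it."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        has_password = bool(PASSWORD_RE.search(fh.read()))
    readable_by_others = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
    return has_password and readable_by_others


def write_private_config(directory, text):
    """Create the config with mode 0600 from the start; return its path."""
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600, so there is no window
    # in which the file exists with wider permissions.
    fd, path = tempfile.mkstemp(prefix="redsocks-", suffix=".conf", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def run_with_temp_config(text, directory, run):
    """Steps 2-4 of the proposal: make the config, run, delete it."""
    path = write_private_config(directory, text)
    try:
        return run(path)  # hypothetical callable that starts redsocks with this file
    finally:
        os.remove(path)


# Constructed sample config; the address, login and password values are made up.
SAMPLE = '''redsocks {
    local_ip = 127.0.0.1;
    local_port = 12345;
    ip = 192.0.2.10;
    port = 1080;
    type = socks5;
    login = "exampleuser";
    password = "example-secret";
}
'''
```
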