From kde-core-devel Mon Jun 11 20:40:56 2001 From: George Staikos Date: Mon, 11 Jun 2001 20:40:56 +0000 To: kde-core-devel Subject: Re: Persistent password caching (.netrc and .kionetrc) X-MARC-Message: https://marc.info/?l=kde-core-devel&m=99229523000644 On Monday 11 June 2001 05:13, Dawit Alemayehu wrote: > In terms of security, for reading from the file we follow the same > requirements set on the ".netrc" file, which is basically that the file > must exist and only have "rw" permission for the user. We also check to > see if the current geteuid() matches the uid set on the file. Also these > file must be in the right location of course. That is ".netrc" must be in > while ".kionetrc" must be under the "config" directory in $KDEHOME... > > Anyways, in the long run the idea is to unify password caching for all > applications that need it. For example, kmail can store any login info > provided in the account area in ".kionetrc" using the "preset" keyword and > setting the type file. This makes it easier to allow the user to manage > his (her) password from a single control panel config module (when it is > designed!). Also we can store webbased login information and provide > similar facilities as Mozilla and IE do in this regards with a very small > overhead. > > Oh BTW, all of this of course is optional as with everything else and will > be off by default for the very obvious reasons... > > What do you all think ? Comments, opinions, ideas ? Is it a good idea to > provide a centralized location for storing persistent passwords ? I've been pondering this too, because it's basically essential to SSL support. Users will not be pleased to have to type in their password every time KDE uses a certificate. However I won't implement the code to save the password until there is an encrypted password registry. It's just not safe. I do have the code for 16 rounds blowfish with variable key length checked into koffice and I was planning to abstract it more to make a good crypto infrastructure for 2.3. If you want, we could temporarily move this code into a "private" class in kdelibs to use for this. Then a user would input the global password once and all apps could then read the passwords. Ideally this should go in the KConfig layer (I think...) but I guess it could go anywhere. What do you think about something along those lines? -- George Staikos