Hello Michał,
thanks for your message. Unluckily - it's beyond my abilities to
implement it. But your approach sounds pretty smart. I cannot really
estimate the security level - but certainly much better than without
any password, I guess.
I still think that there is a great demand for something like that -
the many requests for "auto login without password" seem to be an
indicator.
I'd strongly appreciate if your solution would be evaluated, optimized,
probabely enhanced - and merged into GNOME. What can we do to achieve
this?
Cheers,
Wolf
Am Donnerstag, den 08.06.2017, 09:14 +0200 schrieb Michał Górny:
> Hi,
>
> I'm sorry about not sending it earlier. Here's patch I was talking
> about. As I said, it's pretty dumb. Set a random keyring password
> first,
> then encrypt it in a file <keyring_name>.gpg and put into keyrings
> dir,
> e.g. if your keyring is 'login.keyring' in ~/.gnome2/keyrings:
>
> umask 077
> echo mypassword > ~/.gnome2/keyrings/login
> gpg -e ~/.gnome/keyrings/login
>
> It will ask about your user ID, you select to encrypt to yourself
> and after building gnome-keyring with the patch you should get GPG
> password dialog (to decrypt the password) before the normal dialog
> (asking for password).
>
> ---
> pkcs11/wrap-layer/gkm-wrap-prompt.c | 66
> +++++++++++++++++++++++++++++++++++++
> 1 file changed, 66 insertions(+)
>
> diff --git a/pkcs11/wrap-layer/gkm-wrap-prompt.c b/pkcs11/wrap-
> layer/gkm-wrap-prompt.c
> index 71bc14da..4bba2997 100644
> --- a/pkcs11/wrap-layer/gkm-wrap-prompt.c
> +++ b/pkcs11/wrap-layer/gkm-wrap-prompt.c
> @@ -165,11 +165,77 @@ auto_unlock_object_digest (CK_ATTRIBUTE_PTR
> attrs, CK_ULONG n_attrs)
> }
>
> static gchar*
> +auto_unlock_try_gpg (CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
> +{
> + CK_ATTRIBUTE_PTR attr;
> + gchar* directory;
> + gchar* path;
> + gchar* argv[4];
> + gchar* password;
> + gint exitst;
> + GError* err;
> +
> + attr = gkm_attributes_find (attrs, n_attrs, CKA_ID);
> + if (attr == NULL)
> + return NULL;
> +
> + directory = gkm_util_locate_keyrings_directory();
> + path = g_strdup_printf("%s/%s.gpg", directory, (gchar*)attr-
> >pValue);
> + g_free(directory);
> +
> + if (!g_file_test(path, G_FILE_TEST_IS_REGULAR))
> + {
> + g_free(path);
> + return NULL;
> + }
> +
> + argv[0] = "gpg";
> + argv[1] = "-d";
> + argv[2] = path;
> + argv[3] = NULL;
> +
> + if (!g_spawn_sync(NULL, argv, NULL,
> + G_SPAWN_SEARCH_PATH|G_SPAWN_CHILD_INHERITS_S
> TDIN,
> + NULL, NULL,
> + &password, NULL,
> + &exitst, &err))
> + {
> + fprintf(stderr, "Error spawning key decrypt: %s\n",
> + err->message);
> + g_free(path);
> + return NULL;
> + }
> +
> + g_free(path);
> +
> + if (!g_spawn_check_exit_status(exitst, &err))
> + {
> + fprintf(stderr, "Key decrypt exit abnormally: %s\n",
> + err->message);
> + g_free(password);
> + return NULL;
> + }
> +
> + g_strchomp(password);
> + if (!*password)
> + {
> + g_free(password);
> + return NULL;
> + }
> +
> + return password;
> +}
> +
> +static gchar*
> auto_unlock_lookup_keyring (CK_ATTRIBUTE_PTR attrs, CK_ULONG
> n_attrs)
> {
> gchar *location;
> gchar *password;
>
> + password = auto_unlock_try_gpg(attrs, n_attrs);
> + if (password)
> + return password;
> +
> location = auto_unlock_keyring_location (attrs, n_attrs);
> if (location == NULL)
> return NULL;
_______________________________________________
gnome-keyring-list mailing list
gnome-keyring-list@gnome.org
https://mail.gnome.org/mailman/listinfo/gnome-keyring-list
