On 2010-10-09T04:33:55, ext Patrick Ohly wrote:
> On Fri, 2010-10-08 at 11:03 +0200, Patrick Ohly wrote:
> > On Fri, 2010-10-08 at 08:28 +0100, Alberto Mardegan wrote:
> > > On 10/07/2010 02:09 PM, Patrick Ohly wrote:
> > > > There still is confusion around Accounts&SSO and what it does.
> > > > Specifically, storing plain text passwords in it is under dispute.
> > > >
> > > > Alberto closed a corresponding feature request in the MeeGo 1.0 time
> > > > frame, saying that it works and gave some example code:
> > > > http://bugs.meego.com/show_bug.cgi?id=5017
> > > >
> > > > But now Sateesh disagrees and says that "retrieving the credentials is
> > > > something that is not officially supported or is going to be removed and
> > > > is not going to be supported in
> > > > future." (http://bugs.meego.com/show_bug.cgi?id=8027#c4)
> > >
> > > Retrieving the plain credentials is something we are discouraging,
> > > because of security reasons. [...]
> >
> > Okay, so that is probably what Sateesh was thinking of in his statement.
> > For SyncML, the plain text password may be needed (basic auth method).
> > For the MD5 hash method, an Accounts&SSO plugin might be able to do the
> > necessary hashing. But given the time frames and that not all servers
> > necessarily support the second method, we should focus on retrieving the
> > password. Same applies to other apps, as you said.
>
> MeeGo's version of the Qt Messaging Framework (QMF) also uses the
> "password" method to retrieve the plain text password back out of
> Accounts&SSO.
>
> From H_2010W36-0maemo9-2-gc598718:
>
> src/plugins/messageservices/imap/imapclient.cpp:    const QString ssoMethod = QLatin1String("password");
> src/plugins/messageservices/smtp/smtpclient.cpp:    session = identity->createSession(QLatin1String("password"));
>
> $ grep -r -i credentialsId src/
> src/plugins/messageservices/imap/imapclient.cpp:    const quint32 credentialsId = account->credentialsId();
> src/plugins/messageservices/imap/imapclient.cpp:    _identity = SignOn::Identity::existingIdentity(credentialsId, this);
> src/plugins/messageservices/smtp/smtpclient.cpp:    const quint32 credentialsId = account->credentialsId();
> src/plugins/messageservices/smtp/smtpclient.cpp:    identity = Identity::existingIdentity(credentialsId, this);

Regarding this issue of QMF using the password method: for servers that
support challenge/response authentication, QMF shouldn't need to know the
credentials for accounts. But there's still a bit more work required to
make that happen in practice. Here's a quote from a mail that details the
current status:

<quote>
------------ Forwarded Message ------------
Date: Mon, 9 Aug 2010 12:13:51 +0200
From: Don Sanders <[email protected]>
<cut>
I've implemented CRAM-MD5 SASL authentication support, and updated the
SMTP plugin so that it can use it. It seems to work fine testing with
qtmail.

I didn't enable IMAP CRAM-MD5 authentication support yet, but it should be
simple to do if required. Also I've only added CRAM-MD5; it might not be
too much work to do DIGEST-MD5 and NTLM if required.

Looking at http://www.melnikov.ca/mel/devel/SASL_ServerRef.html all the
servers that support an authentication type other than LOGIN/PLAIN also
support CRAM-MD5. CRAM-MD5 definitely seems to be the standard
authentication mechanism.

The actual CRAM-MD5 implementation is in QMailAuthenticator, but please
note the messageserver process is still accessing the account username and
password. If the intention of QMailAuthenticator is to design secure
accounts so that the message server can't access the account user name and
password at all for these accounts, then there's still some more
Maemo/MeeGo Accounts & SSO integration work to do, including moving the
CRAM-MD5 code into the secure process that QMailAuthenticator is meant to
talk to. That's if I understand the QMailAuthenticator and Accounts & SSO
design correctly.
</quote>

For servers that only support plaintext authentication it's not so simple
to avoid QMF knowing the username and password, because QMF creates the
TCP socket used to communicate with the server.

> What I haven't found is where this credentials ID is set or where
> identities are created. In other words, a grep for IdentityInfo comes up
> empty. Isn't there an API that QMF apps can use to create accounts,
> including credentials, which then need to be stored in a new identity?
> Carl, what are you using in the handset mail app?
>
> Moises or Vitaly, can you help out and explain to me how these
> identities in libsignon are created?

I'll leave this to Moises and/or Vitaly to answer.

Kind regards,
Don Sanders
_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
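The design Don's forwarded mail argues for, as an added example that is not part of the thread and not QMF's or Accounts&SSO's own code: CRAM-MD5 (RFC 2195) is a challenge/response mechanism, so the keyed digest can be computed by a separate credential holder and the mail client only ever handles the challenge and the response. The `CredentialHolder` class is a hypothetical stand-in for the "secure process" the mail mentions, the usernames, passwords and host name are constructed sample values, and the server side is included so the exchange can be verified end to end offline.

```python
import base64
import hashlib
import hmac
import secrets
import time


class CredentialHolder:
    """Hypothetical stand-in for the secure credential process / Accounts&SSO
    identity. It is the only object that holds the password; callers receive
    challenge responses, never the secret itself."""

    def __init__(self, username: str, password: str) -> None:
        self._username = username
        self._password = password.encode()

    def cram_md5_response(self, challenge: bytes) -> bytes:
        # RFC 2195: response = "<username> <hex(HMAC-MD5(key=password, challenge))>"
        digest = hmac.new(self._password, challenge, hashlib.md5).hexdigest()
        return f"{self._username} {digest}".encode()


def client_answer(holder: CredentialHolder, b64_challenge: str) -> str:
    """Mail-client side (the messageserver role): it sees only the base64
    challenge from the server and the base64 response it sends back."""
    challenge = base64.b64decode(b64_challenge)
    return base64.b64encode(holder.cram_md5_response(challenge)).decode("ascii")


def server_challenge(host: str = "mail.example.invalid") -> bytes:
    """Server side: a fresh, unpredictable challenge for each authentication."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>".encode()


def server_verify(b64_response: str, challenge: bytes, lookup_password) -> bool:
    """Server side: recompute the keyed digest and compare it in constant time.
    Malformed input is rejected rather than raising."""
    try:
        decoded = base64.b64decode(b64_response).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    username, _, digest = decoded.partition(" ")
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def rfc2195_example() -> str:
    """The worked example from RFC 2195: user "tim", password
    "tanstaaftanstaaf", and the server challenge given in the RFC."""
    holder = CredentialHolder("tim", "tanstaaftanstaaf")
    b64_challenge = base64.b64encode(
        b"<1896.697170952@postoffice.reston.mci.net>").decode("ascii")
    return base64.b64decode(client_answer(holder, b64_challenge)).decode("ascii")


def run_exchange(password_on_client: str, password_on_server: str) -> bool:
    """Full exchange with constructed sample credentials; returns whether the
    server accepts. Note that client_answer() never touches the password."""
    holder = CredentialHolder("alice", password_on_client)
    challenge = server_challenge()
    response = client_answer(holder, base64.b64encode(challenge).decode("ascii"))
    users = {"alice": password_on_server}  # constructed server-side store
    return server_verify(response, challenge, users.get)


if __name__ == "__main__":
    print(rfc2195_example())
    print(run_exchange("correct horse", "correct horse"))
    print(run_exchange("correct horse", "wrong"))
```

Two caveats a practitioner would want: the split keeps the password out of the mail client and off the wire, but the server must still hold the plaintext-equivalent secret to recompute the HMAC, and CRAM-MD5 on its own does not protect the mail session, so it complements TLS rather than replacing it. For servers that only offer LOGIN/PLAIN, the client has to send the password itself, which is exactly why the last paragraph of the mail says the separation is not so simple there.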
