> Hm... or maybe only the 'password' type fields should be stored in
> keychain and every other form field can be provided on the command
> line? Those ones aren't secret, after all.

Yeah, I agree. Keychain should only fill the password type field.

> We do still need to allow for the fact that there might be multiple
> passwords though (and one day, maybe some saveable and some not, for
> example a password and a separate OTP). But specifying on the command
> line which password(s) to save would be OK, I think?

Yes, that's why I mentioned in my previous email asking the user whether
to save it in Keychain or not, but giving it as an argument would be a
better option.
I knew it because, for my personal usage, the form requires two passwords
and one is for OTP, exactly as you described.
Let me change my patch a little bit more.

> FWIW what I'd *really* like to see is SSL certificate support using the
> keychain...

Looks like GnuTLS has a common API for supporting system key stores;
however, according to their documents, at this moment it only supports
the Windows one.
I think it may not be very difficult to use Keychain to look up
certificates and keys, like what the current `ANDROID_KEYSTORE` does.
Let me try after implementing the above changes for passwords.


Yoshimasa Niwa

openconnect-devel mailing list
