Hi Alessandro,
To be honest - I don't know much about this single sign-on on Windows. I
just noticed that with some software, one doesn't have to log in a second
time. One login into the Windows system is enough and the other software
can - somehow (I don't know how) - authenticate the user from the
Windows login, without a second log-in. But I don't know how that works.
It is not super important, but would be somehow convenient, if it
doesn't sacrifice security. Maybe it isn't possible at all.
Andreas
On 20.11.19 at 17:24, Alessandro Pasotti wrote:
On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <[email protected]> wrote:
Hi Jürgen,
I wouldn't know how this works. When I create a new PG connection,
it forces me to add a username and password. I can't create a new
connection without specifying one. Even if the Windows password
manager already knows my windows credentials, which are the same
as the PG credentials. As a "stupid user" I would either expect:
- not being asked for credentials (means that QGIS would
automagically forward the Windows credentials)
What if your DNS has been poisoned to hit evil.hacker.com
instead? Would you still want your
credentials to be automatically sent?
- or when creating a new auth-conf, having a choice like "use
windows credentials" and then not being asked for
username/password, because QGIS already knows it from Windows.
I don't get this point: when you enter your credentials in the OS
wallet (password manager) it does not leak them to QGIS, or that would
be another huge security hole.
But maybe I am just not correctly handling it.
The one thing I noticed is that the Windows password manager
automatically loads the master password of the QGIS password
manager. So that one seems to work.
That's the currently supported way to manage credentials: you store
them into the encrypted QGIS auth DB and (optionally) store the master
password in your OS wallet.
In any event, the QGIS auth system is plugin based (C++ plugins) and
other/custom auth methods could be developed if needed.
Cheers
--
Alessandro Pasotti
w3: www.itopen.it
_______________________________________________
QGIS-Developer mailing list
[email protected]
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer