Re: [PATCH] Saving only the group password in keyring
On Tue, 2008-10-21 at 23:53 -0400, Mathieu Trudel-Lapierre wrote:
> Dan,
>
> I finally got something together, following some of the ideas you pointed out. I've also done a slight change to the auth dialog to not show the passwords that are already known in the keyring, unless it's in a reprompt situation (although I haven't been able to test it without manually calling nm-vpnc-auth-dialog...), and to always prompt for a password that is marked as otp although it may already be saved in the keyring.
>
> It's a pretty crude patch, I realize it will need some rework, but if someone could test it out and let me know what parts to look at.. :)
>
> Right now, I really don't think the unused cases work properly, but I'm still looking into it -- I just don't have an easy way to test that case.

Fixed up and committed, thanks!

Dan

> Patch is attached, one gzipped file and one .patch:
> 01-password-types.patch.gz
> 01-vpnc-auth-password-types.patch
>
> / Matt
>
> On Sun, Oct 12, 2008 at 10:04 PM, Dan Williams [EMAIL PROTECTED] wrote:
>> On Sat, 2008-10-11 at 11:22 -0400, Mathieu Trudel-Lapierre wrote:
>>> Dan,
>>>
>>> Actually one other little question. How much use do you think there is for this kind of feature? Do you regularly hear about this, or is it more a user here and there?
>>
>> There are open bug reports for both of these and I've heard about interactive auth mode and hybrid auth support from a number of people. It was certainly on my list to do when I had the time. But hey, if patches show up first... :)
>>
>> Dan
>>
>>> / Matt
>>>
>>> On Thu, Oct 9, 2008 at 12:05 PM, Dan Williams [EMAIL PROTECTED] wrote:
>>>> On Thu, 2008-10-09 at 09:15 -0400, Mathieu Trudel-Lapierre wrote:
>>>>> Hi,
>>>>>
>>>>> First, my apologies for pushing for this, since I believe the interested parties are probably already notified through bugzilla on this...
>>>>
>>>> So the reason this didn't get merged in the first place is that when this is used, the auth dialog looks like ass. Having _3_ buttons there has confused every user I've ever seen, and makes me read things a few times whenever I get the dialog. It's just bad UI. Plus, it's not something you can change in the connection editor out-of-band from authentication.
>>>>
>>>> That's not to say it doesn't fill a need and fix the bug, but the solution is not one I'd like to have upstream. Instead, we need a better solution.
>>>>
>>>> We have two passwords, the user password and the group password. Each password has 3 different types:
>>>>
>>>>              u s e r
>>>>         | static | unused | OTP
>>>>   ------|--------|--------|-----
>>>> g static|   Y    |   Y    |  Y
>>>> r ------|--------|--------|-----
>>>> o unused|   Y    |   X    |  ?
>>>> u ------|--------|--------|-----
>>>> p OTP   |   Y    |   Y    |  ?
>>>>   ------|--------|--------|-----
>>>>
>>>> Legend:
>>>> Y = I've heard of it being used
>>>> X = Pointless
>>>> ? = I don't know if this is used by anyone
>>>>
>>>> The cases where you don't want to save passwords in the keyring are the OTP/RSA and the unused cases. Here's my solution: for each of the group and user password entries, have a small popup menu behind each one in the main config dialog like so:
>>>>
>>>>                 .-------------------.  .-----------.
>>>> User Password:  | i4mvrl1337^%      |  | Default |V|
>>>>                 `-------------------'  `-----------'
>>>>                 .-------------------.  .-----------.
>>>> Group Password: | my-GrOuP-PassWORD |  | Default |V|
>>>>                 `-------------------'  `-----------'
>>>>
>>>> Where the combo box has the following items:
>>>>
>>>> Default (ie, static password that rarely changes)
>>>> Interactive (ie, RSA dongles)
>>>> Unused (ie, no password required and nothing saved to keyring)
>>>>
>>>> It always defaults to Default (ie, static) so most people's configs will work, but you have the option to change it for your config. Note that Interactive authentication can't be used yet anyway because we don't support challenge-based authentication that it requires, which will come after 0.7 when I can rework the VPN cleanup patch I've talked about before, and will require
>>>>
>>>> If somebody came up with the UI patch to do this, that would be awesome and I'd commit it. It would additionally mean adding two keys to the vpnc plugin's GConf data (user-password-type and group-password-type) which would then have to be added to the nm-vpnc-service's validation code and used internally if required, but that's pretty easy. These keys would store the password type (as a string) so that the auth dialog would know when to save which passwords and which password entry widgets to disable/desensitize when the user had selected unused.
>>>>
>>>> Thoughts? Next, we get to add authentication types to the client to support Hybrid Auth mode. Not sure if you can use all the normal Xauth
Re: [PATCH] Saving only the group password in keyring
Dan,

I finally got something together, following some of the ideas you pointed out. I've also done a slight change to the auth dialog to not show the passwords that are already known in the keyring, unless it's in a reprompt situation (although I haven't been able to test it without manually calling nm-vpnc-auth-dialog...), and to always prompt for a password that is marked as otp although it may already be saved in the keyring.

It's a pretty crude patch, I realize it will need some rework, but if someone could test it out and let me know what parts to look at.. :)

Right now, I really don't think the unused cases work properly, but I'm still looking into it -- I just don't have an easy way to test that case.

Patch is attached, one gzipped file and one .patch:
01-password-types.patch.gz
01-vpnc-auth-password-types.patch

/ Matt

On Sun, Oct 12, 2008 at 10:04 PM, Dan Williams [EMAIL PROTECTED] wrote:
> On Sat, 2008-10-11 at 11:22 -0400, Mathieu Trudel-Lapierre wrote:
>> Dan,
>>
>> Actually one other little question. How much use do you think there is for this kind of feature? Do you regularly hear about this, or is it more a user here and there?
>
> There are open bug reports for both of these and I've heard about interactive auth mode and hybrid auth support from a number of people. It was certainly on my list to do when I had the time. But hey, if patches show up first... :)
>
> Dan
>
>> / Matt
>>
>> On Thu, Oct 9, 2008 at 12:05 PM, Dan Williams [EMAIL PROTECTED] wrote:
>>> On Thu, 2008-10-09 at 09:15 -0400, Mathieu Trudel-Lapierre wrote:
>>>> Hi,
>>>>
>>>> First, my apologies for pushing for this, since I believe the interested parties are probably already notified through bugzilla on this...
>>>
>>> So the reason this didn't get merged in the first place is that when this is used, the auth dialog looks like ass. Having _3_ buttons there has confused every user I've ever seen, and makes me read things a few times whenever I get the dialog. It's just bad UI. Plus, it's not something you can change in the connection editor out-of-band from authentication.
>>>
>>> That's not to say it doesn't fill a need and fix the bug, but the solution is not one I'd like to have upstream. Instead, we need a better solution.
>>>
>>> We have two passwords, the user password and the group password. Each password has 3 different types:
>>>
>>>              u s e r
>>>         | static | unused | OTP
>>>   ------|--------|--------|-----
>>> g static|   Y    |   Y    |  Y
>>> r ------|--------|--------|-----
>>> o unused|   Y    |   X    |  ?
>>> u ------|--------|--------|-----
>>> p OTP   |   Y    |   Y    |  ?
>>>   ------|--------|--------|-----
>>>
>>> Legend:
>>> Y = I've heard of it being used
>>> X = Pointless
>>> ? = I don't know if this is used by anyone
>>>
>>> The cases where you don't want to save passwords in the keyring are the OTP/RSA and the unused cases. Here's my solution: for each of the group and user password entries, have a small popup menu behind each one in the main config dialog like so:
>>>
>>>                 .-------------------.  .-----------.
>>> User Password:  | i4mvrl1337^%      |  | Default |V|
>>>                 `-------------------'  `-----------'
>>>                 .-------------------.  .-----------.
>>> Group Password: | my-GrOuP-PassWORD |  | Default |V|
>>>                 `-------------------'  `-----------'
>>>
>>> Where the combo box has the following items:
>>>
>>> Default (ie, static password that rarely changes)
>>> Interactive (ie, RSA dongles)
>>> Unused (ie, no password required and nothing saved to keyring)
>>>
>>> It always defaults to Default (ie, static) so most people's configs will work, but you have the option to change it for your config. Note that Interactive authentication can't be used yet anyway because we don't support challenge-based authentication that it requires, which will come after 0.7 when I can rework the VPN cleanup patch I've talked about before, and will require
>>>
>>> If somebody came up with the UI patch to do this, that would be awesome and I'd commit it. It would additionally mean adding two keys to the vpnc plugin's GConf data (user-password-type and group-password-type) which would then have to be added to the nm-vpnc-service's validation code and used internally if required, but that's pretty easy. These keys would store the password type (as a string) so that the auth dialog would know when to save which passwords and which password entry widgets to disable/desensitize when the user had selected unused.
>>>
>>> Thoughts? Next, we get to add authentication types to the client to support Hybrid Auth mode. Not sure if you can use all the normal Xauth stuff (like interactive) with the hybrid auth mode as well, but I have to assume you can.
>>>
>>> Dan

--
Mathieu Trudel
[EMAIL PROTECTED]

01-password-types.patch.gz
Description: GNU Zip compressed data
[PATCH] Saving only the group password in keyring
Hi, First, my apologies for pushing for this, since I believe the interested parties are probably already notified through bugzilla on this... Anyway, regarding bugzilla #363918 (http://bugzilla.gnome.org/show_bug.cgi?id=363918) Only save group password in keyring for the VPNC plugin to NetworkManager; I looked at Denis Leroy's initial patch submission, and also at the updated patch that was posted for Fedora 8, and I've tried to apply the same concepts and fixes to fix the problem in Ubuntu, since moving from 0.6.x to 0.7 the previous patches couldn't be applied. I've attached my results. I'm taking much of the code changes that initially came from Denis' patch, with some additional changes I had to come up with to the get_secrets function, and two new functions in keyring-helpers to allow retrieving, independently, the user password or the group password from the keyring. The patch was initially written against a svn snapshot from September 28th (coming from the Ubuntu package done by Alexander Sack), so I did check against a snapshot from today and the patch seems to apply cleanly (with -p1). I couldn't actually test it on the recent snapshot, I seem to constantly have trouble understanding how to build NetworkManager from SVN :) This is the exact same patch attached to bug 363918. Thanks, -- diff -Nur -x '*.orig' -x '*~' network-manager-vpnc-0.7~~svn20080928t225540/auth-dialog/gnome-two-password-dialog.c network-manager-vpnc-0.7~~svn20080928t225540.new/auth-dialog/gnome-two-password-dialog.c --- network-manager-vpnc-0.7~~svn20080928t225540/auth-dialog/gnome-two-password-dialog.c 2008-09-29 16:42:05.0 -0400 +++ network-manager-vpnc-0.7~~svn20080928t225540.new/auth-dialog/gnome-two-password-dialog.c 2008-10-07 23:28:46.0 -0400 @@ -70,6 +70,7 @@ GtkWidget *remember_session_button; GtkWidget *remember_forever_button; + GtkWidget *remember_group_forever_button; GtkWidget *radio_vbox; GtkWidget *connect_with_no_userpass_button; 
@@ -466,11 +467,15 @@ gtk_check_button_new_with_mnemonic (_(_Remember passwords for this session)); password_dialog-details-remember_forever_button = gtk_check_button_new_with_mnemonic (_(_Save passwords in keyring)); + password_dialog-details-remember_group_forever_button = + gtk_check_button_new_with_mnemonic (_(Sa_ve group password in keyring)); gtk_box_pack_start (GTK_BOX (vbox), password_dialog-details-remember_session_button, FALSE, FALSE, 0); gtk_box_pack_start (GTK_BOX (vbox), password_dialog-details-remember_forever_button, FALSE, FALSE, 0); + gtk_box_pack_start (GTK_BOX (vbox), password_dialog-details-remember_group_forever_button, + FALSE, FALSE, 0); gnome_two_password_dialog_set_username (password_dialog, username); gnome_two_password_dialog_set_password (password_dialog, password); @@ -689,9 +694,11 @@ if (show_remember) { gtk_widget_show (password_dialog-details-remember_session_button); gtk_widget_show (password_dialog-details-remember_forever_button); + gtk_widget_show (password_dialog-details-remember_group_forever_button); } else { gtk_widget_hide (password_dialog-details-remember_session_button); gtk_widget_hide (password_dialog-details-remember_forever_button); + gtk_widget_hide (password_dialog-details-remember_group_forever_button); } } 
@@ -699,30 +706,38 @@ gnome_two_password_dialog_set_remember (GnomeTwoPasswordDialog *password_dialog, GnomeTwoPasswordDialogRemember remember) { - gboolean session, forever; + gboolean session, forever, group; session = FALSE; forever = FALSE; + group = FALSE; if (remember == GNOME_TWO_PASSWORD_DIALOG_REMEMBER_SESSION) { session = TRUE; } else if (remember == GNOME_TWO_PASSWORD_DIALOG_REMEMBER_FOREVER){ forever = TRUE; + } else if (remember == GNOME_TWO_PASSWORD_DIALOG_REMEMBER_GROUP){ + group = TRUE; } gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (password_dialog-details-remember_session_button), session); gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (password_dialog-details-remember_forever_button), forever); + gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (password_dialog-details-remember_group_forever_button), + group); } GnomeTwoPasswordDialogRemember gnome_two_password_dialog_get_remember (GnomeTwoPasswordDialog *password_dialog) { - gboolean session, forever; + gboolean session, forever, group; session =
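Review bot: In the hunk at @@ -466,11 +467,15 @@ the new remember_group_forever_button is created with gtk_check_button_new_with_mnemonic, so it can be ticked at the same time as "_Save passwords in keyring", while gnome_two_password_dialog_set_remember further down treats session, forever and group as mutually exclusive in a single if / else if chain. Either make the three options a radio group or define and document which one wins when both keyring boxes are active; otherwise which password ends up stored permanently depends on a precedence the user cannot see in the dialog.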
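Review bot: GNOME_TWO_PASSWORD_DIALOG_REMEMBER_GROUP in the @@ -699,30 +706,38 @@ hunk needs a comment saying what happens to the user password in that mode (kept for the session or discarded), since the name only says that the group password is saved. The lines shown here also do not include the definition of the new enum value, so check that the header change is part of the same patch and documents the value next to REMEMBER_SESSION and REMEMBER_FOREVER.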
Re: [PATCH] Saving only the group password in keyring
On Thu, 2008-10-09 at 09:15 -0400, Mathieu Trudel-Lapierre wrote:
> Hi,
>
> First, my apologies for pushing for this, since I believe the interested parties are probably already notified through bugzilla on this...

So the reason this didn't get merged in the first place is that when this is used, the auth dialog looks like ass. Having _3_ buttons there has confused every user I've ever seen, and makes me read things a few times whenever I get the dialog. It's just bad UI. Plus, it's not something you can change in the connection editor out-of-band from authentication.

That's not to say it doesn't fill a need and fix the bug, but the solution is not one I'd like to have upstream. Instead, we need a better solution.

We have two passwords, the user password and the group password. Each password has 3 different types:

             u s e r
        | static | unused | OTP
  ------|--------|--------|-----
g static|   Y    |   Y    |  Y
r ------|--------|--------|-----
o unused|   Y    |   X    |  ?
u ------|--------|--------|-----
p OTP   |   Y    |   Y    |  ?
  ------|--------|--------|-----

Legend:
Y = I've heard of it being used
X = Pointless
? = I don't know if this is used by anyone

The cases where you don't want to save passwords in the keyring are the OTP/RSA and the unused cases. Here's my solution: for each of the group and user password entries, have a small popup menu behind each one in the main config dialog like so:

                .-------------------.  .-----------.
User Password:  | i4mvrl1337^%      |  | Default |V|
                `-------------------'  `-----------'
                .-------------------.  .-----------.
Group Password: | my-GrOuP-PassWORD |  | Default |V|
                `-------------------'  `-----------'

Where the combo box has the following items:

Default (ie, static password that rarely changes)
Interactive (ie, RSA dongles)
Unused (ie, no password required and nothing saved to keyring)

It always defaults to Default (ie, static) so most people's configs will work, but you have the option to change it for your config. Note that Interactive authentication can't be used yet anyway because we don't support challenge-based authentication that it requires, which will come after 0.7 when I can rework the VPN cleanup patch I've talked about before, and will require

If somebody came up with the UI patch to do this, that would be awesome and I'd commit it. It would additionally mean adding two keys to the vpnc plugin's GConf data (user-password-type and group-password-type) which would then have to be added to the nm-vpnc-service's validation code and used internally if required, but that's pretty easy. These keys would store the password type (as a string) so that the auth dialog would know when to save which passwords and which password entry widgets to disable/desensitize when the user had selected unused.

Thoughts? Next, we get to add authentication types to the client to support Hybrid Auth mode. Not sure if you can use all the normal Xauth stuff (like interactive) with the hybrid auth mode as well, but I have to assume you can.

Dan

___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
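The save/prompt rules discussed in this thread (the three password types proposed above, plus the dialog behaviour described in the follow-up patch mail: hide passwords already in the keyring unless reprompting, always ask for an OTP), written out as an added example that is not part of the original messages or of the NetworkManager code. The type strings "default", "interactive" and "unused", all function and field names, the fail-closed handling of unknown values and the purge flag are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The three password types offered by the proposed combo box. */
typedef enum { PW_STATIC, PW_INTERACTIVE, PW_UNUSED, PW_INVALID } PwType;

/* What the auth dialog does with one password entry. */
typedef struct {
    bool sensitive;   /* entry widget is enabled */
    bool prompt;      /* user has to type the value now */
    bool use_stored;  /* value is taken from the keyring */
    bool save;        /* typed value may be written to the keyring */
    bool purge;       /* stale keyring item should be deleted (added hardening) */
} PwAction;

/* Parse a user-password-type / group-password-type value. The strings are
 * assumptions; a missing key means Default so existing configs keep working. */
PwType pw_type_parse(const char *s)
{
    if (s == NULL || strcmp(s, "default") == 0) return PW_STATIC;
    if (strcmp(s, "interactive") == 0) return PW_INTERACTIVE;
    if (strcmp(s, "unused") == 0) return PW_UNUSED;
    return PW_INVALID;  /* the service's validation should reject this */
}

PwAction pw_decide(PwType type, bool in_keyring, bool reprompt, bool want_save)
{
    PwAction a = { false, false, false, false, false };

    switch (type) {
    case PW_STATIC:
        a.sensitive = true;
        a.use_stored = in_keyring && !reprompt;  /* hide known passwords */
        a.prompt = !a.use_stored;
        a.save = a.prompt && want_save;
        break;
    case PW_INTERACTIVE:
    case PW_INVALID:      /* fail closed: ask, but never persist */
        a.sensitive = true;
        a.prompt = true;  /* OTP: always ask, even if a value was saved */
        a.purge = in_keyring;
        break;
    case PW_UNUSED:       /* entry disabled, nothing saved */
        a.purge = in_keyring;
        break;
    }
    return a;
}

int main(void)
{
    const char *cfg[] = { NULL, "default", "interactive", "unused", "otp" };
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        PwAction a = pw_decide(pw_type_parse(cfg[i]), true, false, true);
        printf("%-12s prompt=%d use_stored=%d save=%d purge=%d\n",
               cfg[i] ? cfg[i] : "(unset)", a.prompt, a.use_stored, a.save, a.purge);
    }
    return 0;
}
```

The purge flag covers a connection that was switched from Default to Interactive or Unused after a password had already been stored, so the old keyring item does not outlive the setting.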
Re: [PATCH] Saving only the group password in keyring
I wasn't aware of the confusing factor of having that specific checkbox on the auth dialog, although I have to admit the difference between the session keyring and the permanent one of the two checkboxes that are already there did throw me off a bit.

I'll see if I can put something together to implement your solution. It does sound like a pretty good idea to me, especially since that could also have the potential of requesting only the OTP passwords where necessary.

/ Matt

On Thu, Oct 9, 2008 at 12:05 PM, Dan Williams [EMAIL PROTECTED] wrote:
> On Thu, 2008-10-09 at 09:15 -0400, Mathieu Trudel-Lapierre wrote:
>> Hi,
>>
>> First, my apologies for pushing for this, since I believe the interested parties are probably already notified through bugzilla on this...
>
> So the reason this didn't get merged in the first place is that when this is used, the auth dialog looks like ass. Having _3_ buttons there has confused every user I've ever seen, and makes me read things a few times whenever I get the dialog. It's just bad UI. Plus, it's not something you can change in the connection editor out-of-band from authentication.
>
> That's not to say it doesn't fill a need and fix the bug, but the solution is not one I'd like to have upstream. Instead, we need a better solution.
>
> We have two passwords, the user password and the group password. Each password has 3 different types:
>
>              u s e r
>         | static | unused | OTP
>   ------|--------|--------|-----
> g static|   Y    |   Y    |  Y
> r ------|--------|--------|-----
> o unused|   Y    |   X    |  ?
> u ------|--------|--------|-----
> p OTP   |   Y    |   Y    |  ?
>   ------|--------|--------|-----
>
> Legend:
> Y = I've heard of it being used
> X = Pointless
> ? = I don't know if this is used by anyone
>
> The cases where you don't want to save passwords in the keyring are the OTP/RSA and the unused cases. Here's my solution: for each of the group and user password entries, have a small popup menu behind each one in the main config dialog like so:
>
>                 .-------------------.  .-----------.
> User Password:  | i4mvrl1337^%      |  | Default |V|
>                 `-------------------'  `-----------'
>                 .-------------------.  .-----------.
> Group Password: | my-GrOuP-PassWORD |  | Default |V|
>                 `-------------------'  `-----------'
>
> Where the combo box has the following items:
>
> Default (ie, static password that rarely changes)
> Interactive (ie, RSA dongles)
> Unused (ie, no password required and nothing saved to keyring)
>
> It always defaults to Default (ie, static) so most people's configs will work, but you have the option to change it for your config. Note that Interactive authentication can't be used yet anyway because we don't support challenge-based authentication that it requires, which will come after 0.7 when I can rework the VPN cleanup patch I've talked about before, and will require
>
> If somebody came up with the UI patch to do this, that would be awesome and I'd commit it. It would additionally mean adding two keys to the vpnc plugin's GConf data (user-password-type and group-password-type) which would then have to be added to the nm-vpnc-service's validation code and used internally if required, but that's pretty easy. These keys would store the password type (as a string) so that the auth dialog would know when to save which passwords and which password entry widgets to disable/desensitize when the user had selected unused.
>
> Thoughts? Next, we get to add authentication types to the client to support Hybrid Auth mode. Not sure if you can use all the normal Xauth stuff (like interactive) with the hybrid auth mode as well, but I have to assume you can.
>
> Dan