Mining Bits and Knowledge
Bending Gnome Keyring with Python – Part 1
17/03/10
 |
Este post também está disponível em Português |
In the last days, I was working in Tiamat and faced the need to store SSH and Telnet passwords. I don’t even hesitated, one name came to my mind: Gnome Keyring. It’s easy, it’s secure and have Python binding, what was missing?! Know how to use it. Before we start bending, I’d like to discuss a little about how some applications store your passwords.
It’s common to find applications that stores passwords “incorrectly” and “insecurely”. It’s easy to find IM (Internet Messengers), e-mail and other clients that stores the user’s password in a hidden config file in the user’s home. Isn’t hard to find out that the passwords are in plain text. Some times this password config file receives a “little protection”, it’s applied a password to the password. This means that the password is obfuscated with a reversible algorithm by a “master password”. This isn’t correct! It gives us the felling of false security, they seem to be encrypted but aren’t! With a little brutal force is possible to unveil the user’s passwords.
A perfect example is Pidgin. The famous IM client stores your password at /home/<username>/.purple/accounts.xml. Don’t believe me?! Look here. Still don’t believe yeah? The pidgin development team spoke about it here. Let me quote the first paragraph:
Bending Gnome Keyring with Python – Part 2
20/03/10
|
Este post também está disponível em Português |
In the last post we started introducing how the Gnome Keyring works. I showed how to create a keyring and its items using Seahorse, now I’m going to show how to do it using Python. In order to interact with Gnome Keyring from Python we need python-gnomekeyring installed. Let’s start bending…
Exploring Gnome Keyring
As a first step, I’ll show how to “explore” Gnome Keyring. A good start is ensure that the Gnome keyring Daemon is available using the is_available method. To search through existing keyrings we can use the list_keyring_names_sync method. If you test this from a Python Console you will notice an recurrent warning “g_set_application_name not set”, an example:
>>> import gnomekeyring as gk >>> gk.list_keyring_names_sync() ** (process:1737): WARNING **: g_set_application_name not set. ['login', 'MyKeyring', 'session'] >>>
This happens because the daemon requests information about which application is trying to access the Gnome Keyring info and as a Python Console we don’t have any application name. To solve this, we can import the gobject library and use the method set_application_name. Below, there is a simple keyring listing example:
Bending Gnome Keyring with Python – Part 3
24/03/10
|
Este post também está disponível em Português |
In the last post I’ve shown how to create keyrings using python and mentioned a slightly difference from the “seahorse password storing process”. Well, it happens that, when we start to dig this difference isn’t so small. Using seahorse every keyring item is created with the “Update if Exists” flag as False, so you can create identical keyring items. This is not a safe approach and can result in an inconsistent keyring. But as we use the “Update if Exists” flag set as True, something unexpected happens:
#!/usr/bin/env python
import gnomekeyring as gk
import glib
APP_NAME = 'MyApp'
KEYRING_NAME = 'MyKeyring'
glib.set_application_name(APP_NAME)
keyrings = gk.list_keyring_names_sync()
# If this keyring already exist, let's remove it
if KEYRING_NAME in keyrings:
# Gnome Keyring Daemon may ask for a password here
gk.delete_sync(KEYRING_NAME)
# If anyone asks, the password is 'mypasswd'
gk.create_sync(KEYRING_NAME, 'mypasswd')
id = gk.item_create_sync(KEYRING_NAME, gk.ITEM_GENERIC_SECRET, 'magnun@Neptune:22', {'application':APP_NAME}, 'passwd', True)
print 'New host added (key=%i)'%(key)
id = gk.item_create_sync(KEYRING_NAME, gk.ITEM_GENERIC_SECRET, 'guest@Neptune:22', {'application':APP_NAME}, 'passwd', True)
print 'New host added (key=%i)'%(key)
id = gk.item_create_sync(KEYRING_NAME, gk.ITEM_GENERIC_SECRET, 'magnun@Jupiter:22', {'application':APP_NAME}, 'passwd', True)
print 'New host added (id=%i)'%(id)
Save this as my_keyring_creator.py and run it.
Bending Gnome Keyring with Python – Part 4
31/03/10
|
Este post também está disponível em Português |
Keeping the last subject, today I’ll write a little about the Gnome Keyring security. As presented in the last post, the Gnome Keyring is responsible for storing users sensitive information in encrypted databases called keyrings. I’ve shown how to create an Keyring and store some secrets. But now I ask, are those information secure? They may be or not, it’s up to you.
There is a recurrent discussion about the Gnome Keyring behavior. When we log on, the Session Manager unlock the default keyring with your logon password to prevent many popups asking the user if they wan’t to grant access to a certain application. Many people may say this is a security flaw, I don’t totally agree. Gnome Keyring also uses the application name to ensure the permission. Let’s see an example. I’ll suppose we’re developing an certain application called ‘MyApp’ and it will create a simple keyring. The following snippet would do the trick:
Bending Gnome Keyring with Python – Part 5
14/05/10
|
Este post também está disponível em Português |
Following the last line from my preview post, there is a secure flaw in the Gnome Keyring. Hopefully there is a security mechanism that brings us some peace. The Gnome Keyring API (ligbnome-keyring) give us a way to lock an specific keyring using the following methods: set_lock_on_idle and set_lock_timeout.
According to the libgnome-keyring API documentation (only available in C) the set_lock_on_idle method receives a boolean value (True of False), which define if the defined keyring should or shouldn’t be locked when idle. The set_lock_timeout method defines after how many seconds the keyring should be considered idle. Since I couldn’t find any usage example and I couldn’t get any help with the community/developers I assumed that the correct usage for this method should be something like this:
Bending Gnome Keyring with Python – Part 6
27/05/10
|
Este post também está disponível em Português |
Following my last post lines, I’ll show today how we can implement a wrapper class to “control” the Gnome Keyring. This isn’t the most secure way, since we store the keyring password in a variable. But is better then let your keyring open for all other applications.
First we need to create a class that creates a “Keyring Manager”, responsible for:
- consulting the existing keyrings;
- create keyrings;
- delete keyrings;
- set the default keyring;
- lock all keyrings.
Secondly, we need a wrapper for the Keyring. Since the keyring has many features and is not my intention to wrap all those I’ll just show the essentials. My keyring wrapper is able to:
- lock the keyring;
- unlock the keyring;
- show if the keyring is locked
- list it’s item ids;
- give access to the GnomeKeyringInfo;
- change the keyring password;
- list the keyring’s item attributes;
- show the keyring’s item secret.
Bending Gnome Keyring with Python – Part 7
02/06/10
|
Este post também está disponível em Português |
In a couple of posts ago I talked about two ways to solve a Gnome Keyring issue in Python. The fist way (demonstrated here), was to create o simple class that wraps the libgnome-keyring and in each request it lock and unlock the Gnome Keyring. It wasn’t perfect and had some security issues but at least kept your Keyring securely locked. The second solution, and also the most elegant, is to create a class that wraps the libgnome-keyring and mimics the idle timeout.
In this post I’ll show an example of implementation. The code presented here is based in my last post code. I just changed a few lines and added a GTK Window that mimics an application. Let’s see the code:
