| Summary: | IMAP password is not saved | ||
|---|---|---|---|
| Product: | [Applications] trojita | Reporter: | Jono Bacon <jono> |
| Component: | Ubuntu | Assignee: | trojita-ubuntu-bugs |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | dpniel, trojita-bugs |
| Priority: | NOR | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Platform: | unspecified | ||
| OS: | Linux | ||
| Latest Commit: | http://commits.kde.org/trojita/3e54d6c527ada1d4de2832cc618dd0e44e6e01b5 | Version Fixed In: | |
|
Description
Jono Bacon
2014-04-02 22:57:48 UTC
Hi Jono, that's pretty much expected at this point. There's some upcoming work for merging the last year's GSoC results, and part of them are plugins for saving passwords in some secure storage. Is there some Ubuntu-specific backend for password storage which can be used? I'm very strongly against saving passwords on disk in cleartext. I can think of a couple of ways we can secure the password by either using 1) The Ubuntu.OnlineAccounts provider, which i believe mzanetti is going to be looking into ( see http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/) 2) storing the password with SHA1 encryption in a U1DB document. ( for reference Nekelesh used this in his flash back app http://bazaar.launchpad.net/~cliffhanger-dev/cliffhanger/trunk/view/head:/backend/sha1.js) My opinion is to go for online accounts, but i don't know how difficult that currently would be to implement (In reply to comment #2) > 2) storing the password with SHA1 encryption Nope, hashing != encryption. An IMAP client needs the actual plaintext of a password in a general case. You cannot get around that requirement by any creative use of hashing, sorry. On Thu Apr 3 09:10:42 2014 Dan Chapman wrote: > I can think of a couple of ways we can secure the password by either > using > > 1) The Ubuntu.OnlineAccounts provider, which i believe mzanetti is going > to be looking into ( see > http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/) > Is not Ubuntu using gnome-keyring for secure password storage? > 2) storing the password with SHA1 encryption in a U1DB document. ( for > reference Nekelesh used this in his flash back app > http://bazaar.launchpad.net/~cliffhanger-dev/cliffhanger/trunk/view/head:/backend/sha1.js) > I think that you should use some native platform way for secure password storing and not invening something new (which can be insecure). Maybe we can provide some trojita password plugin for securely storing password (e.g encrypted with master password) on platforms where is no native password storage... > My opinion is to go for online accounts, but i don't know how difficult > that currently would be to implement > You can look at trojita password plugin interface header file what is needed for implementing new password plugin: https://projects.kde.org/projects/extragear/pim/trojita/repository/revisions/master/entry/src/Plugins/PasswordPlugin.h Note that trojita could not use password plugins yet (I need to rebase and maybe modify my patches for it). (In reply to comment #4) > On Thu Apr 3 09:10:42 2014 Dan Chapman wrote: > > I can think of a couple of ways we can secure the password by either > > using > > > > 1) The Ubuntu.OnlineAccounts provider, which i believe mzanetti is going > > to be looking into ( see > > http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/) > > > > Is not Ubuntu using gnome-keyring for secure password storage? Only on Ubuntu desktop, as far as i know phone and tablet don't have access to any system resources other than what's available via the sdk api or has been built into the application. > > Maybe we can provide some trojita password plugin for securely storing > password (e.g encrypted with master password) on platforms where is no > native password storage... > > > My opinion is to go for online accounts, but i don't know how difficult > > that currently would be to implement > > > > You can look at trojita password plugin interface header file what is needed > for implementing new password plugin: > > https://projects.kde.org/projects/extragear/pim/trojita/repository/revisions/ > master/entry/src/Plugins/PasswordPlugin.h > > Note that trojita could not use password plugins yet (I need to rebase and > maybe modify my patches for it). I think this might be the best solution atm unless, we can create a generic IMAP/SMTP plugin for online accounts similar to that found in GNOME desktop's online-accounts. But that may take a huge chunk of work to implement since i believe on oauth services are supported through the accounts provider Some more info on the Accounts provider https://wiki.ubuntu.com/OnlineAccounts https://docs.google.com/document/d/1UwAQTXgEyZSD3di6fAUS0W18rKxh8TXb1TwsmkgbGG0/edit#heading=h.2s0rnc8nwg9k This may raise some issues though, if say the user wants to use there gmail account which would result in possibly using XOAUTH2 for authentication, which I don't even know is currently possible in trojita. I believe that Online Accounts is the right way to go here. This way you authenticate via Online Accounts and different services can be exposed there. So, for example, I authenticate with Google in Online Accounts and then I would tap Mail and Calendar as services I want to consume and Trojita and the Calendar app will receive content from that account. This will work across all Ubuntu devices. Also, API docs are at http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/ Git commit 3e54d6c527ada1d4de2832cc618dd0e44e6e01b5 by Dan Chapman. Committed on 28/05/2014 at 15:27. Pushed by jkt into branch 'master'. Ubuntu: Implements PasswordWatcher for imap access Now uses the passwordWatcher. When authRequest signal is received it either auto connects or if no password saved ask user to enter password. REVIEW: 118130 Related: bug 333965 Removed using an anonymous function to call a reloadPassword slot M +1 -1 CMakeLists.txt M +3 -0 src/Ubuntu/main.cpp M +21 -4 src/Ubuntu/qml/trojita/ImapSettings.qml M +10 -2 src/Ubuntu/qml/trojita/InfoDialog.qml M +48 -16 src/Ubuntu/qml/trojita/SettingsTabs.qml M +14 -2 src/Ubuntu/qml/trojita/main.qml http://commits.kde.org/trojita/3e54d6c527ada1d4de2832cc618dd0e44e6e01b5 |