Bug 94311

Summary: Use Kde password Wallet for keeping Nickserv's "identify" password's
Product: [Applications] konversation
Reporter: Loic Jaquemet <loic.jaquemet>
Component: general
Assignee: Konversation Developers <konversation-devel>
Status: CONFIRMED ---
Severity: wishlist
CC: andrius, bjorn.bidar, bluedzins, EagleScreen, feth, hein, jmillan, kde, kde, loic, mariano.mollo, niels_ole, opensource, public, rjvbertin, tl, victor.stinner, zorael
Priority: NOR    
Version: 0.15   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Attachments: Use kwallet for storing passwords
Ask for password if bot is defined but password is not.

Description Loic Jaquemet 2004-12-03 08:23:51 UTC
Version:           0.15 (using KDE KDE 3.3.1)
Installed from:    Debian testing/unstable Packages
OS:                Linux

Several IRC networks (freenode for one) use services like Nickserv or Chanserv to manage user nicks and channels.
Authentication is made through the use of a password, identifying a user for a nick, a user for a channel's founder ...

In any case, there's always been a security issue raised by the use of those nickserv and chanserv commands (typing " /nickserv identify mypass" instead of "/nickserv identify mypass", for example).
As this is a password, associated with a nickname/user, it might be really interesting to use the kdewalletmanager (I'm not sure here?) to keep the user/password, and to use it "inline" with little user interaction.

This should be an optional choice in a server's (network?) configuration. Something like:
[X] Auto-identify on connection using kde wallet

with some degree of configuration for the identifying command maybe (not all nick services are named nickserv ...)
Comment 1 illogic-al 2004-12-07 12:22:22 UTC
We can already auto-identify in konversation. The option can be found in File -> Identities.
Comment 2 Ismail Donmez 2004-12-13 09:49:34 UTC
Ok so what you want is protecting password using KWallet?
Comment 3 Loic Jaquemet 2004-12-14 10:31:03 UTC
It's more about using Kwallet to keep services' passwords ...
Comment 4 Loic Pefferkorn 2005-11-02 18:09:28 UTC
I'm working on it :)
Comment 5 Peter Simonsson 2006-07-13 13:04:26 UTC
*** Bug 130762 has been marked as a duplicate of this bug. ***
Comment 6 Michael Skiba 2008-12-17 16:42:21 UTC
Is someone still working on it? (the status should be changed to assigned then)
Comment 7 Eike Hein 2009-07-30 14:55:01 UTC
#6: Not that I know of.
Comment 8 argonel 2010-06-11 17:18:53 UTC
*** Bug 241438 has been marked as a duplicate of this bug. ***
Comment 9 José Millán Soto 2010-06-20 13:58:05 UTC
Created attachment 48160
Use kwallet for storing passwords

Hi,
This patch adds two methods to the Application class: readPassword and writePassword.
Application::writePassword tries to write a password in a wallet if KWallet is available. If not, the user is asked if he wants the password to be stored in the config file.
Application::readPassword will obtain the password from the wallet if it was stored using writePassword and the wallet is available. If not, it will obtain the password from the config file.
This patch also makes identities, servers and channels passwords be stored and read using readPassword and writePassword, so KWallet is used if available.
Comment 10 José Millán Soto 2010-06-20 14:05:15 UTC
Created attachment 48161
Ask for password if bot is defined but password is not.

This patch may also be committed after the previous one.
This patch will make konversation ask for the identity password if a bot is set but the password is not.
This would be a strange case before kwallet is used, but may happen now if the password was first stored in a wallet which is not available now.
Comment 11 Eike Hein 2010-06-20 19:31:52 UTC
Thanks! Unfortunately time is a bit tight today, but I hope to get around to reviewing/merging this on Monday or Tuesday.
Comment 12 Eike Hein 2010-06-22 22:37:01 UTC
Three comments:

1) I don't think Application::writePassword() should do configGroup.writeEntry("PasswordInWallet", false) before you actually determine that you're going to write a password to the config file. It's unnecessary data when the value ends up being "", and the "false" default fallback value in readPassword() will catch the empty case anyway. It also means that if the user cancels the dialog asking him whether he wants to store the password insecurely, Konversation will go look in the insecure config file next time anyway, even though kwalletd may be available again, and with it the password stored there.

2) Please remove m_alwaysStorePass and m_askedIfStorePass and instead use KMessageBox. KMessageBox provides a standard "Don't ask again" checkbox. And please integrate it with config/warnings_config.cpp so the user can reenable it in the config dialog. However, you want to make sure that the user is only asked once per saveOptions() run, so the code would have to do something like this: After the first time the dialog is shown, check whether the user has set it to "Don't ask again". If he hasn't, make note of that, but override the pref not to ask anyway. Then at the end of saveOptions(), reset it to ask again next time (unless the user did that anyway, then obviously not).

3) Please follow the coding style of the surrounding code, i.e. put opening braces ({) on their own line.
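
The ordering asked for in point 1 of comment 12, as an added example that is not the attached patch or Konversation code: the `PasswordInWallet` flag is set to false only once the plain-text fallback is actually taken, so a cancelled dialog leaves the wallet reference intact. `Wallet`, `ConfigGroup`, the `Password` key and the `userAllowsPlaintext` parameter are hypothetical stand-ins for KWallet, the config group and the dialog answer; only `PasswordInWallet`, `readPassword` and `writePassword` are names from the thread.

```cpp
#include <map>
#include <string>

// Hypothetical stand-ins for the KWallet wallet and an identity's config group.
struct Wallet
{
    bool available = true;                        // false models kwalletd not running
    std::map<std::string, std::string> entries;
};
using ConfigGroup = std::map<std::string, std::string>;

enum class Stored { InWallet, InConfig, Nowhere };

// userAllowsPlaintext models the answer to the "store insecurely?" dialog.
Stored writePassword(ConfigGroup &cfg, Wallet &wallet, const std::string &id,
                     const std::string &password, bool userAllowsPlaintext)
{
    if (wallet.available)
    {
        wallet.entries[id] = password;
        cfg["PasswordInWallet"] = "true";
        cfg.erase("Password");                    // example's choice: drop old plain-text copy
        return Stored::InWallet;
    }
    if (!userAllowsPlaintext)
        return Stored::Nowhere;                   // cancelled: config left untouched
    cfg["PasswordInWallet"] = "false";            // written only once the fallback is certain
    cfg["Password"] = password;
    return Stored::InConfig;
}

// Returns false when no password can be obtained, so the caller can prompt for it.
bool readPassword(const ConfigGroup &cfg, const Wallet &wallet,
                  const std::string &id, std::string &out)
{
    auto flag = cfg.find("PasswordInWallet");
    if (flag != cfg.end() && flag->second == "true")   // absent flag defaults to false
    {
        auto entry = wallet.entries.find(id);
        if (!wallet.available || entry == wallet.entries.end())
            return false;
        out = entry->second;
        return true;
    }
    auto plain = cfg.find("Password");
    if (plain == cfg.end() || plain->second.empty())
        return false;
    out = plain->second;
    return true;
}
```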
Comment 13 Eike Hein 2010-06-22 22:44:32 UTC
To clarify, "unless the user did that anyway" == unless the user set it not to ask again.
Comment 14 Eike Hein 2010-06-23 04:43:51 UTC
Hmm. On further thought, a fundamental flaw with this approach might be that saveOptions() can be called at various times - including e.g. during application quit - and popping up the dialog to unlock the wallet at these times would be unacceptable, since there is no visible connection to password editing.
Comment 15 Martin Blumenstingl 2010-10-05 19:57:22 UTC
*** Bug 253334 has been marked as a duplicate of this bug. ***
Comment 16 José Millán Soto 2012-04-23 14:34:35 UTC
A new version of the patch was uploaded to reviewboard: https://git.reviewboard.kde.org/r/104699/
Comment 17 Eike Hein 2012-06-04 14:21:15 UTC
*** Bug 301118 has been marked as a duplicate of this bug. ***
Comment 18 José Millán Soto 2012-12-07 17:06:13 UTC
A new version of the patch was uploaded to https://git.reviewboard.kde.org/r/104699/
Comment 19 Tobias Leupold 2014-11-04 21:19:14 UTC
This has been around for almost 10 years(!) now ... still, the Nickserv passwords are stored as plain-text in konversationrc. Is anybody working on this? Would be really fine if kwallet support would be finally added to konversation!
Comment 20 Björn Bidar (Thaodan) 2015-08-06 01:52:16 UTC
Is there any info about this, which changes are needed?
Comment 21 Andrius Štikonas 2018-07-16 18:12:32 UTC
I was going to file a bug on this issue but then noticed this 14 year old bug.
Comment 22 Fabio Forni 2018-11-25 17:37:29 UTC
I was about to add konversationrc to my public dotfiles repository; fortunately I discovered in time that my passwords were in plain-text.
Comment 23 argonel 2018-12-25 03:31:15 UTC
*** Bug 402497 has been marked as a duplicate of this bug. ***
Comment 24 Mariano 2020-11-19 19:41:26 UTC
This needs to be fixed.