07-20-2008, 03:16 PM
What is the point of the NM keyring?
On Sun 20 Jul 2008, Timothy Murphy wrote:
> Some kind soul pointed out that one could get rid
> of the demand by NM for a keyring password
> by deleting .gnome2/keyrings/default.keyring
> and then giving an empty password when requested.
>
> But that made me wonder what possible point
> the keyring password could have?
> Is it intended as some kind of security device?
> As far as I can see, you have to be logged in to run NM,
> and if you are logged in you can delete this file.
>
> I might say the same about the KDE wallet system.
> How does this make one's part of the system more secure,
> since it is open to you to change the wallet password,
> or even to make it empty?
Don't know about gnome keyring, but in KWallet you can change a wallet's password only if you know the previous one. If you delete the default wallet you can choose whatever password you like when it's recreated, of course. But if you do delete one of the wallets, then you loose all passwords stored in it, so I would say they are indeed protected. There's no way of recovering the passwords stored in a wallet without knowing the wallet's password.
I believe gnome keyring behaves the same way.
> I live in an old house with hundreds of locks
> on cupboard doors, etc, to which almost all the keys
> have long ago disappeared.
> It seems to me Fedora is getting a bit like that.
>
> I wish I felt there was someone whose job it was
> to make Fedora/Linux simpler to use
> rather than just adding more features
> with keys and passwords to fit.
The purpose of wallets and keyrings is to make your life easier by having to remember just one password, the one that opens your wallet. All the others can be securely stored in the wallet. However, if you loose the wallet's password, then you loose all passwords stored in it.
[]'s
Marcelo
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

07-20-2008, 03:17 PM
What is the point of the NM keyring?
On Sun, 2008-07-20 at 15:26 +0100, Timothy Murphy wrote:
> Some kind soul pointed out that one could get rid
> of the demand by NM for a keyring password
> by deleting .gnome2/keyrings/default.keyring
> and then giving an empty password when requested.
>
> But that made me wonder what possible point
> the keyring password could have?
> Is it intended as some kind of security device?
> As far as I can see, you have to be logged in to run NM,
> and if you are logged in you can delete this file.
>
> I might say the same about the KDE wallet system.
> How does this make one's part of the system more secure,
> since it is open to you to change the wallet password,
> or even to make it empty?
>
> I live in an old house with hundreds of locks
> on cupboard doors, etc, to which almost all the keys
> have long ago disappeared.
> It seems to me Fedora is getting a bit like that.
>
> I wish I felt there was someone whose job it was
> to make Fedora/Linux simpler to use
> rather than just adding more features
> with keys and passwords to fit.
The point is to allow you to store large numbers of passwords or
encryption keys to be applied automatically when required (modulo the
collaboration of the password-requiring agent of course), so you don't
have to answer a challenge every time you use something that requires a
password or key.
As protection from intruders, it's considered wise to encrypt these
repositories in case they get stolen, hence the keyring/kwallet
"password" (actually a key).
NM is simply one of the agents that uses a keyring to hold its keys for
use with WPA or whatever. Evolution is another. Konqueror, Kmail etc.
use Kwallet and so on. It's a pity there are two competing systems, but
that's the way it is for now. Some agents (Firefox for example) have
their own private system, presumably because they're cross-platform.
poc
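
The point made in the replies above (the keyring "password" is really an encryption key, so copying or deleting the file does not reveal what was stored), as an added example that is not part of the original posts and is not gnome-keyring's or KWallet's actual file format. It assumes a stdlib-only stand-in construction (PBKDF2 for the key, HMAC-SHA256 as keystream and integrity tag); all names and sample values are constructed.

```python
import hashlib, hmac, json, os

def _derive(password, salt):
    # Stretch the keyring password into an encryption key and a MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, a stand-in for a real cipher (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(secrets, password):
    # Encrypt the secrets, then append a MAC over salt + nonce + ciphertext.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    plain = json.dumps(secrets).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    body = salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(blob, password):
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _derive(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong keyring password or corrupted file")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)

def demo():
    # Constructed sample data: one Wi-Fi key of the kind NM would store.
    stored = seal({"wifi:home": "constructed-wpa-passphrase"}, "master-pw")
    results = {"owner": unseal(stored, "master-pw")}
    try:  # someone holding a copy of the file tries the empty password
        unseal(stored, "")
        results["thief"] = "opened"
    except ValueError:
        results["thief"] = "rejected"
    # Deleting the file and recreating it with an empty password yields an
    # empty keyring: the old secrets are gone, not exposed.
    results["recreated"] = unseal(seal({}, ""), "")
    return results

if __name__ == "__main__":
    print(demo())
```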

07-20-2008, 04:09 PM
What is the point of the NM keyring?
On Sun, 2008-07-20 at 11:16 -0300, Marcelo Magno T. Sales wrote:
> The purpose of wallets and keyrings is to make your life easier by
> having to remember just one password, the one that opens your wallet.
> All the others can be securely stored in the wallet. However, if you
> loose the wallet's password, then you loose all passwords stored in
> it.
(Sending this off-list).
Marcelo, the word you want here is "lose" (to misplace something). Note
that there is a different verb "to loose" (more usually "loosen") which
means to untie or free something. I know it's confusing.
Another one that confuses people is "choose" (present tense) versus
"chose" (past tense). English is not logical :-)
Cheers
poc

07-20-2008, 04:28 PM
What is the point of the NM keyring?
On Sun, 2008-07-20 at 10:39 -0430, Patrick O'Callaghan wrote:
> (Sending this off-list).
Ohhhhhh nooooo you didn't..... (panto voice) ;-)
'tis a pet hate of mine too, this losing the plot and being loose with
your words, so they lose their meaning, and understanding is lost.
--
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.

07-20-2008, 05:28 PM
What is the point of the NM keyring?
On Mon, 2008-07-21 at 00:58 +0930, Tim wrote:
> On Sun, 2008-07-20 at 10:39 -0430, Patrick O'Callaghan wrote:
> > (Sending this off-list).
>
> Ohhhhhh nooooo you didn't..... (panto voice) ;-)
Sorry about that.
poc

07-20-2008, 11:00 PM
What is the point of the NM keyring?
On Sun 20 Jul 2008, Timothy Murphy wrote:
> Marcelo Magno T. Sales wrote:
> >> Some kind soul pointed out that one could get rid
> >> of the demand by NM for a keyring password
> >> by deleting .gnome2/keyrings/default.keyring
> >> and then giving an empty password when requested.
> >>
> >> But that made me wonder what possible point
> >> the keyring password could have?
> >> Is it intended as some kind of security device?
> >> As far as I can see, you have to be logged in to run NM,
> >> and if you are logged in you can delete this file.
> >>
> >> I might say the same about the KDE wallet system.
> >> How does this make one's part of the system more secure,
> >> since it is open to you to change the wallet password,
> >> or even to make it empty?
> >
> > Don't know about gnome keyring, but in KWallet you can change a
> > wallet's password only if you know the previous one. If you delete
> > the default wallet you can choose whatever password you like when
> > it's recreated, of course. But if you do delete one of the wallets,
> > then you loose all passwords stored in it, so I would say they are
> > indeed protected. There's no way of recovering the passwords stored
> > in a wallet without knowing the wallet's password.
> > I believe gnome keyring behaves the same way.
>
> ...
>
> > The purpose of wallets and keyrings is to make your life easier by
> > having to remember just one password, the one that opens your
> > wallet. All the others can be securely stored in the wallet.
> > However, if you loose the wallet's password, then you loose all
> > passwords stored in it.
>
> Thanks, I guess that makes quite a lot of sense.
>
> Actually, I use the same password for everything,
> as my great fear is I will forget some password and never be able
> to use kmail or whatever again.
> So the KDE wallet system is not really much use for me.
This is a possible solution, but not a very good one, if you take security into consideration. Especially if you use the same password for the important things (say, your bank account) and for the things that do not demand a high level of security (say, your bugzilla account, or mailing list password).
If one password is compromised, all of your secrets are in the open. Considering the multitude of sites and services we use that require passwords, if only one of them doesn't take good care of your password, you have a big problem.
It's better to use distinct passwords for most important things.
Also, there are services/applications that require you to change your password every now and then. In this case, it's hard to keep all of your passwords synchronized when one of them has to be changed.
[]'s
Marcelo

07-20-2008, 11:01 PM
What is the point of the NM keyring?
Timothy Murphy wrote:
> But what is the point of having large numbers of passwords,
> if one password will open all the locks?
So if your password on one system gets compromised, it does not
compromise your password on other systems. As long as your keyring
password does not get compromised, you only have problems with one
system. And your keyring password is less likely to get compromised
because it normally does not travel over the Internet. So you can
use a weaker, but more easily remembered password for the keyring,
and more complicated passwords for the other things. You also do not
have to try and remember all the different passwords, so you will
hopefully not use the same password for everything.
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

07-20-2008, 11:03 PM
What is the point of the NM keyring?
Timothy Murphy wrote:
> Patrick O'Callaghan wrote:
>>> But that made me wonder what possible point
>>> the keyring password could have?
>>> Is it intended as some kind of security device?
>>> As far as I can see, you have to be logged in to run NM,
>>> and if you are logged in you can delete this file.
>>>
>>> I might say the same about the KDE wallet system.
>>> How does this make one's part of the system more secure,
>>> since it is open to you to change the wallet password,
>>> or even to make it empty?
>> The point is to allow you to store large numbers of passwords or
>> encryption keys to be applied automatically when required (modulo the
>> collaboration of the password-requiring agent of course), so you don't
>> have to answer a challenge every time you use something that requires a
>> password or key.
> I'm almost convinced.
> But what is the point of having large numbers of passwords,
> if one password will open all the locks?
Gee Timothy. Do you lock all of the doors on your house with the same key? And
your auto? How about the office door(s)? All with the same key?
You 'lock' everything with the same key and then the key is stolen and/or
cracked. Does that mean that you are really, really open then? ;-)
--
David

07-20-2008, 11:38 PM
What is the point of the NM keyring?
Marcelo Magno T. Sales wrote:
>> Some kind soul pointed out that one could get rid
>> of the demand by NM for a keyring password
>> by deleting .gnome2/keyrings/default.keyring
>> and then giving an empty password when requested.
>>
>> But that made me wonder what possible point
>> the keyring password could have?
>> Is it intended as some kind of security device?
>> As far as I can see, you have to be logged in to run NM,
>> and if you are logged in you can delete this file.
>>
>> I might say the same about the KDE wallet system.
>> How does this make one's part of the system more secure,
>> since it is open to you to change the wallet password,
>> or even to make it empty?
>
> Don't know about gnome keyring, but in KWallet you can change a wallet's
> password only if you know the previous one. If you delete the default
> wallet you can choose whatever password you like when it's recreated, of
> course. But if you do delete one of the wallets, then you loose all
> passwords stored in it, so I would say they are indeed protected.
> There's no way of recovering the passwords stored in a wallet without
> knowing the wallet's password.
> I believe gnome keyring behaves the same way.
...
> The purpose of wallets and keyrings is to make your life easier by
> having to remember just one password, the one that opens your wallet.
> All the others can be securely stored in the wallet. However, if you
> loose the wallet's password, then you loose all passwords stored in it.
Thanks, I guess that makes quite a lot of sense.
Actually, I use the same password for everything,
as my great fear is I will forget some password and never be able
to use kmail or whatever again.
So the KDE wallet system is not really much use for me.

07-20-2008, 11:41 PM
What is the point of the NM keyring?
Patrick O'Callaghan wrote:
>> But that made me wonder what possible point
>> the keyring password could have?
>> Is it intended as some kind of security device?
>> As far as I can see, you have to be logged in to run NM,
>> and if you are logged in you can delete this file.
>>
>> I might say the same about the KDE wallet system.
>> How does this make one's part of the system more secure,
>> since it is open to you to change the wallet password,
>> or even to make it empty?
> The point is to allow you to store large numbers of passwords or
> encryption keys to be applied automatically when required (modulo the
> collaboration of the password-requiring agent of course), so you don't
> have to answer a challenge every time you use something that requires a
> password or key.
I'm almost convinced.
But what is the point of having large numbers of passwords,
if one password will open all the locks?