[PATCH] store passwords in the KDE Wallet

[mirabilos]

Hi,

I’ve written a CLI access tool to the KDE Wallet (tested with KDE 3 at the moment only, sorry), mostly for replacing ssh-askpass and pinentry, but also for making things like gajim and pidgin adhere to our boss’ policy that passwords must not be stored on the disc in plain text, but may be stored in the KWallet. (gnome-keyring is not an option on a KDE centric system – too many things doing the same thing.)

Here’s a patch adding support for kwalletcli in gajim (tested, with two accounts, one with password stored one not, migration is also working). gnome-keyring is still preferred if it exists, so there won’t be any change in pre-existing behaviour.

Note that kwalletcli is still beta (although I plan to release an 1.00 version by the end of the month; maybe someone who has KDE 4 could join the fun and test it), and as such, there is no homepage or anything yet, just this one:

$ dget https://eurynome.mirbsd.org/debs/dists/hardy/wtf/pkgs/kwalletcli/kwalletcli_0.91-1.dsc

Please apply the patch, it’s against hg from today. My employer is known for releasing stuff under the GPL, and as such I’m allowed to contribute.

[asterix]

I'm not against this patch, it's well written, with an option to enable it or not, but I just wonder if this program (kwalletcli) is included in KDE or is used by more than 2 people

[js]

Asterix, is there any reason not to include it if it's not interfering with anything else, even if only 2 users might use it?

[asterix]

it's some code we cannot maintain. so if it's not used at all, I prefer not including it.

[mirabilos]

kwalletcli is external. As soon as I find out whether it works with KDE 4, I'll submit an ITP to Debian and release an 1.00 version of it. It'll also be available via PPAs for Ubuntu LTS, and probably Debian Lenny. I know people from other distributions (from my work on mksh), so chances on it being widely available are quite good.

Because of the clean command-line interface, adding this patch wouldn't even add a dependency to gajim.

 http://www.mirbsd.org/cvs.cgi/kwalletcli/ points to the public source repository.

Thanks for admitting it's well written. In fact, I wrote it because I needed to polish up my Python, since I have to write another script tomorrow...

I also just committed a patch to kwalletcli to support a "-q" option, so that that nasty stderr handling will no longer be required. I'll provide an adjusted gajim patch later, still hoping I can persuade you by providing enough good arguments ;) Is there anything else to change in the patch?

[mirabilos]

Ah, speaking of the amount of people: when we deploy it at our company, there will be about one hundred persons possibly using it (it _does_ compete with Kopete and pidgin, though, once the latter is patched too), at a minimum.

While we do have an internal .deb file repository, I'd prefer keeping changes from upstream at a minimum, especially in cases such as this one where other people would benefit from it as well. (I could just have written kwalletcli in-house only and not release it, but I deci- ded to do it half at home, half at work, and publish it.)

[mirabilos]

 https://eurynome.mirbsd.org/debs/dists/hardy/wtf/pkgs/kwalletcli/ now contains a new snapshot of kwalletcli, with -q option added, and the patch has been reworked:

* use the -q option

* _really_ skip the KWallet lookup for empty passwords

Setting and migration have both been tested.

[Yann Leboulanger <asterix@…>]

(In [6c332dd9e7953f8eaed4c9ad44bfc58d5ad205f2]) [mirabilos] save password in kwallet is available. Fixes #5153

[Yann Leboulanger <asterix@…>]

(In [e07c087c2e4f97eaa5ce352a1206c266b3ec8880]) prevent traceback when kwalletcli is not available. see #5153