gmane.comp.gnome.apps.seahorse.user

Re: Is there any way to kill a seahorse?

Chris Green — 2012-05-03T15:44:09

I run xubuntu and I have always had the OP's problem, seahorse simply
does not integrate correctly with the xubuntu startup sequence so that
my login password isn't used to unlock the keyring.

I soon (again like the OP) got fed up with this so I explicitly sort out
the issue in my .xprofile which gets run at X startup as follows:-

    eval $(gnome-keyring-daemon --start)
    export SSH_AUTH_SOCK
    export GNOME_KEYRING_SOCKET
    echo export SSH_AUTH_SOCK=$SSH_AUTH_SOCK >~/tmp/sock

I don't think this issue worries 99% of users, they either never use ssh
or they put up with the occasional request for a password or they
generate ssh keys with no pass-phrase.

(by the way I don't think that final line writing to ~/tmp/sock is still
necessary, I used it for something else that wanted SSH_AUTH_SOCK)

Some questions

Mike Walton — 2012-04-23T01:50:04

Hi,
I'm using Seahorse 3.2.2 with Fedora 16.
I admit that I don't know anything about seahorse or gnome keyrings.
I have some questions though. I don't understand why its not possible
to move a password from one keyring to another within seahorse.
Furthermore shouldn't programs that use seahorse plugins, give me an
option of what keyring to save passwords in. I am saying this because
some information, such as banking passwords, I would like to keep
in a separate keyring that's locked 99% of the time, and the login
keyring is unlocked the whole time i'm logged in. (I do this this,
but I had to unpassword protect and manually manipulate the keyring
files which seemed unsatisfactory)

Please tell me if I am misunderstanding things and what
documentation i should read to get a correct understanding.

With thanks,
  Mike W.

Re: Is there any way to kill a seahorse?

Bruce Korb — 2012-04-09T20:33:25

Hi Adam,

Thanks for your reply:


I'd be happy doing that, but for the fact it keeps asking over
and over and over and over.  If I did that and it went away,
I'd have not chased this down.  Anyway, I've not had any need
of keyrings up until now, so if there is a compelling reason
for having it do its helpful task, then it needs to be helpful
in a quiet, non-intrusive way.  That, or be shot dead.

 >> I didn't ask for it and there is no plainly obvious way. ...
 >> I am looking for a clean, big, bright button saying, "DISABLE"
 >> and it is not to be found.
 >
 > Because disabling the key ring management makes no sense.

I have been okay without it for about 40 years.  But also
pestering me over and over makes no sense either.


Well, then, that's the problem.  For whatever reason, it isn't
hooked up properly and I need it to either go away or work
correctly.  I don't care which, but one or the other.

So how do I run down the misconfiguration?  Once I have it
figured out, I'll send you grist for your FAQ.

Re: Some questions

Adam Tauno Williams — 2012-04-25T15:01:35

On Mon, 2012-04-23 at 19:36 -0400, Mike Walton wrote: 

It could just not be implemented, in some cases there may be encryption
issues.

You possibly could script that
<http://www.mindbending.org/bending-gnome-keyring-with-python-part-2/>


Seems reasonable, at least as an option.  But most applications try to
do this as unobtrusively as possible.


Once upon a time I vaguely remember reading something about keyrings and
environment variables [?????].  But at least
<http://live.gnome.org/GnomeKeyring/RunningDaemon> mentions no such
thing.


_______________________________________________
seahorse-list mailing list
seahorse-list< at >gnome.org
http://mail.gnome.org/mailman/listinfo/seahorse-list

Some questions

Mike Walton — 2012-04-23T23:36:03

Hi mailing list,
Sorry if you end up geting this message twice. I sent essentially the
same message without subscribing first and I don't know where that went.

I'm using Seahorse 3.2.2 with Fedora 16.
I admit that I don't know anything about seahorse or gnome keyrings.
I have some questions though. I don't understand why its not possible
to move a password from one keyring to another within seahorse.
Furthermore shouldn't programs that use seahorse plugins, give me an
option of what keyring to save passwords in (this isn't
necessarily a seahorse problem per se but its a related
ecosystem problem which isn't addressed in any program that I use,
such as evolution, epiphany, pigdin, you name it). 
I am saying this because
some information, such as banking passwords, I would like to keep
in a separate keyring that's locked 99% of the time, and the login
keyring is unlocked the whole time i'm logged in. (I did manage to do this,
but I had to unpassword protect and manually manipulate the keyring
files which seem

ANNOUNCE: seahorse 3.4.1

Stef Walter — 2012-04-16T12:58:15

Seahorse is the GNOME application for managing encryption keys and
passwords. This is an stable release.

Highlights between 3.4.0 and 3.4.1:
===================================

 * Fix crash during failed HKP exports
 * Fix memory errors when searching for keys
 * Updated translations
 * Build fixes


Details between 3.4.0 and 3.4.1:
================================

Ahmad Gharbeia (1):
      Updated Arabic translation

Andika Triwidada (1):
      [l10n] Updated Indonesian translation

Aurimas Černius (1):
      Updated Lithuanian translation

Bruce Cowan (1):
      Updated British English translation

Carles Ferrando (1):
      [l10n]Updated Catalan (Valencian) translation

Chandan Kumar (1):
      Updated HINDI translation

Changwoo Ryu (1):
      Updated Korean translation

Debarshi Ray (1):
      Don't complete the hkp_source_export operation on an error

Jordi Serratosa (1):
      [l10n] Fixes on Catalan translation

Khaled Hosny (1):
      Updated Arabic translation

Kjartan Maraas (1):
      Updated

ANNOUNCE: libcryptui 3.4.1

Stef Walter — 2012-04-16T11:33:36

libcryptui is a library used to list GnuPG keys. It is gradually being
replaced by the GCR library, and will soon be deprecated.

This is a stable release.


Changes between 3.4.0 and 3.4.1:
================================

 * Better build of .service files


Detailed change log between 3.4.0 and 3.4.1:
============================================

Stef Walter (2):
      Better build of .service files
      Release 3.4.1


Downloads:
==========

http://download.gnome.org/sources/libcryptui/3.4/

fad4addf5c5b6588f492a720edce59f925190e4cdf3672984f53b25327f10fd5
libcryptui-3.4.1.tar.xz


Cheers,

Stef Walter

Re: Is there any way to kill a seahorse?

Michael Stephenson — 2012-04-13T17:52:39

What if the robotic intruder decided to add an ssh key to ~/.ssh and add a
cronjob to wget a certain php script somewhere out there on the web to show
the attacker your ip?
I can now manually ssh in to your user and you can be damn sure I'll find
your text file!
_______________________________________________
seahorse-list mailing list
seahorse-list< at >gnome.org
http://mail.gnome.org/mailman/listinfo/seahorse-list

Re: Is there any way to kill a seahorse?

Adam Tauno Williams — 2012-04-13T12:50:00

Quoting Bruce Korb <bkorb< at >gnu.org>:

It doesn't actually work that way.  Your machine communicates with  
other hosts all the time, and those hosts *can* use the out-bound  
connections you create.  But this isn'tthe forum to discuss basic  
network security;  just know that I've sat through numerous  
presentations and demos about how to exploit machines that do not  
permit inbound connections -  it is often easier than you think.


So when applications and websites demand passwords of you - you  
cut-n-paste them from a text file?  How is that easier [or more  
secure] than entering a password at login and permitting the rest of  
your passwords to be stored in an encrypted database accessed via a  
consitent API?

You can do it your way - but it does *not* make any sense.

And I have no idea what "I-know-better-than-you-do password manager"  
implies other than it knows to encrypt the data and allow you to  
control access to it.


Yes.


Nope.


See, gnome-keyring is optional! :)

Re: Is there any way to kill a seahorse?

Bruce Korb — 2012-04-12T17:35:35

I just wanted to know how to disable the keyring.
I refuse to believe that I must have and use something
I know I don't want.


Maybe he got tired of fighting the issue and his ultimate
irritation showed through too readily.  Sorry about that.
I just wanted it disabled.  It shouldn't have been so hard.

Thank you.  Regards, Bruce

Re: Is there any way to kill a seahorse?

Bruce Korb — 2012-04-12T16:32:50

There are two flavors of security:  Physical and electronic.
I am completely unconcerned about someone physically sitting
down and seeing post-it notes with passwords.  I am not
concerned with folks ssh-ing into my machine since the only
account open to ssh has a "shell" that does nothing except
open a tunnel into _their_ machine, but even it is disabled
now.  Everything else is stopped at the router.

So my security model is now and has always been to physically
secure my machine, block all external probes, use software
that is as reliable as I know how to get it, and use a text
database of passwords for the web sites I need to gain access
to.  I do not password protect it because I am certain no
robotic intruder is going to guess my /path/to/my/password/db.txt
file and also be able to map allusory names to real web sites.

In the end, I do not want to have passwords demanded of me
by some I-know-better-than-you-do password manager,
either when I login or when I visit web sites.


I didn't know at the star

Re: no saving of passphrases

Stef Walter — 2012-04-12T12:50:32

The GPG agent is provided by gonme-keyring. It should be listed in
gnome-session-properties. Is that what you used to list your 'start-up
environment' above?

Cheers,

Stef

Re: Is there any way to kill a seahorse?

Stef Walter — 2012-04-12T11:35:09

Done ... although it looks like the mailing list ate my subject line :S

http://mail.gnome.org/archives/gnome-keyring-list/2012-April/msg00002.html

Bugs filed for Fedora (which is running on my machine):

https://bugzilla.redhat.com/show_bug.cgi?id=811921

https://bugzilla.redhat.com/show_bug.cgi?id=811925

https://bugzilla.redhat.com/show_bug.cgi?id=811928

https://bugzilla.redhat.com/show_bug.cgi?id=811930

https://bugzilla.redhat.com/show_bug.cgi?id=811931

https://bugzilla.redhat.com/show_bug.cgi?id=811945

Cheers,

Stef

Re: Is there any way to kill a seahorse?

Adam Tauno Williams — 2012-04-12T10:30:06

What you want to remove is the GNOME keyring; Seahorse is just a
front-end for managing GNOME keyrings.


I'd assume dependency checks would require you to do so.


+1
_______________________________________________
seahorse-list mailing list
seahorse-list< at >gnome.org
http://mail.gnome.org/mailman/listinfo/seahorse-list

Re: Is there any way to kill a seahorse?

Stef Walter — 2012-04-12T10:25:10

Hmmm. Interesting question. Normally GNOME is taken a whole. But if I
was in your situation I might do one of:

$ sudo yum remove gnome-keyring
$ sudo apt-get remove gnome-keyring
$ (your choice of package manager remove command)

This removes the gnome-keyring-daemon which stores the passwords. You
can also remove the gnome-keyring-pam package.

Applications will probably have some errors if they can't store
passwords. But in those cases applications would need to be individually
fixed. You could file bugs or patches against applications that
misbehave when they get back an error after trying to store their passwords.

It also looks like the package managers for gnome-keyring have gotten
the dependencies wrong. Applications should depend on the
libgnome-keyring package, and not gnome-keyring itself. Although it's
not strictly my responsibility, I can help solve this filing some bugs
and/or alerting package maintainers.

But in the mean time you may need to persuade your package manager to
remove gnome-keyr

Re: no saving of passphrases

Boris — 2012-04-12T10:14:15

Encryption and
"A supported
already running."


Hi David,

I had a similar problem with my GPG passphrase not being cached in Ubuntu 11.04,
running Gnome Dekstop 2.32.1.

The problem was solved by launching System | Preferences | Passwords and
Encryption Keys. On the Passwords tab I expanded the Passwords:login list and
found several entries for "PGP Key: [Your Name] <[your< at >email_address.com]>".

Once I deleted all these entries, caching starting working again as it should.

hth,

-boris

Re: Is there any way to kill a seahorse?

Michael Stephenson — 2012-04-12T10:04:05

Hi

Bruce is right in that, if you are going to store passwords unencrypted,

What I don't understand is that Bruce wants passwordless log ins for
convenience, but is happy to type his password for every website he logs in
to and never click "remember my password" on websites.
He is happy to type passwords for 14 different accounts whenever he uses
his computer, but he'll be damned if he has to type one on log in?
Frankly it seems he wants the moon on a stick!

Michael.
_______________________________________________
seahorse-list mailing list
seahorse-list< at >gnome.org
http://mail.gnome.org/mailman/listinfo/seahorse-list

Re: Is there any way to kill a seahorse?

Dimitrios Siganos — 2012-04-12T03:16:13

I think you are both arguing just for the sake of arguing. Bruce makes a 
valid point but just doesn't seem to know how to put it across without 
offending people. Michael also makes valid points but I think he doesn't 
quite understand Bruce's argument.

Bruce is right in that, if you are going to store passwords unencrypted, 
the last thing you want to do, is collect them all in one standard 
well-known place. However, that is an unfair remark against seahorse 
because seahorse is clearly not intended to be used in such a way. 
Clearly, seahorse is meant to be used with a password.

I think the only valid question is: can seahorse be (easily) disabled 
without destroying the rest of the Gnome experience?

Dimitris

On 11/04/12 22:11, Michael Stephenson wrote:

_______________________________________________
seahorse-list mailing list
seahorse-list< at >gnome.org
http://mail.gnome.org/mailman/listinfo/seahorse-list

Re: Is there any way to kill a seahorse?

Michael Stephenson — 2012-04-12T02:11:26

So suddenly you care about securitry again?
I don't know whether over the course of these exchanges you actually
developed an understanding of what seahorse/gnome-keyring does.
But it means when you sign in it carries over the password you typed as an
encryption key to decrypt the password you saved, if it differs from your
log in password it will prompt you for that password.
The crucial thing here is to make it secure it does not store the
decryption key on your system so you cant be compromised without someone
knowing your password or a supercomputer.
In your confused head you want rid of this system because it is
inconvenient, having to enter a password all the time.
But at the same time you worry about a virus compromising your system and
getting your password... You can't have both!
There are two ways to be secure, either you have one password which acts as
a key to encrypt and unlock your other passwords, or you log in every time
you open your e mail client or log in to a website.
If you have experien

Re: Is there any way to kill a seahorse?

Bruce Korb — 2012-04-11T23:36:51

One slight drawback:  If, say, some app that I use were to become
a virus vector, where I keep my database of sites and passwords
is pretty much unguessable.  An unencrypted, standardized tool's
database is not so obscure.  So, I don't want seahorse keeping my
passwords, thank you very much.  I'll "vi" my private database.

I now go back to my initial question, how do I get this beast
off of my system forever?

Re: Is there any way to kill a seahorse?

Michael Stephenson — 2012-04-11T20:55:07

Seahorse requires your password to decrpyt the stored passwords. Without the password decypting the stored passwords is impossible.
However if you have a blank password for gnome keyring the stored passwords will not be encrypted. Since you log in with no password and don't seem to be concerned about the security of the passwords stored in your home folder you might swell open seahorse and change the password to a blank one.