
Ralsina.Me — Roberto Alsina's website

python-keyring is really nice

It's nice when a program can remember the password you give it.

It's better when it stores that password securely. However, that isn't trivial to do if you care about the program being cross-platform.

Or at least it wasn't until Kang Zhang wrote python-keyring, a module that abstracts the key storage mechanisms of KDE, GNOME, OSX and Windows (and has a couple of file-based backends just in case).

How does it work?

It installs the usual way. If it isn't available for your distro/operating system, use easy_install:

easy_install keyring

It can also be obtained via Mercurial:

hg clone http://bitbucket.org/kang/python-keyring-lib/

The API is simplicity itself. This is how you store a secret:

import keyring
# Stores the secret for (service, username) in whichever backend keyring picks
keyring.set_password('keyring_demo', 'username', 'thisisabadpassword')

It may show you this dialog (or something similar on other platforms):

[image: keyring1]

And here is the proof that it was stored correctly (this is KDE's wallet manager):

[image: keyring2]

And how do we get the secret back?

import keyring
# get_password returns None if nothing is stored for (service, username)
print(keyring.get_password('keyring_demo', 'username'))

And it works like this:

$ python load.py
thisisabadpassword

As you can see, the API is as easy as it can be. It even picked the KWallet backend automatically because I'm on KDE!

Python-keyring is a module that solves a real problem, so a round of applause for Kang Zhang and Tarek Ziadé (who had the idea).

chaica / 2009-12-21 19:48:

Python-keyring is available on Debian, should be available in Ubuntu in ... some months I guess.

Roberto Alsina / 2009-12-21 22:32:

It's also available in Arch.

elpargo / 2009-12-22 05:16:

Thanks for the link

Thomas / 2009-12-24 08:16:

Using python is a bit of a silly idea; I can see a virus searching for your python app in your homedir and modifying it to email all passwords it can harvest from the kwallet (since the user gave it an 'ok its safe!').

This may even be the case if the python stuff is installed as root, simply because it's easy to place new python code in your homedir and make it be executed instead of the package-installed app.
And the same problem happens; the user gives an ok because the user is unable to detect the difference.

I seriously think using any scripting language is just wrong for this kind of work.

Roberto Alsina / 2009-12-24 11:48:

The "app X is asking for permission to open wallet" is trivial to overcome, since the app name is simply a parameter in QApplication construction.

If you are depending on that for your security, you are screwed.

It *may* be non-trivial if kwallet (or gnome-keyring) checked which process is asking, looked for the binary location via /proc and refused to work if it's not a system binary, but even that kinda sucks in other ways.

Cam / 2010-01-03 21:59:

Perhaps if the wallet stored an MD5 for the approved application this scenario could be handled. I think the majority of python apps would be installed through package management which means the virus would need root privileges to modify them anyway.

Oben Sonne / 2010-02-13 00:13:

Yes, MD5 sums would increase security from a technical point of view. The application name alone is quite insufficient. For instance in Gnome you could write a malicious app which calls gobject.set_application_name("trusted_app") and then inherits the rights of "trusted_app" (correct me if I'm wrong).

Anyway, in daily use MD5 sums would fail too. Consider some packaged application which gets updated regularly. Each time the question "Application X is requesting access to ..." would reappear and users would tend to blindly acknowledge, also because they mostly cannot decide if the MD5 change has been caused by a regular package update or by hijacking the application name.
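The approval check that Cam and Oben Sonne argue about, written out as an added example (not code from the post or from python-keyring): the wallet remembers a hash of the executable it approved rather than trusting the self-declared application name, using SHA-256 in place of the MD5 the comments mention. Everything here is hypothetical; the executable contents are constructed inline so it runs offline, and the last result shows the package-update problem Oben describes.

```python
import hashlib

APPROVED = "approved"               # hash matches a previously approved app
PROMPT_NEW = "prompt-new"           # never seen before: the user must be asked
PROMPT_CHANGED = "prompt-changed"   # name is known but the executable differs


class WalletPolicy:
    """Hypothetical wallet-side policy: approvals keyed by executable hash."""

    def __init__(self):
        self._approved = {}  # app name -> set of hex digests the user OK'd

    @staticmethod
    def fingerprint(exe_bytes):
        return hashlib.sha256(exe_bytes).hexdigest()

    def approve(self, app_name, exe_bytes):
        self._approved.setdefault(app_name, set()).add(self.fingerprint(exe_bytes))

    def request_access(self, app_name, exe_bytes):
        digest = self.fingerprint(exe_bytes)
        known = self._approved.get(app_name)
        if known is None:
            return PROMPT_NEW
        if digest in known:
            return APPROVED
        # Same declared name, different binary. This is either a legitimate
        # package update or a program borrowing the name; the wallet cannot
        # tell the two apart, which is the weakness Oben Sonne points out.
        return PROMPT_CHANGED


def demo():
    """Runs the scenario from the comments and returns the decisions in order."""
    policy = WalletPolicy()
    # Constructed sample "executables"; real ones would be read from disk.
    trusted_v1 = b"#!/usr/bin/python\nimport keyring\n# trusted_app v1\n"
    trusted_v2 = b"#!/usr/bin/python\nimport keyring\n# trusted_app v2\n"
    impostor = b"#!/usr/bin/python\n# pretends to be trusted_app\n"

    results = [policy.request_access("trusted_app", trusted_v1)]  # first run
    policy.approve("trusted_app", trusted_v1)                      # user says OK
    results.append(policy.request_access("trusted_app", trusted_v1))  # same binary
    results.append(policy.request_access("trusted_app", impostor))    # spoofed name
    results.append(policy.request_access("trusted_app", trusted_v2))  # real update
    return results


if __name__ == "__main__":
    print(demo())
```

The impostor is caught because its hash never matched, but the genuine update produces exactly the same decision, so the user sees the same prompt in both cases.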


Contents © 2000-2024 Roberto Alsina