Hi all,

I have now a script that needs the user password and username to retrieve a webpage from another server.
For now the username and password are stored in the script itself and it has 700 as permissions.

I would now like to put that password in some sort of passwordmanager/keyring. So I want to be able to retrieve the password for the server with only giving the unlock password once every day for example.(so the user does not has to give the password every time)

Anyone has an idea what I can use for this? I want to control it from command line.
So it can be automated and the user will only be asked for the keyring/password mananger password when necessary.

Which desktop environment?
The solution may depend on the complexity you want to apply.
If you want an "not so beautiful" solution, you could store the md5 or pgp hash of the pair [login - password] in some file - but thats far from the ideal scenario. If multiple users are gonna log in through this method, you could install some small database system, like mysql, and use the same or an similar techique.

If you want to make an more integrated and robust solution, other suggestion could be look for gnome-keyring documentation (if gnome is the DE of your choice) and make your app interact directly with it (some C programming should be necessary). The disavantage is that your solution would be hard linked to gnome (if you want an more wide solution, test what are the actual desktop environment and take the necessary actions depending on it (interact with specific keyring managers, etc).
Take a look at this post for some previous discussion.

http://ubuntuforums.org/archive/inde...t-1086490.html

Hope it helped. At least for an initial brain storm process.

Hey..

If you want an authentication system to access some webapp, why not use your http server authentication capabilities?

You should give some more information, actually.

:P

I try to get this as independent as possible (to get low dependencies and in this way highering the portability). But if necessary gnome-keyring or kde can be installed to get this working.
As long as I can manage it through a script (or in worst case, using C/C++; note that I want to keep the implementation as open, as in easy to access/maintain/update/improve, as possible).

I will take a look at the link provided. Thanks!

I think you don't understand what I mean (and that can surely be because of me )
My script does use the http server authentication.
BUt I don't want the users of the script to have to type the password of the webserver over and over again (as this gets used a hundred times a day or more). So I don't want it in clear text file. So what I want is that the first time of that day, the user uses his password for the keymanager. After that the password from the webservice can be retrieved without user intervention (aka by the script) and used to retrieve some resources.


Maybe this can help. The authentication of the webserver uses an AD server to check if your request is valid.
Maybe there is a way with kerberos or something to also authenticate with the AD and that I can then retrieve the webpage without any credentials(but I could not yet find a way how this should work with passing the ticket to the webserver to show you are allowed there).


Thanks for your help!

In http://ubuntuforums.org/archive/index.php/t-320308.html, one guy (the first reply) talks about pam-keyring.
Actually, I have to sorry cause I've never interacted with keyring managers in a developer or sysadmin perspective, so I'm trying to help and learning at the same time.

:P

Backing to pam keyring. As I read, there's no need to work directly with gnome or other specific keyring. It looks to me that gnome, kde and other graphical keyrings only interact with him. So you could directly communicate with it (by shell scriptin as I can see from the last post I've sended - no need to use C/C++).

I guess you will only have problems with system not pam-based, like my loved slackware #). But thats worth some google's search.

I'm gonna make more profound search and give you some return.

I'm having problems looking for infos about libpam-keyring. Looks like there's very few (and hidden Oo) documentation about this.

As a last resource, you should consider lookin for an third party password manager. It's always healthy have a plan B.
The best option I saw was Password Gorilla (GPL). Apparently it uses blowfish algorithm and doesnt need to be installed to run.

I would try some info about pam-keyring and, after, look for interactions with specific DE's keyring (gnome, kde, etc). Im sure that there's a good documentation to these last mentioned. It will possibly add some complex to the solution's implementation, but it seems to me the cleaner and direct option.

Thanks alot for your great effort.
I will take a look if I can use pam-keyring.

THe password gorilla tool does not seems to be appropriate in this case as it doesn't seem to be scriptable.

I'll keep this thread up to date.

Check out pwsafe. It's a command line tool for managing passwords. It uses the de facto password safe file format which I believe Bruce Schneier invented.. or at least endorses. Your script can simply call pwsafe. You have the option of grabbing the password from stdout, or having it placed on the clipboard.

I am not sure, but I probably have to type the password of the password-db each time I want to access it. And that is what I do not want. Or for example that I have to give it each hour, and not each time I want to access it.

I found this and I think it is what I need:
http://www.gentoo-wiki.info/HOWTO_Us...SH_passphrases

There is some part of c code.
How to compile it is also on the page

It's text based and runs on the commandline, so your script can easily enter the master password.

True, but what is the use then? I dont want the password in a file. And I dont want that the user has to type it in over and over again each time he uses the tool

I think you need to write a small server, that you start at the beginning of the day, and pass the password to. It then stores it in mem, then the client app calls the server for the website passwd before calling the website.

A similar but different approach would be ssh-agent+ssh tunnelling to the website.

Thanks for your input!
That is also an option. However I like to use as much existing solutions.
So I think the way to go here is with a keyring manager (or kwallet for KDE).
I found a piece of code on the following site that allows me to access the keyring from the command line. Maybe I can program some little more that I don't need any gui at all.