unofficial mirror of emacs-devel@gnu.org 
* Re: can emacs use the mac os x keychain?
       [not found]           ` <87r5iq1hjk.fsf@lifelogs.com>
@ 2010-07-28 14:53             ` Ted Zlatanov
  2010-07-29  4:31               ` Adrian Robert
  2010-07-30  0:13               ` YAMAMOTO Mitsuharu
  0 siblings, 2 replies; 14+ messages in thread
From: Ted Zlatanov @ 2010-07-28 14:53 UTC (permalink / raw)
  To: Emacs Development, adrian.b.robert

On Mon, 26 Jul 2010 08:47:27 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> On Sat, 24 Jul 2010 20:36:18 -0700 (PDT) vm user <emacs_user@hotmail.com> wrote: 
vu> On Jul 1, 12:20 pm, Ted Zlatanov <t...@lifelogs.com> wrote:

>>> Unless there's a helper program or support inside Emacs (the latter is
>>> unlikely IMO) it's not possible to query this API from within Emacs.

vu> I am quite ignorant in these things, but does the following help?
vu> http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code

TZ> That seems useful.  I think auth-source needs a general protocol to talk
TZ> to helper applications when Emacs itself doesn't support it.  This can
TZ> be tricky because of the security implications of passing passwords.
TZ> EPG does it well but I don't know the specifics.  So there's really
TZ> three parts:

TZ> 1) define a helper protocol to pass auth request parameters in the
TZ> environment somehow

TZ> 2) read the password back securely

TZ> 3) write an implementation that works with the Mac OS X keychain

Adrian, is there any chance that the NS Emacs port can provide those
keychain functions through an ELisp layer?  It would make it easier and
more secure to get user passwords, plus users wouldn't need to install
the helper program.

I don't know if there are any linking issues with that, so cc-ing
emacs-devel as well.

Thanks
Ted




* Re: can emacs use the mac os x keychain?
  2010-07-28 14:53             ` can emacs use the mac os x keychain? Ted Zlatanov
@ 2010-07-29  4:31               ` Adrian Robert
  2010-07-29 13:01                 ` Stefan Monnier
  2010-07-29 13:17                 ` Ted Zlatanov
  2010-07-30  0:13               ` YAMAMOTO Mitsuharu
  1 sibling, 2 replies; 14+ messages in thread
From: Adrian Robert @ 2010-07-29  4:31 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: Emacs Development

> TZ> 1) define a helper protocol to pass auth request parameters in the
> TZ> environment somehow
> 
> TZ> 2) read the password back securely
> 
> TZ> 3) write an implementation that works with the Mac OS X keychain
> 
> Adrian, is there any chance that the NS Emacs port can provide those
> keychain functions through an ELisp layer?  It would make it easier and
> more secure to get user passwords, plus users wouldn't need to install
> the helper program.

A useful-sounding idea but seems mainly like something that would be a third-party package or maybe part of Aquamacs.  Are there any platform-independent parts of the needed functionality that the NS port lacks and Emacs on X11 or W32 has?






* Re: can emacs use the mac os x keychain?
  2010-07-29  4:31               ` Adrian Robert
@ 2010-07-29 13:01                 ` Stefan Monnier
  2010-07-30  9:17                   ` Richard Stallman
  2010-07-29 13:17                 ` Ted Zlatanov
  1 sibling, 1 reply; 14+ messages in thread
From: Stefan Monnier @ 2010-07-29 13:01 UTC (permalink / raw)
  To: Adrian Robert; +Cc: Ted Zlatanov, Emacs Development

TZ> 1) define a helper protocol to pass auth request parameters in the
TZ> environment somehow
TZ> 2) read the password back securely
TZ> 3) write an implementation that works with the Mac OS X keychain
>> Adrian, is there any chance that the NS Emacs port can provide those
>> keychain functions through an ELisp layer?  It would make it easier and
>> more secure to get user passwords, plus users wouldn't need to install
>> the helper program.
> A useful-sounding idea but seems mainly like something that would be
> a third-party package or maybe part of Aquamacs.

Why do you think so?  I think access to the system's standard keychain
facility would be good to have in general, on all systems.


        Stefan




* Re: can emacs use the mac os x keychain?
  2010-07-29  4:31               ` Adrian Robert
  2010-07-29 13:01                 ` Stefan Monnier
@ 2010-07-29 13:17                 ` Ted Zlatanov
  2010-07-29 18:52                   ` David Reitter
  1 sibling, 1 reply; 14+ messages in thread
From: Ted Zlatanov @ 2010-07-29 13:17 UTC (permalink / raw)
  To: emacs-devel

On Thu, 29 Jul 2010 07:31:43 +0300 Adrian Robert <adrian.b.robert@gmail.com> wrote: 

TZ> 1) define a helper protocol to pass auth request parameters in the
TZ> environment somehow
>> 
TZ> 2) read the password back securely
>> 
TZ> 3) write an implementation that works with the Mac OS X keychain
>> 
>> Adrian, is there any chance that the NS Emacs port can provide those
>> keychain functions through an ELisp layer?  It would make it easier and
>> more secure to get user passwords, plus users wouldn't need to install
>> the helper program.

AR> A useful-sounding idea but seems mainly like something that would be
AR> a third-party package or maybe part of Aquamacs.  Are there any
AR> platform-independent parts of the needed functionality that the NS
AR> port lacks and Emacs on X11 or W32 has?

A third-party package wouldn't get the C-level bindings that are
necessary to make it reasonably secure.  The platform-independent part
is auth-source.el, which I have tried to hook into Emacs wherever
authentication is needed.  See auth.texi for more details.

On Thu, 29 Jul 2010 15:01:50 +0200 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

SM> I think access to the system's standard keychain facility would be
SM> good to have in general, on all systems.

Thanks for Michael Albinus' work on auth-source.el, it now supports the
Secrets API which is supposed to become the standard where D-Bus is
available (so Emacs can interact with this API without helper apps if it
has D-Bus support configured).  auth.texi hasn't been updated with the
Secrets API info because it's still experimental.  

Assuming we get the NS port access to the Mac OS X keychain, that leaves
W32 as the only major platform lacking keychain support.  I don't
believe W32 has a standard keychain so that may be OK.

Ted





* Re: can emacs use the mac os x keychain?
  2010-07-29 13:17                 ` Ted Zlatanov
@ 2010-07-29 18:52                   ` David Reitter
  2010-07-29 20:33                     ` Ted Zlatanov
  0 siblings, 1 reply; 14+ messages in thread
From: David Reitter @ 2010-07-29 18:52 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: emacs-devel

On Jul 29, 2010, at 9:17 AM, Ted Zlatanov wrote:
> 
> AR> A useful-sounding idea but seems mainly like something that would be
> AR> a third-party package or maybe part of Aquamacs.  Are there any
> AR> platform-independent parts of the needed functionality that the NS
> AR> port lacks and Emacs on X11 or W32 has?
> 
...
> Assuming we get the NS port access to the Mac OS X keychain, that leaves
> W32 as the only major platform lacking keychain support.  I don't
> believe W32 has a standard keychain so that may be OK.

In principle, the C part would be fairly simple.  There are separate functions for "internet passwords", which retrieve and store passwords for a host/port/account combination.

Am I right assuming that we would need an API paralleling that provided by secrets.el?

There are a few issues as far as I can see:

- The user is prompted via a graphical dialog to unlock a keychain (i.e., to provide a password protecting all the passwords).  When in TTY, we shouldn't do this, but unlock the keychain ourselves, i.e., read a password from the user via a (password) minibuffer.  This sort of interaction would have to be handled by an extra Lisp layer.  (Once the application is trusted, this prompt would go away.)   How is this done in GNOME?

- Any passwords that we obtain would probably have to be copied so we can return them as a Lisp string.  What provisions are in place in order to protect the copy and guarantee its deletion after use?


http://developer.apple.com/mac/library/documentation/Security/Reference/keychainservices/Reference/reference.html#//apple_ref/c/func/SecKeychainFindInternetPassword



* Re: can emacs use the mac os x keychain?
  2010-07-29 18:52                   ` David Reitter
@ 2010-07-29 20:33                     ` Ted Zlatanov
  0 siblings, 0 replies; 14+ messages in thread
From: Ted Zlatanov @ 2010-07-29 20:33 UTC (permalink / raw)
  To: emacs-devel

On Thu, 29 Jul 2010 14:52:14 -0400 David Reitter <david.reitter@gmail.com> wrote: 

DR> On Jul 29, 2010, at 9:17 AM, Ted Zlatanov wrote:
>> 
AR> A useful-sounding idea but seems mainly like something that would be
AR> a third-party package or maybe part of Aquamacs.  Are there any
AR> platform-independent parts of the needed functionality that the NS
AR> port lacks and Emacs on X11 or W32 has?
>> 
DR> ...
>> Assuming we get the NS port access to the Mac OS X keychain, that leaves
>> W32 as the only major platform lacking keychain support.  I don't
>> believe W32 has a standard keychain so that may be OK.

DR> In principle, the C part would be fairly simple.  There are separate
DR> functions for "internet passwords", which retrieve and store
DR> passwords for a host/port/account combination.

DR> Am I right assuming that we would need an API paralleling that
DR> provided by secrets.el?

It can be different.  auth-source.el folds the various backends under a
common interface, so I think it's best to provide simple mappings to the
underlying calls and let auth-source.el worry about the rest.  The
internet keychain calls, for instance, should be separated.

DR> There are a few issues as far as I can see:

DR> - The user is prompted via a graphical dialog to unlock a keychain
DR> (i.e., to provide a password protecting all the passwords).  When in
DR> TTY, we shouldn't do this, but unlock the keychain ourselves, i.e.,
DR> read a password from the user via a (password) minibuffer.  This
DR> sort of interaction would have to be handled by an extra Lisp layer.
DR> (Once the application is trusted, this prompt would go away.)  How
DR> is this done in GNOME?

IMHO it's acceptable to unlock only from the GUI but I'm not opposed to
what you describe.  GNOME's Seahorse works only in X, not in the TTY.

DR> - Any passwords that we obtain would probably have to be copied so
DR> we can return them as a Lisp string.  What provisions are in place
DR> in order to protect the copy and guarantee its deletion after use?

None from auth-source.el.  I don't know if ELisp has any variable tags
to do this protection but looking at the manual, I don't believe so.

Ted





* Re: can emacs use the mac os x keychain?
  2010-07-28 14:53             ` can emacs use the mac os x keychain? Ted Zlatanov
  2010-07-29  4:31               ` Adrian Robert
@ 2010-07-30  0:13               ` YAMAMOTO Mitsuharu
  2010-07-30 13:24                 ` Ted Zlatanov
  1 sibling, 1 reply; 14+ messages in thread
From: YAMAMOTO Mitsuharu @ 2010-07-30  0:13 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: adrian.b.robert, Emacs Development

>>>>> On Wed, 28 Jul 2010 09:53:03 -0500, Ted Zlatanov <tzz@lifelogs.com> said:

> Adrian, is there any chance that the NS Emacs port can provide those
> keychain functions through an ELisp layer?  It would make it easier
> and more secure to get user passwords, plus users wouldn't need to
> install the helper program.

Mac OS X 10.3 or later comes with a command line interface
/usr/bin/security for keychains.  Did you try it?  Or do you mean it
was not sufficient with respect to functionality or security?

A merit of the use of an external program is that we can use it
regardless of several builds on the platform including TTY-only and
X11.

				     YAMAMOTO Mitsuharu
				mituharu@math.s.chiba-u.ac.jp




* Re: can emacs use the mac os x keychain?
  2010-07-29 13:01                 ` Stefan Monnier
@ 2010-07-30  9:17                   ` Richard Stallman
  2010-07-30 10:37                     ` Stuart Hacking
  2010-07-30 13:30                     ` Ted Zlatanov
  0 siblings, 2 replies; 14+ messages in thread
From: Richard Stallman @ 2010-07-30  9:17 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: tzz, adrian.b.robert, emacs-devel

What does the "mac os X keychain" do?




* Re: can emacs use the mac os x keychain?
  2010-07-30  9:17                   ` Richard Stallman
@ 2010-07-30 10:37                     ` Stuart Hacking
  2010-07-31  9:57                       ` Richard Stallman
  2010-07-30 13:30                     ` Ted Zlatanov
  1 sibling, 1 reply; 14+ messages in thread
From: Stuart Hacking @ 2010-07-30 10:37 UTC (permalink / raw)
  To: rms; +Cc: tzz, adrian.b.robert, Stefan Monnier, emacs-devel

On 30 July 2010 10:17, Richard Stallman <rms@gnu.org> wrote:
> What does the "mac os X keychain" do?
>
>

It provides a central facility for storing secure information.

from Wikipedia:
"A Keychain can contain various types of data: passwords (Websites,
FTP servers, SSH accounts, network shares, wireless networks,
groupware applications, encrypted disk images), private keys,
certificates and secure notes."




* Re: can emacs use the mac os x keychain?
  2010-07-30  0:13               ` YAMAMOTO Mitsuharu
@ 2010-07-30 13:24                 ` Ted Zlatanov
  2010-08-01  1:44                   ` YAMAMOTO Mitsuharu
  0 siblings, 1 reply; 14+ messages in thread
From: Ted Zlatanov @ 2010-07-30 13:24 UTC (permalink / raw)
  To: emacs-devel

On Fri, 30 Jul 2010 09:13:22 +0900 YAMAMOTO Mitsuharu <mituharu@math.s.chiba-u.ac.jp> wrote: 

>>>>>> On Wed, 28 Jul 2010 09:53:03 -0500, Ted Zlatanov <tzz@lifelogs.com> said:
>> Adrian, is there any chance that the NS Emacs port can provide those
>> keychain functions through an ELisp layer?  It would make it easier
>> and more secure to get user passwords, plus users wouldn't need to
>> install the helper program.

YM> Mac OS X 10.3 or later comes with a command line interface
YM> /usr/bin/security for keychains.  Did you try it?  Or do you mean it
YM> was not sufficient with respect to functionality or security?

YM> A merit of the use of an external program is that we can use it
YM> regardless of several builds on the platform including TTY-only and
YM> X11.

I didn't know about this helper app.  Thank you for mentioning it.  I
expected to have to write a special one (see the original post in this
thread).  If it pops up the GUI dialog when possible, it's sufficient in
terms of UI functionality, but we also have to worry about X11 and TTY
modes (and what if you log in remotely over SSH?).

If /usr/bin/security can handle regular and internet keychains (the two
types David Reitter mentioned) then it's sufficient in terms of backend
functionality.  I don't think it can ever be as secure, however, as a
direct C call, so for security I'd rather use direct C calls if that's
an option.

I am far from expert on Mac OS X issues so I'll go with whatever you,
David Reitter, and Adrian Robert (and other experts on that platform)
decide.

Ted





* Re: can emacs use the mac os x keychain?
  2010-07-30  9:17                   ` Richard Stallman
  2010-07-30 10:37                     ` Stuart Hacking
@ 2010-07-30 13:30                     ` Ted Zlatanov
  1 sibling, 0 replies; 14+ messages in thread
From: Ted Zlatanov @ 2010-07-30 13:30 UTC (permalink / raw)
  To: emacs-devel

On Fri, 30 Jul 2010 05:17:08 -0400 Richard Stallman <rms@gnu.org> wrote: 

RS> What does the "mac os X keychain" do?

To add to Stuart Hacking's description: the GNOME analogue is Seahorse;
KDE's is KWallet I believe.  On Mac OS X the keychain is more deeply
integrated with the OS, though, so for instance the unlock dialog is
always presented the same way and only when necessary.

Ted





* Re: can emacs use the mac os x keychain?
  2010-07-30 10:37                     ` Stuart Hacking
@ 2010-07-31  9:57                       ` Richard Stallman
  0 siblings, 0 replies; 14+ messages in thread
From: Richard Stallman @ 2010-07-31  9:57 UTC (permalink / raw)
  To: Stuart Hacking; +Cc: tzz, adrian.b.robert, monnier, emacs-devel

    "A Keychain can contain various types of data: passwords (Websites,
    FTP servers, SSH accounts, network shares, wireless networks,
    groupware applications, encrypted disk images), private keys,
    certificates and secure notes."

This is a sufficiently minor thing that it is ok if Emacs can use it.




* Re: can emacs use the mac os x keychain?
  2010-07-30 13:24                 ` Ted Zlatanov
@ 2010-08-01  1:44                   ` YAMAMOTO Mitsuharu
  2010-08-01  2:53                     ` Ted Zlatanov
  0 siblings, 1 reply; 14+ messages in thread
From: YAMAMOTO Mitsuharu @ 2010-08-01  1:44 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: emacs-devel

>>>>> On Fri, 30 Jul 2010 08:24:28 -0500, Ted Zlatanov <tzz@lifelogs.com> said:

> If /usr/bin/security can handle regular and internet keychains (the
> two types David Reitter mentioned) then it's sufficient in terms of
> backend functionality.  I don't think it can ever be as secure,
> however, as a direct C call, so for security I'd rather use direct C
> calls if that's an option.

One drawback of the use of /usr/bin/security would be that the user
might grant the generic command `security' access to the item by
adding it to the "trusted applications" list in order to avoid the
application access confirmation dialog.

http://developer.apple.com/mac/library/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-SW5

It might be desirable to call Keychain API directly rather than via
the `security' command so that the keychain can know which application
wants to access the item in a more specific way.

				     YAMAMOTO Mitsuharu
				mituharu@math.s.chiba-u.ac.jp
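Added example, not code from Emacs or from anyone in this thread: the host/port/account lookup David Reitter describes, done through the SecKeychainFindInternetPassword call he linked, with the copy-and-deletion handling he asks about and the direct-call attribution YAMAMOTO Mitsuharu argues for. Function names are invented here; the Security framework part compiles only on Mac OS X, while the wipe/copy helpers it rests on are portable C.

```c
#include <stdlib.h>
#include <string.h>

/* Zero LEN bytes of BUF via a volatile pointer so the stores survive the optimizer. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}
/* Copy LEN secret bytes of SRC into a NUL-terminated string the caller owns,
 * then wipe SRC so the framework's buffer does not keep a second copy. */
char *take_secret(void *src, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy) {
        memcpy(copy, src, len);
        copy[len] = '\0';
    }
    secure_wipe(src, len);
    return copy;
}
/* Wipe and free a string returned by take_secret(). */
void discard_secret(char *s)
{
    if (!s) return;
    secure_wipe(s, strlen(s));
    free(s);
}
/* Portable self-check on a constructed secret: 1 if the copy is intact and
 * the source buffer was zeroed, 0 otherwise. */
int take_secret_selftest(void)
{
    unsigned char src[] = "constructed-secret";   /* constructed input */
    size_t n = sizeof src - 1, i;
    char *copy = take_secret(src, n);
    int ok = copy != NULL && strcmp(copy, "constructed-secret") == 0;
    for (i = 0; i < n; i++) ok = ok && src[i] == 0;
    discard_secret(copy);
    return ok;
}

#ifdef __APPLE__   /* the Security framework exists only on Mac OS X */
#include <Security/Security.h>
/* Password for ACCOUNT on SERVER:PORT (PROTOCOL e.g. kSecProtocolTypeIMAPS).
 * Any unlock/access dialog the keychain shows is attributed to Emacs itself,
 * not to `security'.  NULL with *STATUS set (e.g. errSecItemNotFound) on failure. */
char *keychain_internet_password(const char *server, const char *account,
                                 UInt16 port, SecProtocolType protocol,
                                 OSStatus *status)
{
    UInt32 len = 0;
    void *data = NULL;
    *status = SecKeychainFindInternetPassword(
        NULL, (UInt32)strlen(server), server,  /* default keychain list */
        0, NULL,                               /* no security domain */
        (UInt32)strlen(account), account,
        0, NULL,                               /* no path */
        port, protocol, kSecAuthenticationTypeAny, &len, &data, NULL);
    if (*status != errSecSuccess)
        return NULL;
    char *copy = take_secret(data, len);       /* wipes the framework buffer */
    SecKeychainItemFreeContent(NULL, data);    /* then releases it */
    return copy;
}
#endif
```

Once the bytes are turned into a Lisp string the C side can no longer wipe them, which is exactly the gap Ted concedes below; this only keeps the framework buffer and the intermediate copy from outliving the call.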




* Re: can emacs use the mac os x keychain?
  2010-08-01  1:44                   ` YAMAMOTO Mitsuharu
@ 2010-08-01  2:53                     ` Ted Zlatanov
  0 siblings, 0 replies; 14+ messages in thread
From: Ted Zlatanov @ 2010-08-01  2:53 UTC (permalink / raw)
  To: emacs-devel; +Cc: adrian.b.robert

On Sun, 01 Aug 2010 10:44:35 +0900 YAMAMOTO Mitsuharu <mituharu@math.s.chiba-u.ac.jp> wrote: 

>>>>>> On Fri, 30 Jul 2010 08:24:28 -0500, Ted Zlatanov <tzz@lifelogs.com> said:
>> If /usr/bin/security can handle regular and internet keychains (the
>> two types David Reitter mentioned) then it's sufficient in terms of
>> backend functionality.  I don't think it can ever be as secure,
>> however, as a direct C call, so for security I'd rather use direct C
>> calls if that's an option.

YM> One drawback of the use of /usr/bin/security would be that the user
YM> might grant the generic command `security' access to the item by
YM> adding it to the "trusted applications" list in order to avoid the
YM> application access confirmation dialog.

YM> It might be desirable to call Keychain API directly rather than via
YM> the `security' command so that the keychain can know which application
YM> wants to access the item in a more specific way.

Thank you for your explanation.  Since we are in agreement on using the
C API directly, I hope you, David, or Adrian (or someone else willing to
contribute) find the time to implement these calls and provide an ELisp
layer on top.

Thank you
Ted




