Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linux-keyutils credentials are lost after reboot #271

Closed
dfoxfranke opened this issue May 8, 2024 · 3 comments
Closed

linux-keyutils credentials are lost after reboot #271

dfoxfranke opened this issue May 8, 2024 · 3 comments

Comments

@dfoxfranke
Copy link
Contributor

dfoxfranke commented May 8, 2024
edited
Loading

#270 made linux-keyutils the default credential builder on Linux in order to resolve errors for users who do not have gnome-keyring installed. However, unlike gnome-keyring, linux-keyutils does not persist credentials on disk. They are stored in kernel memory only, are lost on reboot, and also time out after a configurable period of non-use. linux-keyutils is designed primarily around the needs of cloud-based virtual machine instances which themselves have no persistence and are provisioned at boot by some sort of key distribution server. It isn't a good fit for dev desktops, or at least not on its own.

There's no free lunch here, really. If credentials are going to survive across reboots, they need to be stored on disk somewhere. If they're stored in plaintext, that has the obvious security drawbacks, and there's no advantage to using the keyring crate at all rather than just using the filesystem. If they're stored encrypted, then the decryption key has to come from somewhere, so either you have to prompt for a password or it has to be already available from an agent, in which case the agent has to get it from somewhere. If you want decryption to appear seamless, then the only good option is to derive the key from the user's login password at the time of login, which is exactly what gnome-keyring does. But that can only work if the system is set up for it, having gnome-keyring installed and pam_keyring configured. So basically, you're going to have to choose between:

  1. Storing keys in plaintext, or
  2. Needing to prompt for a password at least sometimes,
  3. Requiring some system infrastructure which isn't universally available,
  4. Giving up on persistence altogether and requiring the user to regularly repeat the authorization workflow.

Ideally, you'd pick a sensible default (probably 3, maybe 2), but make it configurable.
@dfoxfranke
Copy link
Contributor Author

We should discuss this further at the SIG-Registries weekly, but my proposal to fix this is:

  1. Immediately revert fix for linux keyring issues #270 and yank 0.4.2 so people's keys don't disappear.
  2. Keep secret_service as the default credential provider on Linux, but upon connection failure, give a friendlier error message explaining how to fix it.
  3. Add an option to config.json to override the default provider.
  4. Implement (and possibly upstream) a new credential provider that stores credentials in plaintext in $XDG_CONFIG_HOME. This should be the default nowhere but available everywhere.
  5. Eventually, implement some further credential providers in order to get to feature parity with cargo-credential, e.g. a provider that calls out to a configurable command line tool.

@calvinrp calvinrp mentioned this issue May 8, 2024
Closed
@calvinrp
Copy link
Collaborator

calvinrp commented May 8, 2024
edited
Loading

Released v0.4.3 that reverts #270

@dfoxfranke dfoxfranke mentioned this issue May 10, 2024
Merged
4 tasks
calvinrp pushed a commit that referenced this issue May 13, 2024
@dfoxfranke
Configurable keyring backends (#278)
c941934 
Makes keyring backends user-selectable, as discussed in
#271 (comment).

- [x] Refactor `client::keyring` functions into a `Keyring` struct which
can be instantiated with a backend selection.
- [x] Add a config option to control what backend is used.
- [x] Improve error reporting when the `secret-service` backend isn't
working.
- [ ] Add a `flat-file` backend that stores keys in plaintext alongside
the config file.
@calvinrp
Copy link
Collaborator

#287 and #278 were merged and should resolve. @dfoxfranke Thank you again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@calvinrp @dfoxfranke