
I am using CentOS 7. I have certain password quality requirements set up in pwquality.conf (related to the libpwquality package). In addition to these complexity constraints being applied to user logins, I'd like them to be applied to a Password Keyring's master passwords, as accessed e.g. via seahorse and the gnome-keyring-daemon, so that users cannot use weak passwords to protect their keyrings. I'm not concerned about the passwords inside the keyrings, just the passwords for the keyrings themselves.

I have figured out how to make a call to the libpwquality API; in particular, pwquality_check is the function I want. However, I am having difficulty retrieving the password in plaintext in the code, in order to pass it to pwquality_check. For example, in the code near gkd-secret-create.c line 211, if I try to capture the password that should be returned by gcr_prompt_password_finish, I only get a NULL.

```c
/* Excerpt from the prompt callback near gkd-secret-create.c line 211.
 * gcr_prompt_password_finish returns a const string, so the holder is const. */
const gchar *password;
GError *error = NULL;

password = gcr_prompt_password_finish (GCR_PROMPT (source), result, &error);

/* password is NULL at this point */
```

I've stepped through all the code I can find in a debugger and am coming up empty: the password seems to be obscured away very well, or already hashed and discarded by this point. How can I get the password from this prompt and send it to libpwquality? Or is there a better way to enforce password complexity on GNOME's password manager/keyring?

Tim S.
  • I don't have a full answer but a suggestion of what you could consider. 1) Despite `gcr_prompt_password_finish` returning null, could it be modifying some global variables that hold the password, or populating/modifying a struct that is passed in? 2) Have you tried debugging the program with a specific password as an argument, and then looking for the bytes of that password/ the bytes of the hash of the password in the address space of the program using gdb? – vasia Jan 25 '18 at 17:27
  • I think you need to modify [`daemon/dbus/gdk-secret-create.c:create_collection_with_secret()`](https://github.com/GNOME/gnome-keyring/blob/master/daemon/dbus/gkd-secret-create.c#L101), and refuse to create the collection if the master secret is too weak. Note that gnome-keyring is deprecated, so you might wish to switch to libsecret: in which case I think you should hook into [`libsecret/secret-prompt.c:secret_prompt_perform_finish()`](https://git.gnome.org/browse/libsecret/tree/libsecret/secret-prompt.c#n516). I think; haven't tested this. – Nominal Animal Jan 26 '18 at 05:23
  • @vasia 1) I'm not seeing any global variables or values in structs, no. 2) I tried to do it on your suggestion, but there are a lot of separate pieces of memory to look through and I don't have a particular address to look for, so that's proving to be a little difficult... – Tim S. Jan 26 '18 at 16:13
  • @NominalAnimal in `create_collection_with_secret()`, I can't tell if the master secret is weak or not, I don't see the password at that point. (the `master` variable contains a couple of pointers and sizes labeled `parameter` and `value`, but I don't see readable text at the addresses) Unless there's anything you can point me to that I'm missing? Regarding libsecret: would I have to switch all of seahorse over to use that? That sounds pretty daunting and would likely be beyond the scope of what I'm trying to do here. Thanks to both of you for your help so far! – Tim S. Jan 26 '18 at 16:16
  • @TimS. you can search the memory of a virtual address space using the gdb command `find`: https://www-zeuthen.desy.de/unix/unixguide/infohtml/gdb/Searching-Memory.html. Have you tried using it? – vasia Jan 26 '18 at 16:52
  • @vasia yes, that's what I found researching this - the issue is that it wants an address range to search, which led me to `info proc map`. On my gnome-keyring-daemon process, this command gives dozens of address spaces to search through, and I don't know which to look in (I looked around some addresses I saw while debugging, with no luck). I could probably script a way to `find` in each of them, just haven't gotten there yet... – Tim S. Jan 26 '18 at 18:42
  • @TimS. sounds like an adventure :) – vasia Jan 26 '18 at 19:33
  • @TimS. [Seahorse already uses libsecret](https://mail.gnome.org/archives/gnome-keyring-list/2012-June/msg00000.html). As to the collection password, I believe the secret is already encrypted at that point. You might have to create a graph (use Graphviz) of the function chain, to see how the raw password in the ui prompt gets eventually used. Or you might ask the maintainers for pointers/help. After all, you only need an additional hook, where you can fail the create-collection operation, if the secret is too weak. – Nominal Animal Jan 26 '18 at 19:42
  • @vasia I've written just such a script, and could not find the string within the app. So that appears to be a dead end, unfortunately. – Tim S. Jan 29 '18 at 18:21
  • @NominalAnimal 1. I'm not finding a way to generate such a graph. Do you have any pointers that would make that easy? 2. Best as I can tell, `SecretPrompt`s are only instantiated by a method that's not exposed outside of `libsecret`, so I can't use it for just this prompt. I'd have to at least change out the code to use `libsecret` to create the collection/keyring. – Tim S. Jan 29 '18 at 18:41
  • @TimS.: 1. No, it's just investigation work, to find out which functions get called in practice. I often dribble custom logging everywhere. What version of GnomeKeyring do you use? (And precise version of CentOS 7, in case I set up a virtual machine?) – Nominal Animal Jan 29 '18 at 21:09
  • @NominalAnimal Ok. I'm on CentOS 7.4.1708 and gnome-keyring 3.20.0-3 – Tim S. Jan 29 '18 at 21:59
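The check the question wants to add, as an added example that is not code from the original post, from gnome-keyring or from libpwquality: a gate a daemon could run on the master secret before creating a collection, with the verdict decided by a pwquality.conf-style policy. To compile stand-alone it re-implements only the length/credit/minclass part of libpwquality's simple-password check (the documented semantics of minlen, dcredit/ucredit/lcredit/ocredit and minclass); in a real hook the call to gate_master_secret would be replaced by pwquality_check, which also applies the dictionary, palindrome, repeat and user-name checks. The policy text, the function names and the candidate passwords are constructed for the demonstration.

```c
/*
 * Added illustration, not code from gnome-keyring or libpwquality.  It shows
 * the kind of gate the thread is looking for: a function the daemon could
 * call on the master secret before creating a keyring ("collection").  To
 * stay self-contained it re-implements only the length/credit/minclass part
 * of libpwquality's simple-password check; a real hook would hand the
 * plaintext to pwquality_check() instead, which also runs the dictionary,
 * palindrome, repeat and user-name checks configured in pwquality.conf.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The subset of pwquality.conf keys this example understands. */
struct pwq_policy {
    int minlen;   /* minimum credit-adjusted length (libpwquality default 8) */
    int dcredit;  /* >= 0: max credit for digits; < 0: minimum number of digits */
    int ucredit;  /* same for upper-case letters */
    int lcredit;  /* same for lower-case letters */
    int ocredit;  /* same for other characters */
    int minclass; /* minimum number of distinct character classes */
};

/* Result codes local to this example (libpwquality has its own PWQ_ERROR_* set). */
enum { GATE_OK = 0, GATE_TOO_SHORT = -1, GATE_MISSING_CLASS = -2, GATE_TOO_FEW_CLASSES = -3 };

/* Parse "key = value" lines in pwquality.conf style; '#' starts a comment.
 * Unknown keys are ignored; unset keys keep libpwquality's defaults. */
void pwq_policy_load(struct pwq_policy *p, const char *conf)
{
    *p = (struct pwq_policy){ .minlen = 8 };   /* credits and minclass default to 0 */
    while (*conf) {
        char line[128], key[32];
        int val;
        size_t n = strcspn(conf, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, conf, copy);
        line[copy] = '\0';
        conf += n + (conf[n] == '\n');
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';
        if (sscanf(line, " %31[a-z] = %d", key, &val) != 2) continue;
        if (!strcmp(key, "minlen"))        p->minlen = val;
        else if (!strcmp(key, "dcredit"))  p->dcredit = val;
        else if (!strcmp(key, "ucredit"))  p->ucredit = val;
        else if (!strcmp(key, "lcredit"))  p->lcredit = val;
        else if (!strcmp(key, "ocredit"))  p->ocredit = val;
        else if (!strcmp(key, "minclass")) p->minclass = val;
    }
}

/* Decide whether a master secret is acceptable.  Returns GATE_OK or a negative
 * code and writes a short reason into 'why' for the prompt to display. */
int gate_master_secret(const struct pwq_policy *p, const char *pw, char *why, size_t whylen)
{
    int have[4] = { 0 };                      /* digits, uppers, lowers, others */
    const int credit[4] = { p->dcredit, p->ucredit, p->lcredit, p->ocredit };
    const char *name[4] = { "digit(s)", "upper-case letter(s)", "lower-case letter(s)", "other character(s)" };
    int len = 0;

    for (const unsigned char *c = (const unsigned char *)pw; *c; c++, len++)
        have[isdigit(*c) ? 0 : isupper(*c) ? 1 : islower(*c) ? 2 : 3]++;

    /* A non-negative credit lowers the effective minlen by up to that many
     * characters of the class; a negative one is a hard minimum for the class. */
    int required = p->minlen;
    for (int i = 0; i < 4; i++) {
        if (credit[i] >= 0)
            required -= have[i] < credit[i] ? have[i] : credit[i];
        else if (have[i] < -credit[i]) {
            snprintf(why, whylen, "needs at least %d %s", -credit[i], name[i]);
            return GATE_MISSING_CLASS;
        }
    }
    if (len < required) {
        snprintf(why, whylen, "shorter than the effective minimum of %d characters", required);
        return GATE_TOO_SHORT;
    }
    int classes = (have[0] > 0) + (have[1] > 0) + (have[2] > 0) + (have[3] > 0);
    if (p->minclass > 0 && classes < p->minclass) {
        snprintf(why, whylen, "uses %d character classes, policy needs %d", classes, p->minclass);
        return GATE_TOO_FEW_CLASSES;
    }
    why[0] = '\0';
    return GATE_OK;
}

/* Convenience wrapper: load a policy text and check one candidate. */
int gate_check_conf(const char *conf, const char *pw)
{
    struct pwq_policy p;
    char why[128];
    pwq_policy_load(&p, conf);
    return gate_master_secret(&p, pw, why, sizeof why);
}

/* Constructed pwquality.conf fragment for the demo, not taken from the asker's system. */
static const char SAMPLE_CONF[] =
    "# constructed sample policy\n"
    "minlen = 12\n"
    "dcredit = -1      # at least one digit, no credit\n"
    "ucredit = 1\n"
    "lcredit = 1\n"
    "ocredit = 1\n"
    "minclass = 3\n";

int main(void)
{
    static const char *candidates[] = { "Tr0ub4dor&3", "correcthorsebattery", "Ab1!", "abcdefghij1" };
    struct pwq_policy p;
    char why[128];
    pwq_policy_load(&p, SAMPLE_CONF);
    for (size_t i = 0; i < sizeof candidates / sizeof *candidates; i++) {
        int rc = gate_master_secret(&p, candidates[i], why, sizeof why);
        printf("%-22s %s%s\n", candidates[i], rc == GATE_OK ? "accepted" : "rejected: ", why);
    }
    return 0;
}
```

Compile with a C99 compiler and run; each candidate prints as accepted or rejected together with the reason the prompt would show. The structural point is the one raised in the comments: the gate has to run where the plaintext is still available, before the secret is encrypted into the collection, and the create operation fails whenever the gate returns a negative code.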

0 Answers