Registered Member
I have this idea.... When I sign on, the wallet is unlocked with my login credentials. It's encrypted that way. Then it reads all credentials in the wallet into memory and forgets my login creds. PAM module maybe?

And here it comes: Now when a program asks KWallet about credentials, KWallet looks into its (proposed by me) database for this application. If the application is present, KWallet checks if it's entitled to get the credential it's asking for, or else KWallet asks me (graphically) what I want to do: Give it access once, or forever, not now, or not forever. If the application is not in the database, KWallet asks me if I would like to add it (and then the other questions). (Alternatively, only the application that put the credentials in KWallet can fetch them from there.)

In this way I don't have to write passwords all the time. KWallet still asks for permission, I'm in control. Bringing up the KWallet app-database lets me modify my previous decisions to allow or disallow apps.

This assumes two things which I really don't know **** about:

* KWallet has to have the means of making sure that an application really is what it seems to be... it's really a developer thing, but since every antivirus program in Windows manages it (and the firewall too) it can't be that hard.
* A program run as a user can't fiddle with another program's memory or windows or such. IF this would be possible, the asking (rogue) app could take control over KWallet's dialog asking me for permission....

Well, I need input. It's brainSTORMING. Shoot.

I got this idea while reading this thread.
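A minimal model of the application database proposed in the post above, added here as an example; it is not KWallet code and not the poster's. The class and function names, the sample paths, and the choice to identify an application by its path plus a SHA-256 digest of its executable are assumptions made for illustration.

```python
import hashlib
from enum import Enum

class Decision(Enum):
    ALLOW_ONCE = "give access once"
    ALLOW_FOREVER = "give access forever"
    DENY_ONCE = "not now"
    DENY_FOREVER = "not forever"

def app_identity(path: str, binary: bytes) -> str:
    # Assumption: path plus a digest of the executable, so a replaced
    # binary at the same path counts as a different, unknown application.
    return f"{path}:{hashlib.sha256(binary).hexdigest()}"

class AppDatabase:
    """Hypothetical per-application rule store; not a KWallet API."""

    def __init__(self, ask_user):
        self.ask_user = ask_user   # callback standing in for the dialog
        self.rules = {}            # (identity, entry) -> stored Decision

    def request(self, path, binary, entry):
        """Return True if the application may read the wallet entry."""
        key = (app_identity(path, binary), entry)
        stored = self.rules.get(key)
        if stored is not None:                 # decided "forever" earlier
            return stored is Decision.ALLOW_FOREVER
        decision = self.ask_user(path, entry)  # unknown app or entry: ask
        if decision in (Decision.ALLOW_FOREVER, Decision.DENY_FOREVER):
            self.rules[key] = decision         # only "forever" is stored
        return decision in (Decision.ALLOW_ONCE, Decision.ALLOW_FOREVER)

    def revoke(self, path, binary, entry):
        """Undo a stored decision so the next request prompts again."""
        self.rules.pop((app_identity(path, binary), entry), None)

if __name__ == "__main__":
    # Constructed sample: scripted answers replace the real dialog.
    answers = iter([Decision.ALLOW_FOREVER, Decision.DENY_FOREVER])
    db = AppDatabase(lambda path, entry: next(answers))
    print(db.request("/usr/bin/mailclient", b"original build", "imap"))
    print(db.request("/usr/bin/mailclient", b"original build", "imap"))
    print(db.request("/usr/bin/mailclient", b"modified build", "imap"))
```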
Administrator
This would be part of a single SSO solution, however it should be tied to your login somehow (Kerberos authentication might help).
KDE Sysadmin
Registered Member
An easy way to tie KWallet to login would be a PAM module (on most platforms?). If it doesn't work, it would always be possible to fall back to manually opening the wallet.

I don't know about the Kerberos part.... If I understand things right, it gives you a 'ticket' that is then sent to services to grant access. These services must be aware of the Kerberos server too, I assume? In my mind this is a lot more work to implement than what I proposed. My solution requires changes only to KWallet.

Edit: Just found this. Not a new idea at all. This is just for the first part of my suggestion. The second part, about the KWallet application database, is not there. (And I think KWallet would become much too insecure without it.)
Last edited by bratwurst on Tue Apr 07, 2009 9:23 am, edited 1 time in total.
Registered Member
:-$ , eeeehhh, everything but the single-sign-on bit seems implemented already. I'm sorry for not looking this up before posting this thread.
Since the kwallet single-sign-on thread is around there is no reason to keep this thread. Moderator: Please move this thread to "already implemented" or delete it.