-
Notifications
You must be signed in to change notification settings - Fork 94
Store credentials in OS keyring? #149
Comments
Hi @njfox! You're 100% correct. I'm not sure how to develop this feature exactly. Here are the problems:
I haven't worked with OS keyrings before, but I believe it would be difficult to integrate it. I'm not sure. Maybe we can have the issue open for community thoughts and feedback? |
Maybe I can add macOS support for such feature. I will look into it in the coming days. |
This library looks simple and would support a wide range of platforms, Here is an example using the CLI, which would be pretty easy to do from the main script:
Here is the entry in Maybe we can fall back to the current setup if the user doesn't want to or can't install it? Note that I have not done extensive testing of this library--I'm just throwing out some ideas. There are probably other solutions that could work as well or better for this use-case. |
This tool is a cli tool, it will probably not be used by someone that does not have an understanding of the terminal. For this reason (and simplicity too) I would like to suggest the use of pass (https://www.passwordstore.org/) or gopass (https://www.gopass.pw/) to store the credentials. Gopass allows you to create a store only for protonVPN which would be useful to separate protonvpn credentials from another pass or gopass store used by the user. MacOS is also supported by those two tools. EDIT: All other important informations (plan, last server, etc) could also be stored in the pass/gopass store I currently don't have the time to do a PR but I could try to implement that for the beginning of 2019. |
The dependencies for gnome-keyring seem to be roughly the same weight as for pass (at least on Arch), but I think pass/gopass are interesting ideas I hadn't thought of. How much overhead would these add for the user? I think the purpose of storing the creds on disk in the first place is to prevent the user from having to enter their OpenVPN credentials every time, but if they have to unlock a keyring or GPG key everytime for pass/gopass then we might as well not store them at all IMO. I'm just asking because I've never used either package, so I'm not sure what the flow would look like. |
Hi @njfox @illambias These are really nice ideas! as far as I understood, keyring implementation can be distro-oriented (not sure, maybe keyring python package overcome these issues), where using a password manager like pass would be better from compatibility perspective. Another part is, almost all apps currently store config credentials on disk. filezilla, mailing clients, browsers, etc.. There is another concern when using a password manager or keyring: We need to write the file on disk at some point and keeping it on the disk while OpenVPN is running. This unfortunately have us get back to point 1. Maybe there is a way to overcome this OpenVPN issue? |
Do we? I thought the point of keyrings/password managers was to keep the file encrypted on disk and just keep it decrypted in memory once unlocked. I may be misunderstanding the question though since I haven't looked at the protonvpn-cli code in awhile. My understanding was that it only needs the credentials when the user first connects, which could be grabbed from pass. |
@njfox If there is a need to retry connecting, such as connection was lost, recovering connection, etc..., then the file is grabbed by Openvpn internally. Maybe there is a way to overcome this, but I haven't seen other ways to do so and no one posted a way to do the authenticated connection without |
Ahh I see--that makes sense. Would it be possible to grab the output from pass/gopass and pipe it into |
Hi all, Very interesting discussion... I would also share with you some ideas...
|
Hi @Picea ! Nice idea!! But the problem is,
Maybe a PR would be cool! |
Hey @mazen160,
I've noticed this project is catching a lot of flak on Reddit for storing the OpenVPN credentials in plaintext on disk. I know it's only accessible by root but I was wondering if the team had considered integrating protonvpn-cli with the OS keyring (e.g.
gnome-keyring
,kde-wallet
, etc.) instead. This seems to be how some other Linux packages manage credential storage and it seems sensible enough to me. Do you have any thoughts on how feasible this would be? I believe Python can usegnome-keyring
pretty easily for example but I'm not sure about bash.The text was updated successfully, but these errors were encountered: