Re: [dev] Application credentials input API (non-OS related)

From: Jacob Todd <jaketodd422_AT_gmail.com>
Date: Sun, 13 Mar 2011 12:13:51 -0400

auth/factotum from plan9 (or plan9port on unix).

On Mar 13, 2011 11:31 AM, "Ciprian Dorin Craciun" <ciprian.craciun_AT_gmail.com> wrote:
> Hello all!
>
> I would like to ask the Suckless community about how they
> generally solve -- or would like to solve -- the problem of user
> credentials input in their applications. To be more clear, I'm not
> referring to actually authenticating / authorizing users (i.e.
> checking the credentials for correctness), but just about how an
> application obtains the credentials from the users. For example let's
> say that we build a chat application that needs to have the users'
> credentials (i.e. username / password) so it can pass them -- plain text
> or a cryptographic transformation -- to the server; but how does the
> application request the user for such credentials?
>
> My main questions are about:
> a) what kind of API would the developer expect to have? (is there
> such an API already?)
> b) what kind of method should actually be used? (read it from TTY,
> spawn a reader process, etc?)
>
> For example I'm aware of a couple of existing methods -- some are
> pretty good solutions, some are just hacks -- but none of them have
> something which resembles an API:
> * for example some applications check the `*_ASKPASS` environment
> variable (or another argument) and execute that application passing in
> some unstructured text, and receiving unstructured text (by
> unstructured text I mean it can't be reliably processed to
> automatically provide the correct password (by looking up in a
> database for example), and we can't input two elements at the same
> time as username and password);
> * Plan9's Factotum which exposes a pretty good protocol, but is
> not used in either Linux or other Linux-targeting projects; (there is
> only a login prototype);
> * systemd's password agents, which come up with a more Linux-ish
> "fs-oriented protocol", but which again doesn't offer any API
> proposal;
>
> Any ideas, proposals?
> Ciprian.
>
> P.S.: I'm interested in this because until now the only "password
> manager" that I can trust to use is GPG-encrypted text files, which
> I'm decrypting when I need them, and then I copy-paste the information
> manually. (Actually I've recently created a tool that "generates" X
> events to eliminate the copy-pasting.) But I would be happier if there
> would be a more "sane" solution for this problem -- like PAM solves
> for user login.
>
Received on Sun Mar 13 2011 - 17:13:51 CET
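
Added example, not part of the original thread or of any project named in it: a sketch of the `*_ASKPASS` pattern the question describes, showing why a username/password pair takes two helper runs and why the helper can only guess from prompt wording. The variable name `EXAMPLE_ASKPASS`, the helper script, the service name and the convention (prompt as the single argument, answer as one line on stdout, non-zero exit for "no answer") are assumptions made for illustration.

```python
import getpass
import os
import stat
import subprocess
import tempfile

ASKPASS_VAR = "EXAMPLE_ASKPASS"  # hypothetical name following the *_ASKPASS pattern

# Constructed helper. Its only input is free prompt text, so it has to guess
# from the wording which credential is wanted.
DEMO_HELPER = """#!/bin/sh
case "$1" in
  Username*) echo alice ;;
  Password*) echo constructed-secret ;;
  *) exit 1 ;;   # unknown wording: nothing reliable to key a lookup on
esac
"""

def make_demo_helper():
    """Write the constructed helper to an executable temp file, return its path."""
    fd, path = tempfile.mkstemp(suffix="-askpass")
    with os.fdopen(fd, "w") as f:
        f.write(DEMO_HELPER)
    os.chmod(path, stat.S_IRWXU)
    return path

def ask(prompt, env=None):
    """Obtain one value: run the helper named in ASKPASS_VAR, else read the TTY."""
    env = os.environ if env is None else env
    helper = env.get(ASKPASS_VAR)
    if not helper:
        return getpass.getpass(prompt)
    # Assumed convention: prompt passed as one argv element (no shell involved),
    # answer returned as one line on stdout, non-zero exit means "no answer".
    out = subprocess.run([helper, prompt], stdout=subprocess.PIPE,
                         check=True, text=True).stdout
    return out.rstrip("\r\n")

def ask_credentials(service, env=None):
    """Username and password need two separate helper runs, one prompt each."""
    user = ask(f"Username for {service}: ", env)
    password = ask(f"Password for {user}@{service}: ", env)
    return user, password

if __name__ == "__main__":
    helper = make_demo_helper()
    try:
        print(ask_credentials("chat.example", {ASKPASS_VAR: helper}))
    finally:
        os.unlink(helper)
```

A prompt reworded to "Passphrase: " makes this helper exit non-zero, which is the reliability problem with unstructured prompt text that the question points at.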
