Tuesday, November 11. 2008
KDE Wallet improvements in 4.2
Albeit having the kwallet category on my blog for quite a while now, I never really bothered to put anything in there. With the advent of KDE 4.2 I thought I'd share what I've been up to.
Bad news first...
Unfortunately I didn't quite get around improving the manager. I actually planned and started this but other things seemed more pressing. Thus KDE 4.2's kwalletmanager will continue to be not-quite-pretty
Good news for everyone
Some things have happened under the hood though. I've mostly been busy fixing bugs, including long withstanding ones like concurrency issues and lockups. Changes and fixes include:- kwalletd has moved from kdelibs/kio to kdebase/runtime (actually pretty much invisible to anyone but packagers)
- Improved open wallet calls: Open calls can no longer timeout, open Path uses asynchroneous transaction handling.
- Detect exiting/crashing applications: The daemon will now detect applications that exit without closing the wallet or even crash and automatically close the wallet.
Good news for some
Apart from that, good news for all KDE Windows users: Starting with KDE 4.1.3, KWallet works fine on Windows. Thanks go to Patrick Spendrin for helping me fix this (and helping me compile when my VirtualBox decided to crash instead of compile) and to Fujisan for providing me with the screenshot to prove it works:kwalletmanager on Windows
The outlook
One of the major tasks I have in mind for 4.3 is finally redoing the manager UI. Another thing I'm currently on about is making the GNOME Keyring and the KDE Wallet systems interoperable. Unfortunately that's still at a very early stage so I can't really tell you a lot about it yet. I'll keep you posted though.Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Hi, nice to hear that interoperability with GNOME keyring is in the pipeline. What I would even more like to see is interoperability with Firefox. I use both browsers and it would be really great to have passwords stored in one location.
In fact I hope that by establishing common ground other desktop environments and applications will come aboard. afaik some webkit browser's developer was interested as well.
There's one thing I never understood about KDE Wallet... When you click the icon, you get the Wallet Manager, and in there you have the "kdewallet". Why this added complexity? I would guess that 98% of people use only one wallet, so why are people burdened with the Wallet Manager that spends it's time managing just one wallet?
And what use-cases there are for having several wallets? I can't really think of any.
Also, do we really need the icon in the systray? OS X has similar functionality, and it has no icon, and I have never encountered a situation where I need the icon. Well, maybe once or twice, when I wanted to check what my password is for some website, but in those cases I could manually open the keychain-utility and check the password.
The less icons we have in the systray, the better off we all are.
And what use-cases there are for having several wallets? I can't really think of any.
Also, do we really need the icon in the systray? OS X has similar functionality, and it has no icon, and I have never encountered a situation where I need the icon. Well, maybe once or twice, when I wanted to check what my password is for some website, but in those cases I could manually open the keychain-utility and check the password.
The less icons we have in the systray, the better off we all are.
The KDE wallet system has had support for multiple wallets right from the start. By default there's support for a "local" and a "network" (nonlocal) wallet though the default setting is to use the same wallet for all applications' passwords. This reason is mainly meant for security (use different passwords, only keep wallets currently needed open) but it can also be used to group passwords if you're using kwalletmanager as a manual password manager. However I don't like the UI approach either and I don't really know why it was changed from the 1-window approach either.
The systray can be disabled in kwallet's settings if you don't use it (I usually need it a lot.
The systray can be disabled in kwallet's settings if you don't use it (I usually need it a lot
.
Janne, I for one use more wallets, because kwallet can be used to store any kind of password. There are plenty of password-storing programs for other platform (say, Windows) and lots of people use them everyday.
Hi, just wanted to say that giving love to these "small" applications really matters. They're maybe less prestigious than say plasma and others, but they surely show up in everyday's work.
Saying that, I would like to see auto-generation of passwords and integration in konqueror for creating new (web-)accounts on the feature list (like seen in some Apple products), but bugzilla is currently kind of loaded with forgotten bugs, should I still put it up there?
Saying that, I would like to see auto-generation of passwords and integration in konqueror for creating new (web-)accounts on the feature list (like seen in some Apple products), but bugzilla is currently kind of loaded with forgotten bugs, should I still put it up there?
No need to file that one. It's on my wishlist as well Although I'm not quite sure if this should be implemented in kwallet or rather in konqueror.
Although I'm not quite sure if this should be implemented in kwallet or rather in konqueror.
Cool to see somebody working on kwallet!! Keep it going!
While you are at it, let me take the chance to tell you what's bothering me about kwallet
Looking at my current desktop I have 3 wallets open: KDE3 user wallet, KDE3 root wallet, KDE4 user wallet (once I even had a fourth wallet, KDE4 root). Apart from taking up valueable space in the systray, especially for new users this can be quite confusing ("... didn't I just open the wallet?"), or even a security risk (due to getting used to opening the wallets without further thinking, and just being annoyed). The KDE3 case is probably not fixable anymore, but for the future it would be cool to have this some how unified into a single wallet per user. Even for things the user runs with root permissions. Also one can't really visually distinct e.g. a KDE4 user and KDE4 root wallet ...
The other wish is an asynchronous kwallet open. I regularly have situations where one or more just apps seem dead, or even worse half dead. This might be due to concurrent access (with kopete or kmail failing entirely in this case, needing to be restartet), or in case of konqueror only a single app distributed across several desktops. Sometimes I even tried to restart KDE before I realized that simply a kwallet opening dialog silently appeared on some other desktop, blocking all apps trying to access it (or in case of konqueror all other windows of the process).
While you are at it, let me take the chance to tell you what's bothering me about kwallet
Looking at my current desktop I have 3 wallets open: KDE3 user wallet, KDE3 root wallet, KDE4 user wallet (once I even had a fourth wallet, KDE4 root). Apart from taking up valueable space in the systray, especially for new users this can be quite confusing ("... didn't I just open the wallet?"), or even a security risk (due to getting used to opening the wallets without further thinking, and just being annoyed). The KDE3 case is probably not fixable anymore, but for the future it would be cool to have this some how unified into a single wallet per user. Even for things the user runs with root permissions. Also one can't really visually distinct e.g. a KDE4 user and KDE4 root wallet ...
The other wish is an asynchronous kwallet open. I regularly have situations where one or more just apps seem dead, or even worse half dead. This might be due to concurrent access (with kopete or kmail failing entirely in this case, needing to be restartet), or in case of konqueror only a single app distributed across several desktops. Sometimes I even tried to restart KDE before I realized that simply a kwallet opening dialog silently appeared on some other desktop, blocking all apps trying to access it (or in case of konqueror all other windows of the process).
I fear with the current architecture there won't be much I can do about multiple wallets with different users as kwalletd is a per-user application. That said it usually shouldn't be necessary to run applications using kwallet as root and as a user side by side - at least not since unpriviledged accounts can access system services using DBus. I'm curious though.. which applications using the wallet do you still have to run using sudo?
As to asynchroneous open support - that has basically always been around and it's just gotten a little more async. However applications do have make proper use of these facilities. I second the thought about kwallet's open dialog not showing where it should (that is: where you can't miss it). I hope that's something I can still improve before the release.
As to asynchroneous open support - that has basically always been around and it's just gotten a little more async.
However applications do have make proper use of these facilities. I second the thought about kwallet's open dialog not showing where it should (that is: where you can't miss it). I hope that's something I can still improve before the release.
Currently I'm using only kvpnc (a VPN app), which has to be run as root and thus accesses the root wallet. The idea was that these kind of root apps are typically run by a real user from within their normal user account. So in reality it's a single user, and that expects a single wallet.
Actually the situation is even worse (not quite kwallets fault though). When resuming a session I enter 4 passwords: sudo for starting the app (kvpnc), sudo for starting the root wallet(manager?), password to open the root wallet and password to open the user wallet... this can be annoying in the long run
Probably the developers should separate their root needing apps in a frontend and a backend, but I fear in reality this is unlikely to happen...
The other issue: What means "a little more async"? Shouldn't real concurrent asynchronous access be the default? Why should a normal app be allowed to access a central resource exclusivly at all?
Konqueror (process with lots of windows spread across serveral desktops) will probably remain a problem, and nothing kwallet can fix, I admit. After all the opening dialog should also be tied to the "window" calling it. Simply appearing on the current desktop is probably also no solution. When you switch the desktop in that very moment, you still have a problem. Already now it's sometimes confusing who is requesting to open the wallet. My favourite message is "KDE is requesting to open the wallet"(or similar) ... Perhaps a notification bubble coming out of the wallet systray icon, to at least notify the user? With a button to jump to the desktop/dialog.
Actually the situation is even worse (not quite kwallets fault though). When resuming a session I enter 4 passwords: sudo for starting the app (kvpnc), sudo for starting the root wallet(manager?), password to open the root wallet and password to open the user wallet... this can be annoying in the long run
Probably the developers should separate their root needing apps in a frontend and a backend, but I fear in reality this is unlikely to happen...
The other issue: What means "a little more async"? Shouldn't real concurrent asynchronous access be the default? Why should a normal app be allowed to access a central resource exclusivly at all?
Konqueror (process with lots of windows spread across serveral desktops) will probably remain a problem, and nothing kwallet can fix, I admit. After all the opening dialog should also be tied to the "window" calling it. Simply appearing on the current desktop is probably also no solution. When you switch the desktop in that very moment, you still have a problem. Already now it's sometimes confusing who is requesting to open the wallet. My favourite message is "KDE is requesting to open the wallet"(or similar)
... Perhaps a notification bubble coming out of the wallet systray icon, to at least notify the user? With a button to jump to the desktop/dialog.
Oh yes, I remember kvpnc. I used that once as well (or rather tried to use it) but it didn't quite work out. Maybe the new NetworkManager frontend for KDE4 is going to support VPNs properly.
"a little more async" means:
Supporting asynchroneous operations in kwallet is not easy. After all the client has to be async (waiting for the daemon's answer) and the server has to handle reentrancy as well (still providing operations while waiting for the password to be entered). "a little more" means that I just fixed some issues that should make all of that work "a little better".
Having the tray icon notify you is actually a good idea. I'll see what I can do.
"a little more async" means:
Supporting asynchroneous operations in kwallet is not easy. After all the client has to be async (waiting for the daemon's answer) and the server has to handle reentrancy as well (still providing operations while waiting for the password to be entered). "a little more" means that I just fixed some issues that should make all of that work "a little better".
Having the tray icon notify you is actually a good idea. I'll see what I can do.
Ah most loved application
What would be really cool, but i know that it is not easy, would be to open kwallet on login, so that you don't have to retype your password (as an option of course). Are there any plans in that direction?
What would be really cool, but i know that it is not easy, would be to open kwallet on login, so that you don't have to retype your password (as an option of course). Are there any plans in that direction?
Yes there are. Unfortunately I didn't have time to get to that and there's currently some problems with making that as secure as it should be. I do however know that GNOME keyring has a PAM module to allow auto-opening a wallet and I hope we can benefit from that.
Apart from that I'm also thinking about Smartcards and Fingerprint sensors
Apart from that I'm also thinking about Smartcards and Fingerprint sensors
One thing I miss with kwallet is the ability to handle several accounts for the same page. In firefox I can record various gmail account and when I sign in I can pick the one I want by clicking on the login text field. With kwallet on konqueror I can only have one account per page and if I change one I lose the previous one. Please, add support for multiple account per app. Thanks.
Actually kwallet implemented many of the things needed to support this years ago. This is something which needs to be implemented in konqueror (I remember there's a wish on bugs.kde.org but I couldn't find the number).
The kwallet password box comes up when using a live cd etc. This is kinda pointless in these sorts of situations.
Is there a simple way to disable kwallet, for live-cds to use?
Is there a simple way to disable kwallet, for live-cds to use?
I'm pretty sure there is. However I'm not experienced enough with KDE's config system tweaks to know wether/how this can be done system-wide.
Great to see activity in KWallet too! This is one of those applications which is very important too IMHO, and important to get right. Thanks for your work!
I'd like to post a feature request too. The current "first setup" dialog is very confusing. A lot of text, and little substance (form fields). At work I've seen all my collegues click it away, and after that I had to configure kwallet manually for them.
Could this dialog be more simple? or even omitted? For example, silently create an empty wallet without a password by default. That's still more secure (and easier to upgrade), then forcing applications to store passwords outside kwallet.
I'd like to know what you think about this idea
This is one of those applications which is very important too IMHO, and important to get right. Thanks for your work!I'd like to post a feature request too. The current "first setup" dialog is very confusing. A lot of text, and little substance (form fields). At work I've seen all my collegues click it away, and after that I had to configure kwallet manually for them.
Could this dialog be more simple? or even omitted? For example, silently create an empty wallet without a password by default. That's still more secure (and easier to upgrade), then forcing applications to store passwords outside kwallet.
I'd like to know what you think about this idea
The most important issue should be PAM integration, not making it run in Windows!
This would make it so much more usable, especially for old people that really don't understand kwallet, it would be transparent yet still secure.
There is an open bug for this:
http://bugs.kde.org/show_bug.cgi?id=92845
This would make it so much more usable, especially for old people that really don't understand kwallet, it would be transparent yet still secure.
There is an open bug for this:
http://bugs.kde.org/show_bug.cgi?id=92845
Always wondered why KWallet shows a list of wallets instead of the applications list? Never saw anybody having more than one wallet I would recommend not to be possible to have more than one.
Just found this
http://www.info-svc.com/news/2008/12-12/pm-evaluator/
Kwallet in 3.5 performed quite well, better then any other browser. But there is still some room for improvements.
http://www.info-svc.com/news/2008/12-12/pm-evaluator/
Kwallet in 3.5 performed quite well, better then any other browser. But there is still some room for improvements.
As KeepassX is already written in Qt, cross platform, feature rich, and compatible with any program via both the clip board and auto-type, I think that KeepassX should replace kwalllet as the KDE password manager. It's also released under the gpl. Thus, rather than trying to add a bunch of new features to kwallet, why don't we add KDE integration to KeepassX?
I'm interested in offering whatever help I can. I know python, and I'm learning PyQt at the moment. We'll need a way to convert kwallet's database to the KeepassX format. Perhaps we could write this tool in python?
Any ideas?
I'm interested in offering whatever help I can. I know python, and I'm learning PyQt at the moment. We'll need a way to convert kwallet's database to the KeepassX format. Perhaps we could write this tool in python?
Any ideas?
I've had a quick look at KeepassX and it looks pretty solid. The problem however is that KWallet and KeepassX have (right now) two totally separate use cases. While KeepassX aims at personal (manual) password management, KWallet's original purpose was to provide a daemon that all other KDE programs can use to store passwords. For supporting a similar use-case you'd either have to adapt KeepassX' architecture to provide a similar daemon or make KeepassX use the KWallet daemon as a storage backend (which would probably be easier).
Any news on the KWallet Manager UI changes? Would be interesting to hear what kind of changes you're thinking of.
Using KWallet as a password manager for apps that don't integrate with KWallet is something I miss a lot. By combining window class and title information, KWallet would be able to pick the right password. Are features like this, or a UI that would be able to support it, planned for future versions of KWallet?
Michael, as you wrote earlier, adding KWallet support to KeePassX would be one way to solve this, but having both KWallet's tight integration with KDE + a more manual approach for non-kwallet apps would be even better.
As I take it, the big changes would be in the UI, right? KWallet's underlying structure seems solid.
Using KWallet as a password manager for apps that don't integrate with KWallet is something I miss a lot. By combining window class and title information, KWallet would be able to pick the right password. Are features like this, or a UI that would be able to support it, planned for future versions of KWallet?
Michael, as you wrote earlier, adding KWallet support to KeePassX would be one way to solve this, but having both KWallet's tight integration with KDE + a more manual approach for non-kwallet apps would be even better.
As I take it, the big changes would be in the UI, right? KWallet's underlying structure seems solid.
Unfortunately there haven't been any UI changes lately (apart from a notification that pops up to notify that an application requests the password in case the application isn't visible). I did a basic implementation of a wallet manager using model/view classes that currently only lives on my harddrive, but I haven't had time to put much effort into that. Instead I decided to push gnome-keyring integration and started working on that.
Of course kwalletmanager can be rewritten to use that new API (if it gets integrated) but every line of code I write with kwallet in mind might be a line of code I have to change later.
Of course kwalletmanager can be rewritten to use that new API (if it gets integrated) but every line of code I write with kwallet in mind might be a line of code I have to change later.
Hi
How is this project going?
I REALLY like the idea! I use KDE, but would like to use Evolution in there... This means gnome-keyring AND KDE Wallet
/morten
How is this project going?
I REALLY like the idea! I use KDE, but would like to use Evolution in there... This means gnome-keyring AND KDE Wallet
/morten
Unfortunately it seems to have somewhat stalled during the last month. I was hoping for a preliminary spec to be finished by know. I'll have to bug the Keyring maintainer to see what's going on.
How do i restart kwallet to the taskbar after closing it during my login
Sorry, all my blog comments recently landed up in my spam folder.
To get the systray icon back, just (re)start 'kwalletmanager'.
To get the systray icon back, just (re)start 'kwalletmanager'.
For me right now the only wish for kwallet in kde4 is that it can be opened automatically with pam or whatever means. Typing a login password and then the kwallet password seems to be an overkill, leaving an empty password for kwallet is also not really an option. So when can we expect something like this?
Yeah, it is planned for 4.4. I have a patch floating around for it already and hope to get it in in time.
I managed to get the API required for PAM SSO in the day of feature freeze. The PAM module will be developed and released separately for now, possibly going into 4.5 (although I don't see a real need to make it part of kdebase).
Hi,
Recently I have only been able to run kwalletmanager as root/su. I'm sure I used to be able to open my personal wallet without su privileges.
(I'm using Fedora 12).
Thanks,
Recently I have only been able to run kwalletmanager as root/su. I'm sure I used to be able to open my personal wallet without su privileges.
(I'm using Fedora 12).
Thanks,
Check the file permissions in ~/.kde/share/apps/kwallet. It seems your kwl-files might be owned by root and inaccessible by your account.
Hi Michael,
That was the first thing I checked and they are RW for me only. If I start kwalletmanager in a console then I get different messages if I start as root or start as myself.
Thanks,
That was the first thing I checked and they are RW for me only. If I start kwalletmanager in a console then I get different messages if I start as root or start as myself.
Thanks,
Hi,
Please forget my comments, I've found out what was wrong.
Thanks for your suggestions.
Please forget my comments, I've found out what was wrong.
Thanks for your suggestions.
Calendar
|
March '10 | |||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 | ||||
