ff-3.0-gnome should store pw in the gnome keyring
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
firefox-3.0 (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: firefox-3.0
I think that passwords should not be stored in clear, but there should be an interaction between firefox and gnome keyring
In Mozilla Bugzilla #309807, Marius Scurtescu (marius-scurtescu) wrote : | #1 |
In Mozilla Bugzilla #309807, Martin Meyer (elreydetodo) wrote : | #2 |
I like the idea of integrating the password manager with Gnome, but is it possible to make it so that any password manager application could be made to plug into Firefox's password management system? It would be nice to use Norton Password Manager on Windows, or whatever comercial program the user happens to like and have Firefox use it directly. This would be a good thing for integration with operating environments and other applications.
In Mozilla Bugzilla #309807, Dolske (dolske) wrote : | #3 |
Now that the Login Manager rewrite has landed on trunk for Firefox 3, writing a module to implement this support should be much easier. Basically, someone needs to write a component implementing the nsILoginManager
This interface is described here: http://
This task isn't currently on my to-do list, but I'd be happy to help explain the Login Manager interaction if someone wants to take a shot at this.
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #4 |
One potential issue I'm seeing is that nsILoginManager
I'm not completely sure, but I also have the feeling the OS X Keychain API blocks the calling thread while waiting for the password (SecKeychainFin
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #5 |
I'm going to work on this, feel free to contact me if you want to help.
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #6 |
Created an attachment (id=270527)
version 0.1
First version. There are some issues when used with the password manager, like asking to save password more that necessary, or not updating password if changed.
See the XXX for other things to improve. There is no caching involved, so there are round-trips to the gnome-keyring-
I can confirm the issue where the UI is frozen in case gnome-keyring daemon is asking for confirmation. I saw that this is also happening with Camino+Keychain, but that's less an issue on OS X as the window content is buffered, unlike on X11 where it is not refreshed if we move another window above (ok, that should not be the case when using a compositing window manager).
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #7 |
Created an attachment (id=270611)
version 0.2
Forgot to unregister the category, and fixed an unused variable warning.
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #8 |
This went low priority for me, feel free to take this over.
In Mozilla Bugzilla #309807, Dtownsend (dtownsend) wrote : | #9 |
*** Bug 410674 has been marked as a duplicate of this bug. ***
In Mozilla Bugzilla #309807, Jakub 'Livio' Rusinek (liviopl-pl) wrote : | #10 |
Does GNOME keyring replace Firefox internal password manager?
If not, it should.
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #11 |
(In reply to comment #10)
> Does GNOME keyring replace Firefox internal password manager?
no
> If not, it should.
That's what this bug is about, but no one is working on it right now.
In Mozilla Bugzilla #309807, Jakub 'Livio' Rusinek (liviopl-pl) wrote : | #12 |
Exactly the same situation with some non-duped bugs I've filed.
Nicolò Chieffo (yelo3) wrote : | #13 |
Binary package hint: firefox-3.0
I think that passwords should not be stored in clear, but there should be an interaction between firefox and gnome keyring
Phil Sung (psung) wrote : | #14 |
It seems that people are talking about doing exactly this here:
https:/
Alexander Sack (asac) wrote : | #15 |
this will not happen before firefox-4 ... which is too far away to keep this bug open.
Changed in firefox-3.0: | |
status: | New → Won't Fix |
In Mozilla Bugzilla #309807, Dan-500 (dan-500) wrote : | #16 |
This bug is not only firefox related. It's a core bug.
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #17 |
I agree, it should rather be toolkit related (password manager is in toolkit/
In Mozilla Bugzilla #309807, Dolske (dolske) wrote : | #18 |
There's been much discussion on reorganizing Bugzilla (eg, the thread rooted at http://
In Mozilla Bugzilla #309807, Me-at-work (me-at-work) wrote : | #19 |
(In reply to comment #1)
> Camino is doing exactly this, a similar implementation could be used.
>
That's a different bug, the mac only bug 106400.
In Mozilla Bugzilla #309807, Dolske (dolske) wrote : | #20 |
*** Bug 435207 has been marked as a duplicate of this bug. ***
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #21 |
Created an attachment (id=336264)
Updated patch to compile against firefox 3
I've modified the patch lightly to get it to compile on Firefox 3.
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #22 |
Created an attachment (id=336498)
Fixes for interaction with form login
While testing the latest path, I noticed that it didn't properly store and retrieve passwords saved in forms. I've attached an updated patch that works for me.
There are some more things that could be improved about the code, but what are the steps to get this included in Firefox proper?
In Mozilla Bugzilla #309807, Jakub 'Livio' Rusinek (liviopl-pl) wrote : | #23 |
I have simple question: does this include migration?
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #24 |
The current code doesn't include any migration support.
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #25 |
I've uploaded an installable version of this extension to https:/
In Mozilla Bugzilla #309807, Jensus (jensus) wrote : | #26 |
I've tried the extension.
When it's installed I'm unable to store passwords.
The prompt "Would you like firefox to remember this password" stays visible after I click on "save password". No passwords is added to my keyring.
How can I debug this?
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #27 |
What are you using to verify that the password was added to the keyring? If you return to the same page again, is the password automatically filled in? Are there any errors in the Tools -> Error Console page?
In Mozilla Bugzilla #309807, Jensus (jensus) wrote : | #28 |
I get this exeption in the console:
Fel: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsILoginManage
The password I tried to add does not appear in firefox password list, nor in seahorse (g-k-m frontend).
Im using Ubuntu 8.04 with a keyring that is automatically unlocked on login.
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #29 |
(In reply to comment #19)
> There are some more things that could be improved about the code, but what are
> the steps to get this included in Firefox proper?
Hi Matt, thanks for your work on this. The steps would be to find someone to review this. There are instructions on http://
Another more general question is to know if this should be part of Firefox or should live as an extension.
On a more technical side, is the issue raised in comment 4 still there? That would be nice to have it addressed (it may not be trivial, if the API has to change to get asynchronous).
I was a bit worried about performance (comment 6). It could be interesting to see how having the addon enabled can impact performance when browsing pages with passwords (https:/
The current patch implements nsILoginManager
In Mozilla Bugzilla #309807, Dolske (dolske) wrote : | #30 |
I think I'd sort of like to see more experience with people using this as an extension, first. One of the things that I want to be cautious about is moving where we store things (mozStorage vs keyring/keychain) without compelling value... The pessimistic view here is that most users won't care, and it incurs code maintenance costs.
One variation that would also be interesting to pursue is leaving the password storage where it is now, but using the keyring/keychain for storing a decryption key (sort of like a master password). For users that don't want the annoyance of a master password (as we currently implement it), pulling a decryption key from a system DB that's secured with the user's *login credentials* would be an improvement.
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #31 |
(In reply to comment #25)
> I get this exeption in the console:
I've uploaded a new version of the extension that enables some logging to get extra information about your failure. You can see the extra logging by running firefox from a command line like "NSPR_LOG_
You should see a message or two like:
-1211177280[
In the console, and that will help us figure out why you can't safe passwords.
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #32 |
Thanks for all the feedback. I'll keep an eye on performance problems. About the screen repaint issue, I just got prompted to allow access to the keyring and Firefox had no problem repainting in the background.
I was personally motivated to fix get the gnome-keyring integration out there because I wanted to reduce the number of unencrypted passwords on my drive. Since that's my main goal, I don't mind if this feature lives as an extension or as part of the standard packaging as long as I can use it =).
As for the relative value of the keyring integration, it's all about security (although something like your suggestion would have worked as well). The argument that "that most users won't care" should really be re-phrased to say "that most users won't care, until they sell their machine and the buyer uses their passwords left on disk". Leveraging something like gnome-keyring to get the password encryption for free seemed like a easy win for me (and Sylvain had done most of the work already).
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #33 |
(In reply to comment #27)
> One variation that would also be interesting to pursue is leaving the password
> storage where it is now, but using the keyring/keychain for storing a
> decryption key (sort of like a master password). For users that don't want the
> annoyance of a master password (as we currently implement it), pulling a
> decryption key from a system DB that's secured with the user's *login
> credentials* would be an improvement.
That seems a good way to go. At the time, I started writing an extension to store the master password in the Gnome Keyring (however I didn't finish it). The idea was to have an option when setting the master password like "Generate and store Master Password in Keyring". Then a component would set it automatically during startup.
In Mozilla Bugzilla #309807, Jensus (jensus) wrote : | #34 |
(In reply to comment #28)
> You can see the extra logging by running
firefox from a command line like "NSPR_LOG_
> -no-remote"
>
> You should see a message or two like:
> -1211177280[
>
> In the console, and that will help us figure out why you can't safe passwords.
I just tried this on another computer and it worked without any errors.
However, the passwords are only visible in firefox, not seahorse. Is that correct?
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #35 |
(In reply to comment #31)
> However, the passwords are only visible in firefox, not seahorse. Is that
> correct?
That's because the passwords are stored in the 'default' keyring, and not the 'login' keyring. Apparently, Seahorse only shows the passwords in the 'login' keyring.
In Mozilla Bugzilla #309807, Jensus (jensus) wrote : | #36 |
(In reply to comment #32)
> (In reply to comment #31)
> > However, the passwords are only visible in firefox, not seahorse. Is that
> > correct?
>
> That's because the passwords are stored in the 'default' keyring, and not the
> 'login' keyring. Apparently, Seahorse only shows the passwords in the 'login'
> keyring.
Ah, I see!
The entry may look nicer to the user in the sehorse password listing if the type GNOME_KEYRING_
In Mozilla Bugzilla #309807, Devel-leo-von-klenze (devel-leo-von-klenze) wrote : | #37 |
Hello!
I've downloaded the patch and compiled it successfully under my 64-bit Ubuntu. After installation the extension is displayed by firefox as active extension.
I used the command from comment #28 but I don't see any log messages that might belong to the gnome keyring extension. The passwords are saved but I think they are saved by the firefox password manager, because I can't see them in seahorse, even after setting the keyring to 'login'.
Missed I something?
Thanks!
In Mozilla Bugzilla #309807, Legolas558-users (legolas558-users) wrote : | #38 |
This feature is a win-win! How long should it take before I can see it as an extension?
Thanks
In Mozilla Bugzilla #309807, Sylvain Pasche (sylvain-pasche) wrote : | #39 |
(In reply to comment #35)
> This feature is a win-win! How long should it take before I can see it as an
> extension?
Not very long: https:/
In Mozilla Bugzilla #309807, sekh (wlallemand) wrote : | #40 |
Hello !
I've installed the last 0.2 firefox plugin.
That doesn't seem to work.
I'm using firefox 3.0.5 on ubuntu 8.10.
NSPR_LOG_
-1210722624[
-1210722624[
-1210722624[
-1210722624[
-1210722624[
Gnome doesn't ask me to authorize firefox to use gnome-keyring.
When I click on "Add Password" on the bar, that do nothing, I have to click on "never" or "not now" for see the bar disappear.
In Mozilla Bugzilla #309807, Jze (jze) wrote : | #41 |
(In reply to comment #37)
> -1210722624[
>
Error code 4 means "no such keyring". The add-on uses the keyring "default" instead of Gnome's default keyring "login". You can create a new keyring using Gnome's seahorse program.
In Mozilla Bugzilla #309807, Jensus (jensus) wrote : | #42 |
Unfortunately, this extension does not play well with xmarks bookmarks and password synchronization extension (http://
If I install this extension after having used xmarks for a while, no stored passwords shows up and the master password for xmarks is gone.
In Mozilla Bugzilla #309807, John Vivirito (gnomefreak) wrote : | #43 |
Is this going to be implemented in Xulrunner or in an extension? I would like to not have to add extension to make this work. I dont use too many extensions but i know people with 10+ installed adn the risk of crashes is fairly high at that point adding another isnt the best way to fix this IMHO
In Mozilla Bugzilla #309807, Ciro-scognamiglio (ciro-scognamiglio) wrote : | #44 |
Created an attachment (id=388144)
Tarball to be extracted in mozilla source directory
Hi,
I tried to iron away some problems with the extension:
* I set it to use its own keyring, named mozilla. Since items' attributes are tailored to fit mozilla login manager, it seems to me this makes more sense than cluttering the default keyring. This way, one can also decide whether to unlock it on log in or not independently from the default keyring.
* Most importantly, I made the component create the keyring if it doesn't exist.
I think this should make it work for most of the people that were unable to save passwords.
* The item name is now the hostname for which the password is saved (makes more sense than "Mozilla keyring entry" for every item)
* I took the liberty to add Matt Lavin and myself to the contributors.
These are the most prominent issues that I feel should be addressed next:
* The component still builds with the mozilla build sistem, I'd like to make it a separate extension but I don't know how to do it...
* I still have to move to firefox 3.5, I don't know if it works with it.
* It would be very nice to be able to migrate logins from and back to the built-in login manager, maybe prompting the user whether they want to delete logins from the unused login manager.
* Even when using gnome-keyring as login manager, you still get asked for the master password if you want to see the passwords on the "saved passwords" window. This only happens if the master password is set. I think this is firefox's fault.
By now, what I think is most important is to build it as an extension and to make it compatible with firefox 3.5
Help is appreciated...
In Mozilla Bugzilla #309807, Ciro-scognamiglio (ciro-scognamiglio) wrote : | #45 |
Created an attachment (id=389136)
New verson for firefox 3.5
This is the new version for firefox 3.5, it doesn't work for firefox 3.0 because the interface has changed.
I plan to build an extension out of it and upload it on amo in the next days.
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #46 |
Created an attachment (id=389159)
Firefox 3.5 extension packaged for building outside of Firefox source tree
Thanks for the updates to support 3.5. Sometime during the 3.5 cycle I made changes to my local files to support building outside of the Firefox development tree. I've attached a version of that build environment that includes your fixes. That should allow easier building of the extension by other people.
In Mozilla Bugzilla #309807, Ciro-scognamiglio (ciro-scognamiglio) wrote : | #47 |
Created an attachment (id=389337)
Makes keyring name customizable, fixes some possible leaks
The Makefile provided by Matt works perfectly, just note that if you compile for amd64 you need to add -fPIC to CPPFLAGS and put /Linux_
This new version makes keyring name customizable, you need to create a string preference entry named extensions.
Note that logins you've already saved will still be used, because gnome-keyring searches through all unlocked keyrings, not just the one we're using.
In Mozilla Bugzilla #309807, Matt Lavin (matt-lavin) wrote : | #48 |
I just started a github project that holds my source tree. I've added the changes from luca in comment 44, along with adding the -fPIC compile flag by default.
The github URL is http://
In Mozilla Bugzilla #309807, Guillermoadrianmolina (guillermoadrianmolina) wrote : | #49 |
Hello, I've created a new extension based on this one. It is useful to connect to kde's kwallet. My questions are:
Am I violating any license issue?, in other words, am i allowed to create a new extension based on this one?
Where do I commit this extension?, should I use https:/
Thanks in advance.
In Mozilla Bugzilla #309807, Jesse Glick (jesse-glick) wrote : | #50 |
(In reply to comment #27)
> leav[e] the password storage where it is now, but us[e] the keyring/keychain
> for storing a decryption key (sort of like a master password)
Agreed. I would rather have such an option than the current extension, even if it added a password migration feature (the lack of which prevents usage for someone like me with hundreds of entries). The built-in password manager is fine except for the need to type in a master password every session. Is there any interface for an extension to replace just the "Enter Master Password" dialog?
In Mozilla Bugzilla #309807, Paul-oshannessy (paul-oshannessy) wrote : | #51 |
(In reply to comment #47)
I filed bug 496660 (essentially what Dolske proposed in comment #27) a while ago. That's OSX specific, but no implementation is done. There's some work being done in other bugs to separate out the dependence on the master password as is.
In Mozilla Bugzilla #309807, Oleksij Rempel (olerem) wrote : | #52 |
Looks like this plugin do not working for me. Installed, but password are stored to mozilla storage - not to gnome-keyring.
Camino is doing exactly this, a similar implementation could be used.