debconf best practices: how to ask for a password? - Debian

This is a discussion on debconf best practices: how to ask for a password? - Debian ; (Please CC me on your replies) What is the best way to ask for a password in a debconf prompt? I've got a package (email-reminder) which asks for the SMTP login and password. I'm using a debconf of type "password" ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: debconf best practices: how to ask for a password?

  1. debconf best practices: how to ask for a password?

    (Please CC me on your replies)

    What is the best way to ask for a password in a debconf prompt?

    I've got a package (email-reminder) which asks for the SMTP login and
    password. I'm using a debconf of type "password" and output the result of
    that in a config file (only readable by root).

    Now the problem (see bug #462658) is that if you ever put a non-empty
    password there, then, you can no longer get rid of it after
    dpkg-reconfiguring the package. debconf seems to be ignoring empty password
    fields and still returns the previous value.

    I found two non-ideal solutions:

    1- change the question type to a clear-text field
    2- do a "db_reset question" before asking for the question

    Obviously I prefer to hide the password as it is being entered by the user
    so solution 1 is not my preferred one.

    With solution 2, it works as expected, but since I reset the question in the
    postinst script, right after the db_get call, that means that every package
    install/upgrade must ask this question again.

    So I was wondering what the best way to handle a password in debconf is. I
    guess that it's a bit more secure not to store the password at all in the
    debconf DB, but it's also inconvenient for users to be forced to type their
    password everytime they upgrade (especially if they don't need a password
    for their SMTP server).

    Francois


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: debconf best practices: how to ask for a password?

    Francois Marier wrote:
    > Now the problem (see bug #462658) is that if you ever put a non-empty
    > password there, then, you can no longer get rid of it after
    > dpkg-reconfiguring the package. debconf seems to be ignoring empty password
    > fields and still returns the previous value.


    This is a deficiency in debconf's UIs for prompting for password. Since
    there's generally no sane way to display the old password as the default
    and allow users to change it or delete the password entirely, debconf
    instead displays no password, and if the user enters nothing, assumes
    they meant to enter the old password unchanged.

    I think that the best approach is to clear your password value out of
    debconf's database after it has prompted for the password, to avoid
    storing a copy of the password there, and to avoid re-asking for the
    password if one is configured in the file.

    BTW, your package's postinst writes the password to $CONFIG_FILE before
    running chmod 600 $CONFIG_FILE, which is a small security hole. Your
    package also seems to use debconf as a registry -- when upgraded or
    dpkg-reconfigured it ignores the content of the config file and replaces
    it with the values from the debconf database.

    --
    see shy jo

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFHm86Ld8HHehbQuO8RAkFLAJ4zEpRCdO+EZVqwPnT1gC RC1FH+8gCglXuZ
    KR9P3nJoBqIlLnWGb90m7Lk=
    =5QxM
    -----END PGP SIGNATURE-----


  3. Re: debconf best practices: how to ask for a password?

    Quoting Francois Marier (francois@debian.org):
    > (Please CC me on your replies)
    >
    > What is the best way to ask for a password in a debconf prompt?



    Not a direct answer but jumping in the train as it is passing in front
    of me (hint: Frenglish probability high in this sentence).

    I still dream of someone working on a nice "debconf-common" package
    which would include some code and common debconf templates for such
    common operations....like prompting for a password, confirming it and
    warn users when both don't match.

    Of course, there could then be more such common templates for other
    very generic stuff.

    The initial idea would be sharing the *wording* and maybe go further
    and share some code.

    The common templates could then be used with the nice (and underused)
    debconf REGISTER command. See dbconfig-common for an implementation.

    Anyone feeling like trying to start such package?


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFHnCTE1OXtrMAUPS0RAt2zAKC7XNCXWzCS09pWM4aEkh 8ZILydQgCfTdY4
    A4fptkhhahwZGepFoFkcZy0=
    =wKRN
    -----END PGP SIGNATURE-----


  4. Re: debconf best practices: how to ask for a password?

    >>>>> "Joey" == Joey Hess writes:

    Joey> Francois Marier wrote:
    >> Now the problem (see bug #462658) is that if you ever put a non-empty
    >> password there, then, you can no longer get rid of it after
    >> dpkg-reconfiguring the package. debconf seems to be ignoring empty password
    >> fields and still returns the previous value.


    Joey> This is a deficiency in debconf's UIs for prompting for password. Since
    Joey> there's generally no sane way to display the old password as the default
    Joey> and allow users to change it or delete the password entirely, debconf
    Joey> instead displays no password, and if the user enters nothing, assumes
    Joey> they meant to enter the old password unchanged.

    This is really confusing UI. To me, as a user, it would appear there
    is no way of reusing the old password, and it would appear that
    pushing enter will result in the password being truncated. In fact
    this is what probably would happen if the system has forgotten the
    password entered for some reason (maybe it was never entered via
    debconf before).

    In the past I have almost filled bug reports against certain packages
    because I have had to reenter the passwords on every upgrade, even
    though it already knows the details. There is no way for a user to
    know if debconf has an old password on record or not.

    Can you replace the password with stars? This way you can see if there
    is a password or not, and you get visual feedback when entering a
    password that it is being received too (another issue I have had in
    the past; not sure why it confused me so much now).
    --
    Brian May


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  5. Re: debconf best practices: how to ask for a password?

    On Tue, Jan 29, 2008 at 08:38:53PM +1100, Brian May wrote:
    > >>>>> "Joey" == Joey Hess writes:

    > Joey> Francois Marier wrote:
    > >> Now the problem (see bug #462658) is that if you ever put a non-empty
    > >> password there, then, you can no longer get rid of it after
    > >> dpkg-reconfiguring the package. debconf seems to be ignoring empty password
    > >> fields and still returns the previous value.

    >
    > Joey> This is a deficiency in debconf's UIs for prompting for password. Since
    > Joey> there's generally no sane way to display the old password as the default
    > Joey> and allow users to change it or delete the password entirely, debconf
    > Joey> instead displays no password, and if the user enters nothing, assumes
    > Joey> they meant to enter the old password unchanged.
    >
    > This is really confusing UI. To me, as a user, it would appear there
    > is no way of reusing the old password, and it would appear that
    > pushing enter will result in the password being truncated. In fact
    > this is what probably would happen if the system has forgotten the
    > password entered for some reason (maybe it was never entered via
    > debconf before).


    What about this:
    if there's a non-empty password, present the user with a magic value (8
    stars, one star, "[old password]", etc). If the debconf dialog returns the
    magic value, keep the password unchanged. If it's anything else (including
    an empty value), use whatever is provided.

    As long as no one tries to set the password to the magic value, this should
    do the trick.


    In an unrelated note, I have several users who haven't changed their
    passwords after I set it to "Leave it empty". Hey, it was them who said it
    should be that way in the first place

    --
    1KB // Microsoft corollary to Hanlon's razor:
    // Never attribute to stupidity what can be
    // adequately explained by malice.


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

+ Reply to Thread