Mailing List Archive

Copy-paste in pinentry-qt4
Hi,

Preferring strong passwords generated and stored in KeyPassX, I'd be really
happy if I could copy and paste the strong passwords into the entry field from
/usr/bin/pinentry-qt4. But that doesn't work. And typing strong passwords
sucks.

Is there a security reason for not allowing copy/paste?

Cheers,
Koos

--
http://www.malarianomore.org
For $10 a mosquito net + distribution + education + monitoring + evaluation.

_______________________________________________
Gpa-dev mailing list
Gpa-dev@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gpa-dev
Re: Copy-paste in pinentry-qt4
Koos Pol <kp2010 <at> koospol.nl> writes:

>
> Hi,
>
> Preferring strong passwords generated and stored in KeyPassX, I'd be really
> happy if I could copy and paste the strong passwords into the entry field from
> /usr/bin/pinentry-qt4. But that doesn't work. And typing strong passwords
> sucks.
>
> Is there a security reason for not allowing copy/paste?
>
> Cheers,
> Koos
>

I see this behaviour in many programs that do not accept copy/paste passwords and
they really piss me off, because they play "daddy" with the user.

I do the exact same thing as you (using keepassX) and I'm tremendously annoyed
by this "habit". To answer your question, there is no security reason for no
copy paste, it is an "opinion" of the programmer. It assumes that looking on a
paper or a screen window for a password that you will type via keyboard (mine is
wireless!) is safer than clipboard. Well, their opinion is imposed on the user
on the assumption the programmer knows better. I call this microsoft windows
you-are-stupid-we-know-better.

Other than that, I was greatly annoyed as well, that I had to install seahorse,
which in turn installed pinentry, to figure out why gpa 0.8.0 was giving me
"general error" from library gpgme, since in fedora 12, somebody forgot to put
pinentry as a resolved dependency for installing gpa.

All these little loose ends, kind of sloppiness, in the whole "story" does not
exactly help me trust crypto as a business plan.




Re: Copy-paste in pinentry-qt4
On 05/24/2010 02:12 AM, Georgios Dimitropoulos wrote:
> I see this behaviour in many programs that do not accept copy/paste passwords and
> they really piss me off, because they play "daddy" with the user.

There can only be one default, but security considerations are different from
environment to environment. I can understand that the default pinentry
settings are not optimal for your security requirements. However, we will
never get to a state where the same defaults are appropriate for everyone.
GNU/Linux distributions usually handle the integration issues to give a
seamless user experience for a specific target user group; you should take the
issue of the right default up with your preferred distribution.

Moving away from the default discussion, there are several things I want to
point out to you which may address your issues at different levels:

* Pinentry always supported the option "--no-grab" to prevent grabbing the
keyboard and screen for more compatibility.

* There are several implementations of pinentry, which offer different
integration strategies (Curses, Gtk 1, Gtk 2, Qt 3, Qt 4).

* The pinentry protocol is specified and easy to reimplement. The pinentry
package contains a self-contained implementation of everything necessary to
build your own pinentry that integrates with your preferred environment.

As an example, we have found that the existing pinentry-qt4 with its custom
secure text entry widget does not work on the Maemo platform, so we made a
custom pinentry-qt that uses the standard QLineEdit widget, which integrates
better into the customised Maemo environment. A good programmer can do this
in a couple of hours even if he had no previous experience with pinentry, qt,
or maemo. There is nothing stopping distributions from doing the same
integration work, if there is demand for it.

> Other than that, I was greatly annoyed as well, that I had to install seahorse,
> which in turn installed pinentry, to figure out why gpa 0.8.0 was giving me
> "general error" from library gpgme, since in fedora 12, somebody forgot to put
> pinentry as a resolved dependency for installing gpa.

The popular distributions have not yet made the transition to a completely
functional GnuPG 2 architecture. There are various reasons for that, but
the default settings of pinentry should not be any concern in this matter.

> All these little loose ends, kind of sloppiness, in the whole "story" does not
> exactly help me trust crypto as a business plan.

Usability of cryptography does not seem to be a major focus of popular
GNU/Linux distributions. For example, the enigmail plugin for thunderbird in
the beta version of Ubuntu 10.04 was broken for several weeks just prior to
the release (it was then fixed shortly before the official release). That's
just how it is, and to change it you'll have to invest time or money or both.
With free software, you get the good and the bad, with full transparency, and
an invitation for participation to make it even better. What you don't
necessarily get with free software is a hand-tailored package to support your
specific business plan. That's what development and support contracts are for.

Thanks,
Marcus
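
The point in the reply above that the pinentry protocol is easy to reimplement, shown as an added example that is not part of the original post or of the pinentry package. It answers the Assuan commands a caller sends and reads the passphrase from the controlling terminal with `getpass`; the class name `MiniPinentry` and the `read_secret` callback are hypothetical.

```python
import getpass
import sys
from urllib.parse import unquote

# gpg-error code: source GPG_ERR_SOURCE_PINENTRY (5), code GPG_ERR_CANCELED (99)
ERR_CANCELED = (5 << 24) | 99

def assuan_escape(data):
    """Escape '%', CR and LF so a secret fits on one Assuan 'D' line."""
    return data.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

class MiniPinentry:
    """Hypothetical minimal pinentry: maps one request line to reply lines."""
    GREETING = "OK Pleased to meet you"

    def __init__(self, read_secret):
        self.read_secret = read_secret  # callback(prompt, desc) -> str or None
        self.desc = ""
        self.prompt = "PIN:"

    def handle(self, line):
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "SETDESC":
            self.desc = unquote(arg)    # arguments arrive percent-escaped
            return ["OK"]
        if cmd == "SETPROMPT":
            self.prompt = unquote(arg)
            return ["OK"]
        if cmd == "GETPIN":
            secret = self.read_secret(self.prompt, self.desc)
            if secret is None:          # user declined to enter a passphrase
                return ["ERR %d Operation cancelled <Pinentry>" % ERR_CANCELED]
            return ["D " + assuan_escape(secret), "OK"]
        if cmd == "BYE":
            return ["OK closing connection"]
        # OPTION, SETTITLE, SETOK, ...: acknowledged and ignored in this sketch
        return ["OK"]

def serve(pinentry, inp=sys.stdin, out=sys.stdout):
    """Run the request/response loop over stdin/stdout until BYE or EOF."""
    print(pinentry.GREETING, file=out, flush=True)
    for line in inp:
        for reply in pinentry.handle(line):
            print(reply, file=out, flush=True)
        if line.strip().upper() == "BYE":
            break

if __name__ == "__main__":
    # getpass reads from /dev/tty, so stdin/stdout stay free for the protocol.
    serve(MiniPinentry(lambda prompt, desc: getpass.getpass(prompt + " ")))
```
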

Re: Copy-paste in pinentry-qt4
Koos Pol <kp2010 <at> koospol.nl> writes:

> Preferring strong passwords generated and stored in KeyPassX, I'd be really
> happy if I could copy and paste the strong passwords into the entry field from
> /usr/bin/pinentry-qt4. But that doesn't work. And typing strong passwords
> sucks.

Well, there has been the occasional discussion about the wishfulness of
copy-pasting strong passwords. But it still itches.
Being a non-C++ developer I'm not sure that my solution is the best, but
hey, it works:

Here is a patch against pinentry-0.8.1 to enable copy-pasting to
pinentry-qt4. Works everywhere pinentry-qt4 is used: kgpg, Enigmail,
etc. I'm happy ;-)

http://koospol.nl/cms/index.php/computer/pinentry-qt4-en

Enjoy!
Koos


--
For your and my privacy I prefer encrypted private email.

http://www.malarianomore.org
For $10 a mosquito net + distribution + education + monitoring + evaluation.
