Authentications in Ubuntu

Registered by komputes

What is this session about?
In this session we will discuss authentication customization on a user, system and deployment level.

What are some issues that currently exist within the realm of authentications?
- Policykit GUI: There is currently no simplified utility to customize policies
- GNOME Keychain: Upgrading, changing passwords, encrypted wifi requires passphrase if autologin
- Timeout: For every administrative utility used, authentication is required. There is a demand for time-based caching (like sudo does) as we are currently requesting that users enter passwords too often.
- Software Center: Password is asked too often (install then remove, install applications in sequence)
- Policykit security flaw: Dialog doesn't block out the entire screen. Can cause unwanted exposing of the password.

Who should attend this session?
- Ubuntu users and developers concerned about policykit authentication issues present in the last few releases.
- Developers with the experience and interest in policykit.
- Ubuntu security team.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: komputes
Direction: Needs approval
Assignee: None
Definition: Discussion
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Work items:
[mpt] Design an interface for configuring PolicyKit privileges across user accounts and across machines, publish it and invite implementation: TODO
[repete] Talk with Canonical Corporate Services about whether they want to implement the interface for configuring PolicyKit privileges: TODO
[robert-ancell] rework the keyring creation dialog to be less confusing and only list secure and unsecure options: TODO
[seb128] talk to gnome-keyring upstream about unlocking all pending authentication requests when a password is entered in any of those: TODO
[mpt] Check and report bug about USC using separate permissions for install vs. remove: TODO
[mpt] Design integration of user account icon into the PolicyKit dialog: TODO
[robert-ancell] Implement the design of the user account icon in the PolicyKit dialog: TODO

== UDS session notes ==

Policykit GUI : There is currently no simplified utility to customize policies
  - PolicyKit upstream is against something as complex as policykit-1's "Authorizations" window
  - command-line interface is available, but too hard to use for many customers
    - "hire a consultant!"
  - Landscape is a possibility, but is expensive if this is all you want to do with it

GNOME Keychain: Upgrading, changing passwords, encrypted wifi requires passphrase if autologin
  - Now, if you use Users & Groups to change your password, it will change your keyring password too
    - previously, this didn't work
    - fix this for people upgrading (e.g. patch gnome-keyring)
  - The first time you connect to encrypted wi-fi, you're asked to set up a keyring
    - if you cancel, it will use unsafe storage
    - Two dialog boxes are shown, with "Cancel" button meaning use unsafe storage. Dialogs should be combined with clear buttons.
  - some people want to log in to Ubuntu automatically, but still encrypt their wi-fi password

Timeout: For every administrative utility used, authentication is required. There is a demand for time-based caching (like sudo does) as we are currently requesting that users enter passwords too often.
 - If you log in to Ubuntu automatically, multiple applications may ask for your keyring password simultaneously
 - Authenticating once doesn't clear the other authentication requests

Software Center: Password is asked too often (install then remove, install applications in sequence)
 - Currently asks for password again if you uninstall something while installing something else

Policykit security flaw: Dialog doesn't block out the entire screen. Can cause unwanted exposing of the password.
 -- Should implement auto locking the screen. No focus change and no keyboard catching change. Something like UAC in Windows Vista.
 - this is the worst case of focus-stealing, can be reduced the same ways as other focus stealing
 - one solution: make the PolicyKit prompt system-modal
   - drawback: prevents referring to other applications (e.g. browser, IM) while prompt is up
 - another solution: add an API to PolicyKit so the prompt can be modal to its parent window
   - drawback: upstream is hostile to this solution
 - Someone said that he had seen a presentation when someone entered the password to the wrong window and the audience had seen it.
 -- Solution maybe?: When a PolicyKit window appears, the computer should disable output on the other screen
 -- Solution maybe? - edit: Or does not disable the output, but freeze it (so anything entered while the window is there will not be available on other screens)

Making PolicyKit look more genuine
 - integrate user account icon into the prompt
    - its efficacy depends on people setting their own user account icon
      - e.g. taking a photo, or choosing from an icon gallery, in the Ubuntu installer
       -- what about people with computers not having integrated/connected webcameras?
    - if the user does not set their icon, we can have a template default icon in the prompt
      - We could also simply choose a random one during installation or offer one when they select their user info (username, etc)

What programs are still using gksu?
 - Synaptic
 - Software Sources
 - gparted
   - this would require porting gparted to DBus (e.g. udisks)
     - Palimpsest already does this
        - maybe just improve palimpsest instead?
 - The window we enter the wireless key into (this is a question, please correct me if I'm wrong!!)?
   - no, neither NetworkManager nor gnome-keyring use gksu
If we can port or demote these, we can get gksu off the CD
