“One of the beauties that comes with Mac OS X is the Keychain that helps you manage your authorization needs as it acts as a depository of passwords. By using the Keychain you don’t need to remember a myriad of passwords but rather just the Keychain password. Don’t worry about losing your passwords either, since the Keychain can be backed up with ease.”
Of course. We have too many passwords, so let’s store them in one place with one password. This will give us and a cracker only one password to remember.
Still better than using Post-It notes to stick them to your monitor.
– chrish
Nice OSX application, but under KDE we have KDE Wallet: same Keychain Access features.
How well does KDE Wallet integrate with all the apps on your system? Is it limited to just KDE apps?
Yes, it’s KDE Wallet, it supports KDE apps. So what’s your point? I wouldn’t call this a “limitation”. Or you could also say OSX Keychain is “limited” to OSX apps.
Um, why the defensive attitude? I was asking about KDE Wallet because I’ve never used it. Insecure about KDE/Linux much?
Sheesh.
Edited 2006-03-21 22:22
Correct, it’s limited to KDE apps.
Aww.
How difficult is it for apps to tie in to your KDE Wallet store and retrieve credentials? With OS X’s Keychain, any app that wants to take advantage of Keychain can create its own entries to store/retrieve credentials.
It’s trivial to use the KDE keychain (kwalletmanager) from applications/script/shell. So trivial, in fact, that it’s really good practice to key the wallet on a USB keychain rather than on the local disk.
For that matter, the same is true of MacOSX. It’s true that the data is encrypted pretty well, but there are various ways of getting an application to open the keychain and grab a password.
I had to read it twice to realize the article is about “Keychain Access”, not “Keychain”.
Keychain is an excellent tool that probably comes with most Linux distros, including Mandriva Linux which I use. Once the passphrase is entered, it stores decrypted crypto keys in RAM so you can make automatic OpenSSH connections to remote machines after you login to the local machine. Its URL is http://www.gentoo.org/proj/en/keychain/
I’m not familiar with the Keychain Access described in this article (or KDE Wallet mentioned above) but it seems to be password based, not passphrase-protected-key based, which doesn’t sound like nearly as good or helpful of an idea.
The OS-X Keychain allows the same functionality: applications can and do use it to safely store all kinds of sensitive data.
This is used for example by the free “SSHKeychain” application to do what its counterparts do on Linux: store ssh keys in memory so that you don’t have to manually authorize them all the time.
And what is a passphrase other than a very long password?
And what is a passphrase other than a very long password?
A password must be transmitted to the remote computer for authentication.
A passphrase is never transmitted, but is used locally to unlock a private encryption key, which is used both for encryption and authentication. Security is improved by making it long, but it need not be.
Keychain ensures that the unencrypted private key is held in memory where only I can use it on future local logins for automatic authentication for remote access.
Since the article talked about passwords, I suspect Keychain Access actually transmits passwords.
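As an added illustration of the distinction drawn in the post above (this is not code from the thread, from OS X Keychain, from KDE Wallet or from the gentoo keychain tool), the stdlib Python sketch below plays out both logins end to end: in the password path the secret itself crosses the wire and the server compares it against a stored hash; in the key path the passphrase only unlocks a private key locally, an agent object holds the unlocked key in memory the way keychain/ssh-agent does, and only a signature over a fresh server challenge is transmitted. The RSA key (two Mersenne primes), the SHA-256 counter-mode "cipher" for the key file, and the sample password and passphrase are all constructed for the demo and are far too weak to be used for anything real; they exist only to make the protocol difference visible.

```python
"""Toy demonstration of the password-vs-passphrase distinction: a password
is transmitted to the remote host, a passphrase only unlocks a private key
locally, and a signature over a fresh challenge is what crosses the wire.
All key material here is CONSTRUCTED for illustration and is NOT secure."""
import hashlib
import hmac
import secrets

# Constructed toy RSA key: Mersenne primes far too small for real use.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for the cipher a real key file uses."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_private_key(d: int, passphrase: str) -> bytes:
    """Store the private exponent as an encrypted key file would: salt plus
    ciphertext under a key derived from the passphrase."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    plain = d.to_bytes(32, "big")
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    return salt + cipher


def unlock_private_key(blob: bytes, passphrase: str) -> int:
    """Decrypt locally; the passphrase never leaves this function.  A wrong
    passphrase yields garbage, which later fails signature verification."""
    salt, cipher = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, len(cipher))))
    return int.from_bytes(plain, "big")


def _challenge_digest(challenge: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


class Agent:
    """What keychain/ssh-agent do: take the passphrase once, keep the
    unlocked key in memory, and sign challenges on request afterwards."""

    def __init__(self, key_blob: bytes, passphrase: str):
        self._d = unlock_private_key(key_blob, passphrase)

    def sign(self, challenge: bytes) -> int:
        return pow(_challenge_digest(challenge, N), self._d, N)


class Server:
    """Remote host: knows the public key and a salted hash of the password."""

    def __init__(self, pubkey, password: str):
        self.n, self.e = pubkey
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(cand, self._pw_hash)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: int) -> bool:
        return pow(signature, self.e, self.n) == _challenge_digest(challenge, self.n)


def password_login(server: Server, password: str):
    """Password auth: the secret itself is sent.  Returns (ok, wire_log)."""
    wire = [("client->server", password.encode())]
    ok = server.check_password(password)
    wire.append(("server->client", b"ok" if ok else b"denied"))
    return ok, wire


def key_login(server: Server, agent: Agent):
    """Key auth: only the challenge and a signature over it are sent."""
    challenge = server.new_challenge()
    wire = [("server->client", challenge)]
    signature = agent.sign(challenge)
    wire.append(("client->server", signature.to_bytes(32, "big")))
    ok = server.verify(challenge, signature)
    wire.append(("server->client", b"ok" if ok else b"denied"))
    return ok, wire


def secret_on_wire(wire, secret: str) -> bool:
    """True if the secret appears verbatim in any transmitted payload."""
    return any(secret.encode() in payload for _, payload in wire)


if __name__ == "__main__":
    PASSPHRASE = "correct horse battery staple"   # constructed sample
    PASSWORD = "hunter2"                          # constructed sample
    blob = encrypt_private_key(D, PASSPHRASE)
    server = Server(PUBLIC_KEY, PASSWORD)
    ok, wire = password_login(server, PASSWORD)
    print("password auth:", ok, "| password on wire:", secret_on_wire(wire, PASSWORD))
    agent = Agent(blob, PASSPHRASE)               # passphrase typed once
    for _ in range(3):                            # later logins need no passphrase
        ok, wire = key_login(server, agent)
        print("key auth:", ok, "| passphrase on wire:", secret_on_wire(wire, PASSPHRASE))
```

The server never sees the passphrase or the private exponent, so a compromised or impersonated host learns nothing reusable from a key login, whereas the password path hands it the secret in full; the agent object is the part that the keychain tool automates, which is why the passphrase is entered once per local login rather than once per connection.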
Uhm, no, on both accounts.
This is the first time I hear this distinction between ‘passphrase’ and ‘password’, and a quick google shows that I’m not alone on that.
Second, OS-X Keychain by itself doesn’t transmit anything; it just provides a secure storage for sensitive data for use by other local applications (just like ssh keychain, but in a more general way).
“Keychain Access” is a GUI to OS-X Keychain so that users can store arbitrary data, including passwords. What the user does with the passwords (which may be the combinations for their wall safe), is outside of Keychain/Keychain Access control.
Similarly, if an application stores passwords or passphrases in OS-X Keychain, it is up to the application alone to decide how to use the stored secrets.
The OS-X Keychains themselves are passphrase protected, so if you lock a keychain (which you can set to happen automatically), applications or nosy roomies no longer have access to it – any attempt will cause the OS to open a dialog asking for your Keychain passphrase.
This is the first time I hear this distinction between ‘passphrase’ and ‘password’…
Well I’m no authority, I’m just relaying my understanding from my experience and reading. For example, the reference I gave above says:
Keychain … article introduces the concepts behind RSA/DSA key authentication and shows you how to set up primitive (with passphrase) RSA/DSA authentication. The second article shows you how to use keychain to set up secure, passwordless ssh access in an extremely convenient way.
Also, I don’t think I ever encountered a remote login that would let me use a password longer than some set number of characters. And it’s always called a password.
But ssh-keygen asks for a passphrase. From your description, it sounds like OS-X Keychain is doing the same thing–using a passphrase locally to unlock the thing that is sent for authentication.
Based on usage I think it’s a fair distinction. But I won’t hold it against you if you use the words differently.