keychain access

The Growl forums have moved to Google Groups, this forum is read only.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm


Post by jae77 »

i'm a little unsure of how growl's keychain access is supposed to work. every so often i'm prompted to enter my keychain password and immediately after, a growl notification appears.

is this a bug, or just a side effect of my keychain automatically locking after x minutes?

thx!
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

Are you on 10.3 or 10.4?
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

10.4 macbook
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

Do you have network notifications enabled?
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

yes - i am listening for messages sent from remote linux machines.

my keychain auto-locks after 15 minutes, any notification that comes in after that point requires me to enter a password.

notifications that are sent locally do not require me to unlock my keychain (i just tried this).
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

any further updates on this?

thx!
IngmarStein
Latté
Posts: 63
Joined: Fri Dec 03, 2004 5:35 pm

Post by IngmarStein »

I guess you use a password to encrypt your messages coming from the linux system. Growl stores its password in the keychain and uses it to decrypt the incoming messages. If your keychain is automatically locked after 15 minutes, you will need to authenticate again.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

i do specify a password for the remote growl notifications, but i would think that since i say "always allow" to the keychain for the growlhelper, i would not need to reauthenticate when the keychain locks.
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

jae77 wrote: i do specify a password for the remote growl notifications, but i would think that since i say "always allow" to the keychain for the growlhelper, i would not need to reauthenticate when the keychain locks.

We have to confirm that the password is correct somehow.
IngmarStein
Latté
Posts: 63
Joined: Fri Dec 03, 2004 5:35 pm

Post by IngmarStein »

For security reasons, we only keep the plaintext password in memory for the decryption process and request it from the keychain for each notification that comes over the network. If you always allow GrowlHelperApp to access the keychain, it will prompt for a password for as long as the keychain is unlocked. You'll need a password to unlock the keychain after the expiration period.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

could you expand on what you mean by that?

when i double click the growl entry in the keychain that causes the window to pop up w/ its attributes/access control - when i click the checkbox to show password, i see the password i configured growl w/ to accept network notifications.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

IngmarStein wrote: For security reasons, we only keep the plaintext password in memory for the decryption process and request it from the keychain for each notification that comes over the network. If you always allow GrowlHelperApp to access the keychain, it will prompt for a password for as long as the keychain is unlocked. You'll need a password to unlock the keychain after the expiration period.

so i guess that means if i want to receive network notifications, i'm stuck having to enter my keychain password every time (the keychain is locked)?
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

jae77 wrote:
IngmarStein wrote: For security reasons, we only keep the plaintext password in memory for the decryption process and request it from the keychain for each notification that comes over the network. If you always allow GrowlHelperApp to access the keychain, it will prompt for a password for as long as the keychain is unlocked. You'll need a password to unlock the keychain after the expiration period.
so i guess that means if i want to receive network notifications, i'm stuck having to enter my keychain password every time (the keychain is locked)?

Yes, if you have a password set.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

*grumble* - well, at the moment Net::Growl won't work unless i give it a password, so i guess i'm stuck w/ this for now.

could caching the password so the keychain doesn't need to be accessed every time be added as an "advanced" feature in a future release?
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

jae77 wrote: could caching the password so the keychain doesn't need to be accessed every time be added as an "advanced" feature in a future release?

No, that's insecure. Keychain is what Apple provides us, and it's what we're going to use.
IngmarStein
Latté
Posts: 63
Joined: Fri Dec 03, 2004 5:35 pm

Post by IngmarStein »

This is what the keychain API documentation says:
Important: You should not cache passwords, because the user can change them using Keychain Access or another program and the data may no longer be valid. In addition, the long-term storage of passwords by applications negates the value of the keychain.
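
The fetch-per-notification behaviour described in this thread, contrasted with the cached copy that was requested, as an added example that is not Growl's code. `struct store` is a hypothetical stand-in for the keychain, the password comparison stands in for the decryption step, and the sample secret and lock time are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the keychain: one secret and an auto-lock time. */
struct store { char secret[32]; long locks_at; };

/* Zero through a volatile pointer so the compiler keeps the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy the secret out only while unlocked; -1 is the point where a real
   keychain would prompt the user for the keychain password. */
static int fetch(const struct store *s, long now, char *out, size_t cap) {
    if (now >= s->locks_at || strlen(s->secret) >= cap) return -1;
    strcpy(out, s->secret);
    return 0;
}

/* Comparison that does not stop at the first differing byte. */
static int same(const char *a, const char *b) {
    size_t i, n = strlen(a);
    unsigned char d = (unsigned char)(n != strlen(b));
    for (i = 0; i < n && b[i]; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Fetch per notification: 1 accepted, 0 rejected, -1 store locked. */
int check_fresh(const struct store *s, long now, const char *presented) {
    char pw[32]; int ok;
    if (fetch(s, now, pw, sizeof pw) != 0) return -1;
    ok = same(pw, presented);
    wipe(pw, sizeof pw);            /* plaintext lives only for this call */
    return ok;
}

/* Cached variant: one fetch, then a long-lived copy outside the store. */
static char cached[32];
int cache_fill(const struct store *s, long now) { return fetch(s, now, cached, sizeof cached); }
int check_cached(const char *presented) { return same(cached, presented); }

int main(void) {
    struct store kc = { "s3cret", 900 };   /* constructed sample: locks at t=900 */
    cache_fill(&kc, 10);
    strcpy(kc.secret, "rotated");          /* user changes the stored password */
    printf("fresh old=%d new=%d locked=%d cached old=%d\n", check_fresh(&kc, 20, "s3cret"),
           check_fresh(&kc, 20, "rotated"), check_fresh(&kc, 901, "rotated"), check_cached("s3cret"));
    return 0;
}
```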
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

i'm confused - why can't growl retrieve that password from the keychain once, and not have to ask for it again?

what security implication exists from this? if someone got a hold of that password, i would guess the worst they could do is spam me w/ messages.

it seems a little purpose defeating to be able to receive growl messages via the network, but have to authenticate for them to come through.

in my case, i'm using growl to notify me about the results of tests run via a perl script on a remote box.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

IngmarStein wrote: This is what the keychain API documentation says:
Important: You should not cache passwords, because the user can change them using Keychain Access or another program and the data may no longer be valid. In addition, the long-term storage of passwords by applications negates the value of the keychain.

ah - well, there you go.

i guess i'll have to have a look at Net::Growl to make it work w/o a password.
jae77
Muffin
Posts: 30
Joined: Tue Aug 15, 2006 6:19 pm

Post by jae77 »

having given this some more thought, would it be possible to enhance growl to support passwords on a per app basis?

this would allow my custom apps at work to send notifications at will, but still offer me the password protection for others.
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

We're not going to do that.