News, tips, partners, and perspectives for the Oracle Solaris operating system

Gaim password storage insecure

Darren Moffat
Senior Software Architect
Gaim, the popular multi-protocol instant messaging client, has a mode of operation in which it stores the user's password in clear text.

This page attempts to justify this behaviour. I certainly agree that obscuring it without using real crypto is a bad idea and would never support that.

My gripe with the justification is that it misses a use case that is very important to me and to many of my friends and coworkers: GAIM being used in a corporate deployment as the client to something like Sun Java Enterprise Instant Messenger. In this case the user has no choice but to use the same password they use for other critical and sensitive resources (for example their email, their access to payroll systems, and their system login password), since in this type of deployment all authentication is done against the same LDAP server.

The other problem is that in many cases the end users have their home directory on NFS. While NFSv4 (and NFSv3 between Solaris clients) can be secured using RPCSEC_GSS (usually with Kerberos as the mechanism), it isn't by default, which means users' files can be recovered despite the file permissions.
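To make that exposure concrete, here is an added audit script (mine, not code from the post or from the Gaim project) that lists the accounts whose password Gaim saved in clear text and warns when the configuration directory sits on an NFS mount, where file permissions alone do not protect it. It assumes Gaim keeps its accounts in accounts.xml under the configuration directory, with <protocol>, <name> and <password> elements per account; the sample file it writes is constructed.

```shell
# Added example, not from the post or the Gaim project: find Gaim accounts whose
# password is saved in clear text and flag config directories that live on NFS.
# Assumption: accounts live in DIR/accounts.xml, one <account> block per account
# with <protocol>, <name> and, if the password was saved, <password> elements.

# list_cleartext DIR: prints "protocol name" for each account with a saved password
list_cleartext() {
    f="$1/accounts.xml"
    [ -r "$f" ] || return 0
    awk '
        /<protocol>/ { sub(/.*<protocol>/, ""); sub(/<\/protocol>.*/, ""); proto = $0 }
        /<name>/     { sub(/.*<name>/, "");     sub(/<\/name>.*/, "");     name = $0 }
        /<password>[^<]+<\/password>/ { print proto " " name }
    ' "$f"
}

# count_cleartext DIR: number of such accounts (0 when there is no accounts.xml)
count_cleartext() {
    list_cleartext "$1" | grep -c . || true
}

# on_nfs DIR: succeeds if DIR's filesystem is NFS (heuristic: NFS devices in
# the df -P device column look like host:/export, local ones do not)
on_nfs() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { nfs = index($1, ":") > 0 } END { exit !nfs }'
}

# make_sample DIR: write a constructed accounts.xml (sample data, not a real user's)
make_sample() {
    cat > "$1/accounts.xml" <<'EOF'
<account version='1.0'>
    <account>
        <protocol>prpl-jabber</protocol>
        <name>user@example.com/Gaim</name>
        <password>hunter2</password>
    </account>
    <account>
        <protocol>prpl-aim</protocol>
        <name>exampleuser</name>
    </account>
</account>
EOF
}

# audit DIR: print the report an administrator would want for one home directory
audit() {
    echo "$1: $(count_cleartext "$1") account(s) with a clear-text password"
    list_cleartext "$1" | sed 's/^/  /'
    on_nfs "$1" && echo "  WARNING: on NFS, file permissions alone do not protect it" || :
}
```

Run `audit ~/.gaim` (or wherever the configuration directory is) on each home directory of interest; `make_sample` exists only to exercise the script on constructed data.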

Ultimately I'd actually like to see secure single sign-on, with Gaim using SASL (with the GSSAPI plugin) to authenticate to the IM servers using the Kerberos tickets the user obtained at login. While this might be possible in some cases, it requires a lot of security infrastructure to be deployed that some companies may not have yet.

A simple solution to this would be for Gaim to use the GNOME keyring support, as other GNOME desktop applications are starting to do. For me this has another advantage with the GNOME bits that ship as JDS on Solaris releases: there the keyring uses the OpenSolaris Cryptographic Framework via PKCS#11.

Comments (2)
  • Darren Kenny Thursday, June 15, 2006
    Darren, have you logged a bug against gaim in Sun? As this is definitely something we could, and probably should do...
  • Darren Moffat Thursday, June 15, 2006
    Yes this is bug# 6439103 in Sun's database.