Per machine password for same user and same home

Hi,
I'm searching for some help.

I'm running an ownCloud 9.1.4 server at home, and ownCloud clients on several Debian (stable/jessie) notebooks.

My $HOME (at clients) is located on the same Linux server, and gets synced to/from the clients (notebooks) before/after use.

Note: the ownCloud data of the clients is not located within the $HOME tree, instead it's located under /home/ownCloud.
So it's not part of the synced data mechanism mentioned before.

Now I noticed that the ownCloud client is using the very same app password for syncing. I assume that this is related to the circumstance that the user (me) has the same synced Gnome-Keyring on every machine.

But I want to use an individual app password for every machine. Especially in case of a notebook theft.

How can this use of individual passwords per machine be achieved, when having the same Gnome Keyring?

Thanks in advance.

Best regards,
Klaus.


Hi @ksingvo, I believe this is worth investigating. I'll try to set up a couple of systems using the same keyring and report back once I find out what's happening there, since maybe application passwords are being stored in some special way. (We recently discovered a similar issue with Shibboleth accounts that could be related: https://github.com/owncloud/client/issues/5469)

So, I looked at this and there's no client problem when storing application passwords as I thought it could be.

The real issue behind this is related to how application passwords work in ownCloud: they're not limited to one use nor bound to just one application; you can use them from multiple clients.

In your case, as the whole Gnome-Keyring is shared between all the clients, as you said, they could all be using the same application password without the user noticing.

Some questions to know more about your situation:

  1. When you install a fresh client on one of the notebooks, are you prompted to log in?
  2. If yes: do you add the same account with a different application password in the different clients?
  3. If 2 is yes: when you revoke access to that password, are you still able to access the account contents?

As different passwords for different accounts are stored in different keyring/keychain entries, the client should only have access to the one created when the account was set. That would be the expected behavior, and it will solve your problem.

To answer your questions:

After installation I was prompted for the password for my Gnome Keyring only.
No, not for the ownCloud username/password, iirc.

My idea for a solution:

Let's extend the username in the configuration with something like ".%h", where "%h" indicates the new feature:

  1. search for .<$hostname> in Gnome Keyring

  2. send this specific password together with (note: without ) for authentication

I don't see any better (and existing) solution for my situation.

Best regards,
Klaus.

Just realized that, as you are sharing $HOME, you are also synchronizing the same configuration file ($HOME/.local/share/data/ownCloud/owncloud.cfg) between all the clients. That, combined with the shared Keyring, gives the client in the notebooks the illusion that the account was set completely. This is the reason why you are never prompted with the login view.

I believe there's no way to store the Gnome Keyring in some directory (other than $HOME/.local/share/keyrings) not shared with the rest of the notebooks, right?

It's definitely an interesting use-case to take into account. Thank you for reporting!