Thread: #7076 - Keychain access on Mac
Hi Hackers,
Issue #7076 has been reported by many Mac users. The issue has popped up when the Python binary version is changed for pgAdmin.
To save server passwords, pgAdmin uses OS-level secret storage (in case of Mac it is keyring) and adds an entry for each saved password. Whenever the Python binary version is changed, keychain (Python lib used to access keychain) asks for a password 2 times for accessing each entry. If you have 10 servers, then it will ask 20 times.
To fix the issue, pgAdmin will follow the same approach as Chrome.
1. An encryption key will be auto-generated and will be stored in the keychain.
2. Whenever a save password request is received, the encryption key will be used to encrypt the password, and the encrypted password will be saved in the pgAdmin database.
3. Similarly, while retrieving the password, the encryption key will be pulled from the keychain and will be used to decrypt the password.
This will reduce password asks to 2 times on Python binary version change.
Kindly share your inputs/suggestions/thoughts.
Thanks,
Yogesh Mahajan
EnterpriseDB
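The three steps proposed above, as an added example (not pgAdmin's code and not part of the original message). The thread names no cipher, so Fernet from the `cryptography` package is an assumption here, as are the `CountingStore` stand-in for the keychain (it mirrors the `get_password`/`set_password` calls of the `keyring` module), the service/account names and the table layout.

```python
import sqlite3
from cryptography.fernet import Fernet

SERVICE, ACCOUNT = "pgadmin-example", "encryption-key"  # hypothetical names

class CountingStore:
    """In-memory stand-in for the OS keychain; every read could be a user prompt."""
    def __init__(self):
        self.items, self.reads = {}, 0
    def get_password(self, service, account):
        self.reads += 1
        return self.items.get((service, account))
    def set_password(self, service, account, secret):
        self.items[(service, account)] = secret

class PasswordVault:
    def __init__(self, store, db):
        self.store, self.db, self._fernet = store, db, None
        db.execute("CREATE TABLE IF NOT EXISTS saved (server TEXT PRIMARY KEY, token BLOB)")
    def _cipher(self):
        # Step 1: fetch the key once per process; generate it on first use only.
        if self._fernet is None:
            key = self.store.get_password(SERVICE, ACCOUNT)
            if key is None:
                # A fresh key cannot decrypt existing rows, so fail loudly.
                if self.db.execute("SELECT 1 FROM saved").fetchone():
                    raise RuntimeError("key missing from keychain; saved passwords are unrecoverable")
                key = Fernet.generate_key().decode()
                self.store.set_password(SERVICE, ACCOUNT, key)
            self._fernet = Fernet(key.encode())
        return self._fernet
    def save(self, server, password):
        # Step 2: only the encrypted token reaches the application database.
        token = self._cipher().encrypt(password.encode())
        self.db.execute("INSERT OR REPLACE INTO saved VALUES (?, ?)", (server, token))
    def load(self, server):
        # Step 3: decrypt with the key held in the keychain.
        row = self.db.execute("SELECT token FROM saved WHERE server = ?", (server,)).fetchone()
        return None if row is None else self._cipher().decrypt(row[0]).decode()

def demo():
    store, db = CountingStore(), sqlite3.connect(":memory:")
    vault = PasswordVault(store, db)
    for i in range(10):                                   # constructed sample data
        vault.save(f"server{i}", f"pw{i}")
    restarted, store.reads = PasswordVault(store, db), 0  # simulated restart
    return [restarted.load(f"server{i}") for i in range(10)], store.reads
```

After the simulated restart, ten saved passwords cost one keychain read instead of ten, which is the reduction in prompts the proposal is after.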
On Mon, 5 Aug 2024 at 13:27, Yogesh Mahajan <yogesh.mahajan@enterprisedb.com> wrote:
> Hi Hackers,
> Issue #7076 has been reported by many Mac users. The issue has popped up when the Python binary version is changed for pgAdmin.
> To save server passwords, pgAdmin uses OS-level secret storage (in case of Mac it is keyring) and adds an entry for each saved password. Whenever the Python binary version is changed, keychain (Python lib used to access keychain) asks for a password 2 times for accessing each entry. If you have 10 servers, then it will ask 20 times.
> To fix the issue, pgAdmin will follow the same approach as Chrome.
> 1. An encryption key will be auto-generated and will be stored in the keychain.
> 2. Whenever a save password request is received, the encryption key will be used to encrypt the password, and the encrypted password will be saved in the pgAdmin database.
> 3. Similarly, while retrieving the password, the encryption key will be pulled from the keychain and will be used to decrypt the password.
> This will reduce password asks to 2 times on Python binary version change.
That sounds almost like returning to the way things used to work with the master password, except we auto-generate it, and store that in the keychain. I assume we'd do the same on all platforms, using whatever the equivalent store is on each?
Any idea why it asks for the login password twice per access on macOS?
Dave Page
pgAdmin: https://www.pgadmin.org
Hi,
On Thu, Aug 8, 2024 at 5:58 PM Dave Page <dpage@pgadmin.org> wrote:
> That sounds almost like returning to the way things used to work with the master password, except we auto-generate it, and store that in the keychain.
Yeah.
> I assume we'd do the same on all platforms, using whatever the equivalent store is on each?
Yes we will be doing the same on all supported platforms.
> Any idea why it asks for the login password twice per access on macOS?
This is a known issue for keyring python lib. And this one where the keychain asks for a password for accessing each entry.
Yogesh Mahajan
EnterpriseDB
On Thu, 8 Aug 2024 at 13:38, Yogesh Mahajan <yogesh.mahajan@enterprisedb.com> wrote:
> > I assume we'd do the same on all platforms, using whatever the equivalent store is on each?
> Yes we will be doing the same on all supported platforms.
> > Any idea why it asks for the login password twice per access on macOS?
OK, thanks.
Dave Page
pgAdmin: https://www.pgadmin.org
Hi Dave,
Should I proceed with this approach?
Thanks,
Yogesh Mahajan
EnterpriseDB
On Thu, Aug 8, 2024 at 6:14 PM Dave Page <dpage@pgadmin.org> wrote:
> OK, thanks.
Hi Dave,
On Thu, Aug 8, 2024 at 6:14 PM Dave Page <dpage@pgadmin.org> wrote:
> Any idea why it asks for the login password twice per access on macOS?
This is not a keyring issue. It is macOS SDK behavior. The issue was raised to keyring but even they're helpless.
Thanks,
Aditya Toshniwal
"Don't Complain about Heat, Plant a TREE"
On Thu, 8 Aug 2024 at 13:46, Yogesh Mahajan <yogesh.mahajan@enterprisedb.com> wrote:
> Hi Dave,
> Should I proceed with this approach?
Sure, go ahead.
Dave Page
pgAdmin: https://www.pgadmin.org