[dev] horde auth - password

Gaudenz Steinlin gaudenz.steinlin@id.unibe.ch
Thu, 31 May 2001 22:57:06 +0200


Chuck Hagenbuch wrote:

>Quoting Jan Schneider <janmailing@gmx.de>:
>
>>perhaps it makes sense to build some sort of password container for horde. If 
>>a user authenticates against horde with horde's configured auth mechanism
>>(imap, ftp, mcal whatever) every horde app can get the necessary password from
>>this container.
>>
>>You then only have to authenticate once and can use gollem, imp, a forward or 
>>a password change module without authenticating again.
>>
>
>My idea has been to build a Credentials class which encapsulates the idea of an 
>account - able to hold whatever information you need, username, password, 
>server, etc. - and then to store them somewhere. You'd unlock them with a 
>passphrase, using a mechanism similar to the Secret:: class, so they could be 
>encrypted in storage.
>
Don't you think there should also be an easy way to let all the modules
use the horde login password? I think many people will use horde on one
server and all accounts will only have one password for the whole server.
If you can use this password as your horde login password and for IMP and
the other modules, then there is no need to store passwords on the server
and the whole problem of how to encrypt them securely is solved.

In your design every user has to register his password for every module.
But often they will be the same if the modules are installed on the same
server and restricted to this server.

IMHO it would be best to have both possibilities and let the
administrator decide which authentication method is appropriate.

>
>
>That way you'd authenticate, and at some point enter your passphrase, and all 
>of your account info would be available when needed.
>
>I'd rather not store passwords in Horde sessions.
>
Isn't IMP currently storing passwords in the session? (Encrypted by the Secret class)

gaudenz

