CLI for the KDE Wallet

Sponsored by
HostEurope Logo

CLI for the KDE Wallet

Table of Content

Homepage of the Command-Line Interface to the KDE Wallet.

Get the Logo (SVG).

kwalletcli Logo

CLI for the KDE Wallet

What's it? A command-line interface to the KDE Wallet, for KDE 3 and KDE 4 both (so shell scripts, Python, etc. do not need to use DCOP or D-Bus directly to access it to store passwords, instead being able to call this convenient wrapper). Please read the wlog entry announcing kwalletcli public beta test for some more background information. Currently, only the default wallet is supported; while the CLI itself could be enhanced by a selection, the utilities also provided cannot really expose this functionality.

kwalletcli is OSI Certified Open Source Software™

Download

Current version: kwalletcli 2.12 (2014-05-11)

Ingredients

The kwalletcli distfile provides a number of things:

Wishlist

Possible extensions include gnome-keyring bindings as well as some for the new KDE/GNOME intra-desktop keyring/wallet standard talking D-Bus instead of using the libkwalletclient convenience libraries; support for selecting a non-default keyring; more utilities on top of kwalletcli(1) (e.g. a libpurple plugin, and means for M*zilla Firef*x, Opera and other desktop software to use it to store passwords in the Wallet).

Packaging

Debian has a kwalletcli (KDE 4) package from squeeze onwards. The backports repository contains a kwalletcli (KDE 3) package for lenny.

Suggested packaging: MidnightBSD mports (for they provide KDE anyway), OpenSuSE Build Service (RPM for many platforms), etc.
If KDE (upstream) desires, they may include it (under The MirOS Licence) in their distribution, even.

Dependencies

Either Qt3 and KDE3, or Qt4 and KDE4, development headers and libraries, and the matching compiler (gcc/g++ is tested, others are not). Either MirMake (MirBSD make(1)) or GNU make. For the scripts, mksh R38+ is a run-time dependency. The manpages require nroff/gnroff and the -mdoc macropackage to compile. The HTML manpages can only be re-made on MirBSD.

Language Bindings

C binding

See the source file kwalletcli.h for details. This is the source-level C binding API (function kw_io() and a couple of return value definitions) that can be re-used. There is no C++ binding, because the high-level KWallet API is already C++, although, for ease of use, the C binding can be used from others' C++ code as well.

Python binding (external)

There's a sample Python 2 binding (we don't know which exact minimum version is required) contributed to the Gajim source code (dual-licenced under the same licence as Gajim (GPLv3 only), as well as the same licence (MirOS) as kwalletcli). The binding was originally written by the author of kwalletcli as well.

Note that the Python binding uses subprocess.Popen() and the Shell binding to do the actual work.

Shell binding

The kwalletcli(1) manpage provides a documentation of the shell binding. The other utilities part of the distribution, as well as the Python binding, serve as usage examples.

Python example (contrib)

This is a user-contributed example in Python, submitted by Stephen McIntosh:

import kwalletbinding as kw
def operation():
    op = raw_input("Add or Read? ")
    return op
def addpass():
    kw.kwallet_put('kdewalletcli',
      raw_input("Name: "),
      raw_input("Password: "))
    print("...\nDone!")
def getpass():
    readpass = kw.kwallet_get('kdewalletcli',
      raw_input("Name: "))
    print "...\nThe password is: " + readpass

if kw.kwallet_available():
    op = operation()
    if op.lower() == "add":
        addpass()
    else:
        getpass()
else:
    print "KDE Wallet not available!"
 

(edited slightly for legibility)

Security

Passwords can, of course, only be accessed if the KDE Wallet is opened. Hence, the on-disc security of the passwords is the same as for all other applications using it. We make no statement on its security (the GnuPG mailing lists have some flamewars about it), but if this is “enough” for you (or, if you are a company sysadmin, your boss), you're welcome. On the other hand, since the KDE pop-up will only show “kwalletcli”, not the application/script using it, when it asks whether access to the Wallet is to be permitted, password stealing by untrusted-local applications is easier (but if you have these, you have totally different problems anyway). Hence, we suggest to “allow always” access for kwalletcli(1) and take the usual care when installing and running applications from third parties.

If you turn “iodebug” in pinentry-kwallet on, it will log the entire dialogue with both parent and co-process, including passwords, to a file in your home directory. (This can only be done by editing the script directly, which is why we refrain from warning the user in a dialogue, as an attacker can also remove that warning.)

Users

The Gajim Jabber client supports kwalletcli, by means of the Python binding, for storing Jabber passwords in the KDE Wallet in an encrypted manner, since version 0.13 (committed after some discussion; Gajim already supported gnome-keyring though).

ChangeLog

Changes in the current (unreleased) development version:

kwalletcli 2.12

kwalletcli 2.11

kwalletcli 2.10

kwalletcli 2.03

MirOS Logo