On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neum...@carto.net> wrote:
> Hi Jürgen, > > I wouldn't know how this works. When I create a new PG connection, it > forces me to add a username and password. I can't create a new connection > without specifying one. Even if the Windows password manager already knows > my windows credentials, which are the same as the PG credentials. As a > "stupid user" I would either expect: > > - not being asked for credentials (means that QGIS would automagically > forward the Windows credentials) > What if your DNS has been poisoned to hit evil.hacker.com instead? Would you still want your credentials to be automatically sent? - or when creating a new auth-conf, having a choice like "use windows > credentials" and then not being asked for username/password, because QGIS > already knows it from Windows. > I don't get this point: when you enter you credentials in the OS wallet (password manager) it does not leak them to QGIS, or that would be another huge security hole. But maybe I am just not correctly handling it. > > The one thing I noticed is that the Windows password manager automatically > loads the master password of the QGIS password manager. So that one seems > to work. > > That's the currently supported way to manage credentials: you store them into the encrypted QGIS auth DB and (optionally) store the master password in your OS wallet. In any event, the QGIS auth system is plugin based (C++ plugins) and other/custom auth methods could be developed if needed. Cheers -- Alessandro Pasotti w3: www.itopen.it
_______________________________________________ QGIS-Developer mailing list QGIS-Developer@lists.osgeo.org List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer