Re: NetworkManager-vpnc config help



On Wed, 2008-05-14 at 12:19 -0500, Brian Millett wrote:
> Dan Williams wrote:
> > On Wed, 2008-05-14 at 11:46 -0400, Matthew Saltzman wrote:
> >> On Tue, 2008-05-13 at 18:23 -0500, Brian Millett wrote:
> >>> Dan Williams wrote:
> >>>> On Tue, 2008-05-13 at 15:58 -0500, Brian Millett wrote:
> >>>>> Fedora 8,
> >>>>> NetworkManager-devel-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-vpnc-0.7.0-0.6.3.svn3109.fc8
> >>>>> NetworkManager-glib-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-gnome-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-openvpn-0.7.0-8.svn3302.fc8
> >>>>> NetworkManager-glib-devel-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-0.7.0-0.6.7.svn3370.fc8
> >>>>>
> >>>>> I have a vpnc configuration I need to set up.  It has an "IPSec obfuscated secret" for the
> >>>>> group password.
> >>>>>
> >>>>> The old vpn connections were defined in the .gconf/system/networking/vpn_connections but
> >>>>> where are the connections defined now?
> >>>> They are normal connections in /system/networking/connections just like
> >>>> wifi, ethernet, cdma, gsm, etc are.
> >>> Cool!  Still via configuration editor.
> >>>
> >>> Any way of knowing what number corresponds to which connection?
> >>>
> >>>>> How do I edit the configurations?
> >>>> You can still use the VPN connection editor, available from the applet
> >>>> menu.
> >>> Ok, so how do I enable the ability to edit the connection?  I can see the connections in 
> >>> the "Edit connections", but the only item available to click is "Delete".
> >>>
> >>>>> Are the conf files in /etc/vpnc referenced?
> >>>> No, because VPN connections are currently per-user, though with the
> >>>> keyfile system settings plugin there's no reason they couldn't be
> >>>> system-wide as well.
> >>>>
> >> A couple related questions:
> >>
> >> (1) If I want to add
> >>
> >>         DPD idle timeout (our side) 0
> >>
> >> what do I need to name the key in gconf?  The gconf editor complains
> >> about the parentheses.
> > 
> > The name of the item in GConf is the exact string passed to vpnc as a
> > configuration option.  You'll need to GConf-escape the parentheses.
> > GConf uses the @ symbol as the escape, so you want to convert the
> > characters to be escaped to decimal, then put that number between two @
> > symbols, like so:
> > 
> > My Option -->>>  My 32@Option
> > 
> >> (2) Can the obfuscated secret be stored in the keyring?  If so, how?  If
> >> not, how can I get it to be used instead of the group password in the
> >> keyring?
> > 
> > At least vpnc can decrypt the obfuscated group secret these days.  But
> > since it's not really the password, we should store it differently in
> > the keyring than we store the group password.
> > 
> > We do have a number of different issues here with the group password:
> > 
> > 1) You're given the cleartext group password
> > 2) You're given a pcf file with obfuscated group password
> > 3) You're using OTP for the group password with tokens or whatever
> > 
> > The first two need to get saved in the keyring.  The third doesn't get
> > saved in the keyring and gets asked for every time.  I don't see a big
> > problem with adding support to the vpnc connector to accept the
> > obfuscated secret, but the big issue is going to be that it's going to
> > add yet another edit box somewhere.  That's not really helpful, I don't
> > think.  Do you have any idea if the obfuscated secrets are all the same
> > length so perhaps we could auto-detect based on string length?  Any good
> > hash algorithm is going to generate stable-length results.
> 
> Ok, so I was given a pcf file with the obfuscated group secret in it.  I need to add it to 
> the gnome keyring or the gpg keyring?  Or do I just put in the long obfuscated secret in 
> the group password field and check that it be saved in the keyring?
> 
> I also added to the %gconf.xml for the vpn-properties of that connection:
> 
> <entry name="IPSec 32@obfuscated 32@secret" mtime="1210720857" type="string"> 
>     <stringvalue>9B5EA67-(cut)-F48CEF</stringvalue>
> </entry>

Well, currently the obfuscated password isn't supported because that
config option is not allowed through to the VPN daemon.  You could for
the time being decrypt the obfuscated secret.


http://svn.unix-ag.uni-kl.de/vpnc/trunk/cisco-decrypt.c

for example should be included in the vpnc sources and built with vpnc,
and will decrypt it for you.

Dan
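
Added example, not part of the original message and not GConf or NetworkManager code: the @-escaping rule described in the thread (each character that needs escaping becomes its decimal value between two @ symbols), applied to the vpnc option names discussed here. The function names and the set of characters kept literal are assumptions of this example.

```python
import re
import string

# Assumption: only these characters are kept literal in a key name.
# GConf's own allowed set may be wider; escaping more still round-trips.
LITERAL = set(string.ascii_letters + string.digits + "-_")

# One escape sequence: '@', one to three decimal digits, '@'.
_ESCAPE_RE = re.compile(r"@(\d{1,3})@")


def escape_key(option: str) -> str:
    """Turn a vpnc option name into a GConf-safe key name."""
    out = []
    # Work on UTF-8 bytes so non-ASCII input escapes to values <= 255.
    for byte in option.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in LITERAL else f"@{byte}@")
    return "".join(out)


def unescape_key(key: str) -> str:
    """Reverse escape_key; raise ValueError on a malformed escape."""
    out = bytearray()
    pos = 0
    while pos < len(key):
        if key[pos] != "@":
            out += key[pos].encode("utf-8")
            pos += 1
            continue
        m = _ESCAPE_RE.match(key, pos)
        # A lone '@' or a value above one byte cannot be a valid escape.
        if m is None or int(m.group(1)) > 255:
            raise ValueError(f"malformed escape at offset {pos}: {key!r}")
        out.append(int(m.group(1)))
        pos = m.end()
    return out.decode("utf-8")


if __name__ == "__main__":
    # Option names taken from the thread above.
    for name in ("DPD idle timeout (our side)", "IPSec obfuscated secret"):
        escaped = escape_key(name)
        print(f"{name!r} -> {escaped!r} -> {unescape_key(escaped)!r}")
```

Running unescape_key over existing key names is a quick way to spot an entry whose escape sequence is incomplete before vpnc receives it as an unknown option.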